Administration proposes metrics for testing FISMA performance

Recommended measures "encourage agencies to take concrete steps to improve their security," announcement states.

Federal CIO Vivek Kundra said forward-looking metrics were underway at a hearing in October.

Making good on federal Chief Information Officer Vivek Kundra's promises, the Office of Management and Budget has proposed metrics that agencies can use to gauge how well they secure computer networks and systems.

On Dec. 9, OMB and the National Institute of Standards and Technology posted online requests for comments on potential metrics to guide annual reporting on performance under the Federal Information Security Management Act of 2002. The move could quell criticism that the legislation focuses too much on compliance.

"These metrics represent a new approach, which focuses on improving security, not just compliance, [and] should encourage agencies to take concrete steps to improve their security posture" through monitoring tools, stronger identity and configuration management and more thorough reporting, according to the NIST announcement.

Comments are due to NIST by Jan. 4, 2010.

During October testimony before a Senate subcommittee, Kundra said efforts to develop "forward-looking metrics focused on improving security at agencies, rather than merely demonstrating compliance" were under way.

The draft document would require security officials to complete the following:

-- Systems inventory: Provide the number of agency-owned and contractor-managed computer systems, with detailed information about their security status;

-- Software inventory: Confirm they can provide a real-time listing of software installed on all devices connected to agency networks;

-- Connections inventory: Confirm they can pull together a real-time listing of all external connections to the Internet, as defined in OMB's Trusted Internet Connections initiative;

-- Configuration management: Define baseline configurations for hardware and software applications and provide information about scans for compliance with configuration requirements;

-- Integration of security into system development life cycle: Report the status of security integration into new information systems on the network;

-- Remote access management: Confirm they can provide a real-time listing of all external connections to the network and provide details about security measures taken for remote access;

-- Training: Say whether they are capable of compiling a real-time listing of security training conducted with employees and contractors;

-- Identity and access management: Provide status on compliance with Homeland Security Presidential Directive 12, which requires agencies to issue biometrically enabled identity cards to federal employees and contractors for entry to government buildings and computer networks;

-- Data leak prevention: List products installed to preclude sending unencrypted sensitive information outside the network perimeter;

-- Real-time security status and management: Describe automated capabilities that provide real-time to near-real-time cybersecurity situational awareness for the agency.