Cybersecurity Performance Metrics may be coming

This was written by Jack Mann on Tuesday, December 15, 2009, 11:58.

The Office of Management and Budget and the National Institute of Standards and Technology have released a draft proposal for new cybersecurity performance metrics. The new metrics focus, among other things, on real time monitoring, combating one of the principle complaints regarding current cybersecurity metrics under FISMA.

Under FISMA, the metrics that agencies reported on dealt more with tangential issues, such as back up plan testing, instead of real-time operational security. According to a statement of NIST’s website “These metrics represent a new approach, which focuses on improving security, not just compliance. These metrics should encourage agencies to take concrete steps to improve their security posture.”

The new proposal includes four new categories including data level controls, access and identity management, managing remote access and real time security management and awareness.