Public/private groups work on security metrics

Organizations across the public and private sectors are working together to establish tools that agencies can use to measure the effectiveness of their information security programs.

In a quarterly meeting this month, the Computer System Security and Privacy Advisory Board, a group of federal and private-sector security experts, began to develop a workshop that would gather security metrics and then teach the metrics to federal IT professionals. The board plans to offer the workshop next year.

A working group within the White House's Office of Science and Technology Policy (OSTP) also has been looking at developing a security metrics workshop, so the two groups have decided to work together.

Providing metrics will help agencies as they move their business functions to the Internet, said advisory board member Joseph Leo, deputy administrator for management government at the Agriculture Department's Food and Consumer Service.

Such metrics will be helpful as agencies try to comply with the Government Paperwork Elimination Act of 1998 and Presidential Decision Directive 63, he said. GPEA requires agencies to provide the public with the opportunity to submit government forms electronically whenever possible by 2003. PDD 63 requires agencies to develop ways to protect their critical information systems from cyberattacks.

The board is considering including many types of metrics in the study and workshop, from measuring agencies' progress in developing security practices and installing products to tracking the effectiveness of security measures.

"Without common, accepted metrics of some type, it's going to be hard to make the case" to invest in security, said John Sabo, board member and manager of security strategy and business development at IBM Network Computing Software.

But in the first few months, the groups simply may aim to encourage a discussion of security metrics, said Fran Nielsen, a computer scientist at the National Institute of Standards and Technology's Computer Security Division, which the advisory board has tapped to lead the development of the workshops.

The OSTP critical infrastructure research and development interagency working group has been working with public- and private-sector representatives since 1998 on security R&D issues in banking, information and communications, energy, transportation, human services and interdependency.

Participants in each of those areas expressed concerns that no one really understands security vulnerabilities and that the lack of metrics is contributing to this problem, said Bruce MacDonald, assistant director for national security at OSTP's national security and international affairs division.
