Model may provide security benchmark
- By Diane Frank
- Mar 07, 2000
The CIO Council on Thursday will present to Congress the draft of a model
that will enable agencies to evaluate and rank their security capabilities.
The council's Security Subcommittee is developing the Information Technology
Security Maturity Framework as a way for agencies, Congress and auditors,
such as the General Accounting Office, to tell how well security has been
incorporated into an agency's business process.
The model also could be used as a benchmark for measuring one agency's
security level against another, an ability that interests Rep. Stephen Horn
(R-Calif.), said John Gilligan, chief information officer at the Energy
Department and co-chairman of the CIO Council subcommittee.
"We've suggested to Congressman Horn that we use something like this
to encourage agencies to address the levels of security," Gilligan said.
Horn led the development of a system to grade agencies on Year 2000
readiness, and he and other members of Congress are looking for a similar
system for grading security capabilities.
The framework is based on the Carnegie Mellon Software Engineering Institute's
Capability Maturity Model. CMMs measure the maturity of an organization's
processes, tracking levels from an ad hoc process known by only a few people
to a repeatable process that has been institutionalized.
The council is working with SEI director Steve Cross to review the comments
on the subcommittee's draft and formalize the framework so it can be used
by agencies and Congress, Gilligan said.