OMB proposes new FISMA performance metrics

The Office of Management and Budget is considering new computer security reporting metrics that would include real-time security awareness and management.

The Office of Management and Budget has detailed possible new metrics for agencies to use in the annual computer security reporting they do to comply with the Federal Information Security Management Act.

The proposed metrics “represent a new approach, which focuses on improving security, not just compliance,” according to a statement posted on the National Institute of Standards and Technology’s Web site. FISMA compliance requirements have often been criticized for being too focused on paperwork.

OMB asked that comments on the potential metrics be sent to OMB-Metrics@nist.gov by Jan. 4, 2010.

In the OMB’s report to Congress on agencies’ FISMA implementation during fiscal 2008, OMB said it would review the security metrics agencies use to report their compliance with FISMA and it may develop new metrics to improve the assurance of information security.

“These metrics should encourage agencies to take concrete steps to improve their security posture by implementing monitoring tools, strengthening areas such as identity and configuration management, and reporting on four new categories: remote access management, identity and access management, data level controls, real-time security awareness and management,” the statement, posted Dec. 8, said.