
US unveils security metrics
The new metrics should bolster the federal government's strategy to keep constant track of security vulnerabilities and threats as it moves forward with improvements to overall cyber security across agencies.
The fiscal 2011 Federal Information Security Management Act reporting metrics for CIOs, released this week, reflect an emphasis in compliance on real-time understanding and risk management, according to Government Computer News.
“The intent is to gather information on best practices and agency implementation status beyond minimal requirements,” states the document.
Next Gov says critics contend the Act compels managers to spend too much time completing meaningless checklists at the expense of more critical security-related tasks.
The US Congress is likely to overhaul the law as part of comprehensive cyber security legislation later this year.
To address some of the complaints, last year's Act guidance called for chief information officers to begin automating near real-time surveillance of controls so that annual reporting will be easier and represent more than a once-a-year snapshot.