GAO on Federal Information Security: Improved Metrics Needed to Measure Effectiveness

Editor’s Note: CRE’s 2012 statement to the Information Security and Privacy Advisory Board (ISPAB) on the need for metrics to measure the security effectiveness and the cost effectiveness of FedRAMP is available here. A CRE article on CircleID explaining that “metrics will need to be developed to measure the security and cost effectiveness of cyber-reliant products and services…” is available here.

The complete GAO report is available here. GAO’s recommendations are below.

From: GAO

We recommend that the Director of the Office of Management and Budget, in coordination with the Secretary of Homeland Security, take the following actions to enhance the usefulness of the annual FISMA reports and to provide additional insight into agencies’ information security programs:

• develop compliance metrics related to periodic assessments of risk and development of subordinate security plans, and

• develop metrics for inspectors general to report on the effectiveness of agency information security programs.
