This year, the FISMA metrics are moving away from checklist compliance with the law and toward more active cybersecurity measures and continuous monitoring of networks.
As the FISMA document explains, “the intent is to gather information on best practices and agency implementation status beyond minimal requirements.”
The document contains a series of questions and requests for information related to federal information security systems. For example, under continuous monitoring, the document asks: “What percentage of data from the following potential data feeds [e.g., vulnerability scans] are being monitored at appropriate frequencies and levels in the agency?” and “To what extent is the data collected, correlated, and being used to drive action to reduce risks?”
Alan Paller, director of research for the SANS Institute, called the FISMA metrics “a huge improvement” that should “result in rapid risk reduction and potentially allow the government to lead by example in showing how to manage cybersecurity effectively.”
Paller told InformationWeek that this is the “first time [the government has] included effectiveness measures and a major focus on the 20 critical controls, so it saves agencies millions of dollars by enabling them to use the money on what matters most. That means radically better security.”