Why: Early generations of cyber security metrics were based on compliance and did not necessarily represent an agency’s ability to detect, defend against, and recover from cyber attacks. As both the policy and the technology evolved, there was an opportunity to improve the way we measured cyber performance.
What: Moving beyond the report card and compliance mentality, our consultants helped design and deploy an outcome-based model for cyber security performance. Beginning in 2009, agencies were required to assess their capabilities against a performance standard as part of their annual FISMA performance reporting and to formally commit to addressing any gaps. We developed descriptive guidance to better articulate the outcomes and built reference architectures to help guide efforts without prescribing specific technical solutions; this gave agencies the flexibility to implement a solution that met their own unique needs while contributing to national goals.