Whenever Federal Government IT initiatives are put in place which require actions by the CIO’s, whatever they do will be reviewed and in a public fashion evaluated on by a series of oversight organizations; these include the Inspectors General and GAO with guidance provided by NIST and in some cases using a framework contained in legislation.

Thus, regardless of the quality and usefulness of the initiative, the actual implementation is shaped by the interaction of the level of political/organization strength (and nerve) of the CIO and the perceived nature of the oversight evaluation.

The result can be different than the intent.

The point of all this is that when OMB or other senior management in an administration think through what they want to accomplish, it would be valuable to also think about how the oversight requirements will impact on those goals.

As far as metrics, no one cares about the millions of intrusion attempts that one prohibits. I routinely had to address the failed login (access) attempts that some of the security personnel wanted us to address. I routinely dismissed them as security successes and didn’t apply any resources to following up on these types of events. The only events that folks really get concerned about are the successful intrusions. The measures that you can (try to) use are the speed of detection (only available through post analysis), the quality (accuracy) of data that your security folks pass to operations for event resolution, the speed of event containment and services restoration and scope (relative size/ containment) of the security breach. All security folks will probably agree that it is only a question of when you’ll be breached. What makes a difference is what you do operationally to manage the breach and work through the event.

As I read your post, I was struck by a similar, if smaller scale argument posed a recent panel discussing cloud at a very tactical level. As you know, within the Navy context the C&A function can be a challenge – and – with Cloud there appears to be significant confusion as to the appropriate accreditation & certification process.

Do you believe that your remarks regarding standardization and rational decision making extend to the C&A level as well?

Great post
-Scott