A few sections that I feel strongly about and look forward to studying more, and hopefully helping teams work on generally.
This feels very aligned with themes and success patterns within the advanced technology development space. There is an art to these metrics, though, and I am interested in the philosophy, raw inputs, and weight placed upon the thousands of metrics that could be collected:
Action Item 5.3.3 OMB should integrate cybersecurity metrics with agency performance metrics, review these metrics biannually, and integrate metrics and associated performance with the annual budget process. (SHORT TERM)
The idea of creating consistency and similarity seems to risk weakening the resiliency of the currently structured components: the variety in administration, build, procedure, and custom threat augmentation all diminish with consistency. This will be interesting to watch in light of historic events. Cost-wise I see an advantage; resiliency-wise I am hesitant:
Recommendation 5.1 The federal government should take advantage of its ability to share components of the information technology (IT) infrastructure by consolidating basic network operations.
Well, this sounds absolutely identical to the initiative that Mudge and his wife have set up in Washington and presented at DefCon. Well done:
Action Item 3.1.1 To improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity “nutritional label” for technology products and services— ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand. (SHORT AND MEDIUM TERM)
Maybe if we stopped reciting roles and responsibilities to regular consumers of our technology and instead spoke to them in plain English, as I learned the hard way writing the Consumer "roles and responsibilities" part of How Not To Be Hacked:
Action Item 3.1.3 The FTC should convene consumer organizations and industry stakeholders in an initiative to develop a standard template for documents that inform consumers of their cybersecurity roles and responsibilities as citizens in the digital economy.
More to follow … I hope there is more transparency around these results and the process, to enhance our Nation's future success and safety.