Model may provide security benchmark

The CIO Council on Thursday will present to Congress the draft of a model

that will enable agencies to evaluate and rank their security capabilities.

The council's Security Subcommittee is developing the Information Technology

Security Maturity Framework as a way for agencies, Congress and auditors,

such as the General Accounting Office, to tell how well security has been

incorporated into an agency's business process.

The model also could be used as a benchmark for measuring one agency's

security level against another, an ability that interests Rep. Stephen Horn

(R-Calif.), said John Gilligan, chief information officer at the Energy

Department and co-chairman of the CIO Council subcommittee.

"We've suggested to Congressman Horn that we use something like this

to encourage agencies to address the levels of security," Gilligan said.

Horn led the development of a system to grade agencies on Year 2000

readiness, and he and other members of Congress are looking for a similar

system for grading security capabilities.

The framework is based on the Carnegie Mellon Software Engineering Institute's

Capability Maturity Model. CMMs measure the maturity of an organization's

processes, tracking levels from an ad hoc process known by only a few people

to a repeatable process that has been institutionalized.

The council is working with SEI director Steve Cross to review the comments

on the subcommittee's draft and formalize the framework so it can be used

by agencies and Congress, Gilligan said.