Continuous monitoring part of fiscal 2011 FISMA metrics
Federal agencies preparing their annual Federal Information Security Management Act reports for Homeland Security Department scrutiny later this year now know what metrics DHS wants agencies to use.
DHS's fiscal 2011 FISMA reporting metrics (we are deep in the third quarter of fiscal 2011, which ends Sept. 30) are dated June 1 and have been posted online by the SANS Institute. The metrics were prepared by the National Cyber Security Division within DHS.
Among the metrics, which are often couched as questions agencies must answer, is that of continuous monitoring.
"What percentage of data from the following potential data feeds are being monitored at appropriate frequencies and levels in the Agency?" the document asks, listing a number of sources such as various logs and system alerts.
The metrics don't specify what constitutes "appropriate frequencies" of monitoring.
The metrics also ask agencies to report the number of information systems deployed in the past 12 months that were subject to automated source code testing tools, the average frequency of supplemental cybersecurity awareness training given to employees beyond the required annual training, and the number of agency networks on which controlled penetration testing was performed in the past year.
For more:
- download the fiscal 2011 FISMA metrics from the SANS Institute website (.pdf)