Program Management Playbook


Step 11 - Measure and Report Performance


Assigning performance measurements to your agency's ICAM program gives decision makers and stakeholders a tool to monitor progress, determine program effectiveness, and identify areas that need more funding or process improvement. Performance reporting for ICAM programs has traditionally focused on external reporting requirements (e.g., OMB HSPD-12 implementation status reports).

Checklist

Leverage Performance Reporting. Determine how to use performance reporting to improve alignment with your ICAM segment architecture and to drive progress on ICAM programs internal to the agency.

Include Agency ICAM Metrics. Incorporate relevant metrics into your Exhibit 300 business case submissions for any ICAM investment as a means of tracking important information and showing the investment's results and value to your agency.

ICAM-specific FY16 FISMA Reporting Metrics

The FY16 CIO FISMA Metrics contain several metrics applicable to ICAM, intended to ensure that departments and agencies safeguard their systems, networks, and facilities with appropriate cybersecurity defenses. These metrics serve as an existing foundation for agency reporting requirements and performance measurement. All of the metrics below come from the Protect section; those tagged (CAP) support the Cybersecurity Cross-Agency Priority goal, and (Base) marks a base count that later metrics draw from:

Subsection: Unprivileged Network Users
2.4. Number of users with unprivileged network accounts. (Exclude privileged network accounts and non-user accounts.) (Base)
2.4.1. Number of users (from 2.4.) technically required to log onto the network with a two-factor PIV card or NIST Level of Assurance (LOA) 4 credential. (CAP)
2.4.2. Number of users (from 2.4.) allowed to use username and password as their primary method for network authentication. (CAP)

Subsection: Privileged Network Users
2.5. Number of users with privileged network accounts. (Exclude unprivileged network accounts and non-user accounts.) (Base)
2.5.1. Number of users (from 2.5.) technically required to log onto the network with a two-factor PIV card or NIST LOA 4 credential. (CAP)
2.5.2. Number of users (from 2.5.1.) that are also using the same PIV card or NIST LOA 4 credential for both unprivileged network accounts and privileged network accounts.
2.5.3. Number of users (from 2.5.) allowed to use username and password as their primary method for network authentication. (CAP)

Subsection: Network Accounts
2.6. Number of unprivileged network accounts assigned to users. (Exclude privileged network accounts and non-user accounts.)
2.7. Number of privileged network accounts assigned to users. (Exclude unprivileged network accounts and non-user accounts.)
2.8. Number of non-user privileged network accounts. (Exclude unprivileged network accounts and privileged network accounts assigned to a user.)

Subsection: Least Privilege
2.9. Number of privileged network users (from 2.5.) that had their privileges reviewed this fiscal year.
2.10. Number of privileged network users (from 2.9.) that had their privileges adjusted or terminated after being reviewed this year.
2.11. Number of users with privileged local system accounts.
2.12. Number of users with privileged local system accounts (from 2.11.) technically required to log onto the system with a two-factor PIV card or NIST LOA 4 credential.

Subsection: Physical Access Control Systems
2.13. Percent (%) of D/A's operational Physical Access Control Systems (PACS) that comply with procurement requirements for purchasing products and services from the FIPS 201 Approved Products List maintained by the General Services Administration (GSA) (per OMB M-06-18).
2.14. Percent (%) of agency's operational PACS that electronically accept and authenticate internal users' PIV credentials for routine access in accordance with NIST standards and guidelines (e.g., FIPS 201-2 and NIST SP 800-116).

Subsection: Data Protection and Remote Access
2.15. Number of systems (from 1.1.) that require all users (100% privileged and 100% unprivileged) to authenticate using a two-factor PIV card or NIST LOA 4 credential.
2.16. Number of GFE endpoints and mobile assets (from 1.2.1. and 1.2.2.) with data encrypted at rest (FIPS 140-2).
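The account-centric metrics above (2.4 through 2.8) are easy to misreport because some count users and some count accounts, and because 2.5.2 depends on knowing which PIV credential is bound to which account. The script below is an added example, not part of the playbook and not an official FISMA reporting tool; it computes those metrics from a constructed account inventory whose field layout (user, privileged, auth, credential) is an assumption made for illustration, and it checks the arithmetic relationships the metric definitions imply before the numbers go into a report.

```python
"""FY16 FISMA "Protect" metrics 2.4-2.8 computed from an account inventory.

Added example; not from the playbook and not an official FISMA tool.
The inventory record layout is an assumption for illustration.
"""
from collections import defaultdict

# Constructed sample inventory (not real agency data). One record per
# network account. Assumed fields:
#   user        - owner of the account, or None for non-user (service) accounts
#   privileged  - True for privileged network accounts
#   auth        - primary network authentication the account is technically
#                 required to use: "piv" (two-factor PIV / NIST LOA 4) or "password"
#   credential  - identifier of the PIV credential bound to the account (or None),
#                 so 2.5.2 can tell whether one card serves both account classes
ACCOUNTS = [
    {"id": "jdoe",        "user": "jdoe",   "privileged": False, "auth": "piv",      "credential": "piv-001"},
    {"id": "jdoe-adm",    "user": "jdoe",   "privileged": True,  "auth": "piv",      "credential": "piv-001"},
    {"id": "asmith",      "user": "asmith", "privileged": False, "auth": "password", "credential": None},
    {"id": "asmith-adm",  "user": "asmith", "privileged": True,  "auth": "piv",      "credential": "piv-002"},
    {"id": "bwong",       "user": "bwong",  "privileged": False, "auth": "piv",      "credential": "piv-003"},
    {"id": "bwong-lab",   "user": "bwong",  "privileged": False, "auth": "password", "credential": None},
    {"id": "svc-backup",  "user": None,     "privileged": True,  "auth": "password", "credential": None},
    {"id": "svc-monitor", "user": None,     "privileged": False, "auth": "password", "credential": None},
]


def _user_accounts(accounts, privileged):
    """Map each user to their accounts in one privilege class.
    Non-user accounts are dropped; users with no such account are absent."""
    grouped = defaultdict(list)
    for acct in accounts:
        if acct["user"] is not None and acct["privileged"] == privileged:
            grouped[acct["user"]].append(acct)
    return grouped


def _piv_credentials(accts):
    """PIV credential identifiers bound to PIV-enforced accounts."""
    return {a["credential"] for a in accts if a["auth"] == "piv" and a["credential"]}


def fisma_protect_metrics(accounts):
    """Return metrics 2.4-2.8 keyed by metric number.

    2.4/2.5 count users (a person with two unprivileged accounts counts once);
    2.6-2.8 count accounts. "Technically required" is read as every account the
    user holds in that class enforcing PIV; "allowed to use username and
    password" as any account in that class permitting it.
    """
    unpriv = _user_accounts(accounts, privileged=False)
    priv = _user_accounts(accounts, privileged=True)
    m = {}
    m["2.4"] = len(unpriv)
    m["2.4.1"] = sum(all(a["auth"] == "piv" for a in accts) for accts in unpriv.values())
    m["2.4.2"] = sum(any(a["auth"] == "password" for a in accts) for accts in unpriv.values())
    m["2.5"] = len(priv)
    piv_priv_users = [u for u, accts in priv.items() if all(a["auth"] == "piv" for a in accts)]
    m["2.5.1"] = len(piv_priv_users)
    # 2.5.2: users from 2.5.1 whose privileged-account PIV credential is also
    # bound to one of their unprivileged accounts (same card for both classes).
    m["2.5.2"] = sum(
        bool(_piv_credentials(priv[u]) & _piv_credentials(unpriv.get(u, [])))
        for u in piv_priv_users
    )
    m["2.5.3"] = sum(any(a["auth"] == "password" for a in accts) for accts in priv.values())
    m["2.6"] = sum(1 for a in accounts if a["user"] is not None and not a["privileged"])
    m["2.7"] = sum(1 for a in accounts if a["user"] is not None and a["privileged"])
    m["2.8"] = sum(1 for a in accounts if a["user"] is None and a["privileged"])
    return m


def sanity_checks(m):
    """Relationships the definitions imply (given auth is always piv or
    password); returns a list of violations, empty when the report is consistent."""
    problems = []
    if m["2.4.1"] + m["2.4.2"] != m["2.4"]:
        problems.append("2.4.1 + 2.4.2 should partition 2.4")
    if m["2.5.1"] + m["2.5.3"] != m["2.5"]:
        problems.append("2.5.1 + 2.5.3 should partition 2.5")
    if m["2.5.2"] > m["2.5.1"]:
        problems.append("2.5.2 must be a subset of 2.5.1")
    if m["2.6"] < m["2.4"] or m["2.7"] < m["2.5"]:
        problems.append("account counts cannot be below user counts")
    return problems


if __name__ == "__main__":
    metrics = fisma_protect_metrics(ACCOUNTS)
    for key in sorted(metrics, key=lambda k: [int(x) for x in k.split(".")]):
        print(f"{key:6} {metrics[key]}")
    print("checks:", sanity_checks(metrics) or "ok")
```

In the sample data bwong holds one PIV-enforced and one password unprivileged account, so that user lands in 2.4.2 rather than 2.4.1; asmith's privileged account enforces PIV but the card differs from anything on the unprivileged side, so only jdoe counts toward 2.5.2. The service account svc-monitor is unprivileged and non-user, so it is excluded from every metric, while svc-backup is the single entry in 2.8.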


Implementation Tip

It is important that leadership and management feel ownership of, and accountability for, the success of their agency's ICAM program. One way to accomplish this is to tie the ICAM program's outcomes and accomplishments specifically to the responsible individual's yearly performance plan.