Beyond FISMA: State Dept.'s Next Gen Metric - Interview with John Streufert, State Department Deputy CIO and CISO

Summary: To get a peak as to how IT security will be measured after FISMA, take a look at what's happening at Foggy Bottom. <p>The State Department in 2006 instituted its Risk Scoring Program, which is aimed at pinpointing and correcting the worst vulnerabilities on any particular day on any of its worldwide systems and networks. </p><p>John Streufert, the State Department deputy chief information officer and chief information security officer, says in an interview with GovInfoSecurity.com that the daily monitoring of IT vulnerabilities under Risk Scoring truly measures systems and network security as compared with the once-every-three-year assessment required by the Federal Information Security Management Act of 2002. Because of Risk Scoring, overall risk on State's key unclassified network has plunged by more than 80 percent in the past year. </p><p>As lawmakers craft legislation to upgrade to FISMA, expect to see a program like Risk Scoring incorporated in it. </p><p>Streufert spoke with Eric Chabrow, GovInfoSecurity.com managing editor, in the first of a two-part interview.</p>