The results were less than sterling and represent a trend that is mirrored in private industry. The Ponemon Institute released a report (November 2009), commissioned by Lumension, on the State of Endpoint Security. Metrics from both reports demonstrate a continued lack of strategic focus for information security efforts, and that should be alarming. Some key metrics (a subset of the 19 criteria) from the GAO report are as follows. The table shows the percentage of plans that fully addressed, partially addressed, or did not address each criterion (organized by key topic area).

Criterion | % Completed | % Partially Completed | % Not Touched
Describe the agency's long-term protective strategy to protect the cyber critical infrastructure identified in the plan | 56% | 0% | 44%
Summarize the agency's ability to identify gaps in carrying out any of the activities discussed above | 67% | 0% | 33%
Describe any corrective actions identified for cyber-related issues and if follow-on actions were taken | 72% | 0% | 28%
Describe performance metrics for the CIP program | 72% | 0% | 28%
Discuss any specific management, technical, or operational challenges with regard to implementation of the plan | 72% | 0% | 28%
Summarize locations and assets that support the primary functions | 67% | 17% | 22%
Describe the agency's process for ensuring independent oversight of cyber CIP programs | 78% | 0% | 22%
Determine whether corrective actions for IT systems considered critical infrastructure were included in Federal Information Security Management Act (FISMA) plans of action and milestones | 78% | 0% | 22%
Include a prioritized list of the agency's cyber-related critical infrastructure | 78% | 0% | 22%
Describe milestones for the initiatives described and target dates for completing each milestone | 83% | 0% | 20%
Describe the agency's current capabilities for prioritization of federal cyber assets | 83% | 7% | 13%
Describe the status of major initiatives that are underway or planned for addressing cyber-related deficiencies | 89% | 0% | 13%

The Ponemon study goes on to indicate that only about 38% of the annual security budget supports business objectives. When you review this against the GAO metric of 44% of plans leaving the long-term protective strategy untouched, it seems unlikely that the budgets in US agencies are aligned with agency missions: no strategic security plans are in place, and such plans should be crafted with agency objectives and government directives driving the themes.

Another alarming number, which may seem low to some, is the asset information percentage:

Summarize locations and assets that support the primary functions | 67% | 17% | 22%

If agencies don't know the locations of their assets, or don't know which assets support the primary functions of critical infrastructure, then there is no way they can secure them. In addition, you cannot have a plan to remediate what you don't know you have, and you cannot include it in a budget since it is unknown. Therefore it is difficult to provide alignment with agency objectives and government directives. A core component of any IT plan (not just security) is asset management, with configuration management being its twin sister. Combine this with the following metric:

Include a prioritized list of the agency's cyber-related critical infrastructure | 78% | 0% | 22%

and with an asset discovery process aligned to critical systems, and it certainly seems that we as a nation are at risk of penetration and data leakage, since we do not know what we have and therefore don't know what we don't know.
Keep in mind that this is now 5 years after the initial Presidential directive and guidance was released. Also keep in mind the millions of records lost that we know of, and the ingenuity of criminal and state-sponsored elements in devising and executing penetration efforts against US critical infrastructures. There are many more metrics we could cover that describe the state of current agency efforts to secure the nation's critical infrastructure, but I believe this is enough to demonstrate the current maturity of the efforts.

Strategic plans should be in place as a core and standard component of any security program, constantly updated as the threat environment changes. Programs derive from the strategy as a tool to direct execution. The execution is managed using program and project management that drives gap analysis and remediation activities, which should occur continuously and not once a year. Management, technical, and operational controls need to be established to enable continuous monitoring of critical infrastructures in order to provide an 'anytime' view of agency (or private corporation) security posture. Easier said than done, and a completely different topic, but this would remove the need for point-in-time C&A efforts.

The metrics tell the story, and they cross both public and private sectors.
What I get from the metrics, in brief, is as follows:

- Leadership needs to come from the top
  - Agency and company heads should make information security a highly prioritized enterprise initiative
- Strategic vision is required
  - Tactical must follow, but it should not lead
- Security must align to business and agency missions
- Security and IT must meld together into a cohesive force
- Assets must be discovered continuously
- Assets must be monitored continuously
- This needs to be done yesterday

What do you see?