
How to establish IAM metrics within the Zero Trust framework

An effective IAM metrics program needs to link specific IAM key performance indicators to broader IAM and organizational goals.


Government agencies are implementing Zero Trust plans mandated by President Biden’s Executive Order on Improving the Nation’s Cybersecurity and the Office of Management and Budget (OMB) memorandum M-22-09. Zero Trust programs need to measure identity and access management (IAM) effectively. To build or enhance an IAM metrics program, we recommend the following steps:

Linking IAM metrics to organizational goals

 

An effective IAM metrics program needs to link specific IAM key performance indicators (KPIs) to broader IAM and organizational goals. As shown below, we will reference the Zero Trust M-22-09 Identity strategic goal: “Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.”


Summary 

By aligning strategic goals with supporting goals and KPIs, organizations can establish IAM metrics programs that focus on measuring outcomes and tracking progress toward desired objectives. This structured approach facilitates effective monitoring, evaluation and continuous improvement of the IAM program. In the ongoing effort to mature IAM within the Zero Trust framework, establishing and integrating IAM reporting and metrics is critical to success.
