"Agency computer systems are vulnerable because many lack basic controls,
and one of the best ways to improve information technology security is
to improve the metrics for how departments measure how these basic
controls are implemented."
Golly. Those in charge of rewriting FISMA have figured out that they probably need information security metrics to track government departments' performance.
OK guys, the next baby step is to work out what metrics are needed.
I'll put money on "number of security incidents" being one of the 'cutting edge security metrics' about to be proposed, followed shortly by some bright spark noticing and promoting NISP SP 800-55 as The Answer.
With that and the news about the hacking of three well-known US electronic voting systems, I'm glad I don't live in the Good Ol' US of Eh?