IPY-03: measure the number of data flows where the traffic is decrypted for analysis. If this number is not 0, this control is not effective. #73

Open
pritikin opened this issue Oct 12, 2022 · 2 comments

Comments

@pritikin
Collaborator

This is a proposed effectiveness metric from Walt Williams

IPY-03-M2
To test for effectiveness, measure the number of data flows where the traffic is decrypted for analysis. If this number is not 0, this control is not effective.

@pritikin
Collaborator Author

The current IPY-03-M2 metric does track this:
"This metric measures the percentage of data flows that use an approved, standardized cryptographic security function for interoperable transmissions of data."

Some improvements would be to track the amount of data transmitted vs. just the count of flows. There may be tons of unencrypted low-risk / low-quantity data flows, which would skew the metric as currently written.

But a secondary concern voiced in the Oct 13th call is around CEK key management (and insertion of MiTM). We'll create a CEK proposal for that.

@mosi-k-platt
Collaborator

In the spirit of "don't let perfect be the enemy of good", I don't think 100% should be the SLO for a metric. If we don't expect 100% uptime for mission-critical systems, then why should expectations change for security controls which may not be as critical?
