This is actually an interesting discussion: Critical Infrastructure: Better Cybersecurity Metrics Needed. From a high-level view there is nothing to object to here. Definitely we need better metrics, and definitely they would help us understand the maturity of security in any given company, not just in critical infrastructure. But wait: I think this is a discussion we have been having for quite a while in the security community. Personally, I have been looking into this for some time and was blogging about it as well (The Debate on Security Metrics, Security Metrics – a Failure?, Security Metrics – Part 2). I was asking the same question again and again: Has anybody found some reasonable security metrics?
I typically run a test when somebody presents metrics to me: Which decision am I (or somebody else) unable to take without this metric? If I do not get an answer, the metric is not worth the effort spent collecting it. Unfortunately, this is exactly where we typically fail.
So, the government asking for better metrics makes a lot of sense, but we need metrics that actually make sense, and there I fear we are jumping on the wrong train.
If somebody has a good approach, I would definitely be more than happy to learn about it. Maybe academia has something?