Governments cannot defend what they cannot see.

There are a number of third party tools similar to Security Scorecard… in use by industry operators and industry security service providers. These “scorecards” provide a rating of cybersecurity postures of corporate entities through a non-intrusive “outside-in” view of security metrics and cyber threat intelligence signals. Tools and services such as this, if in wider use, could better inform industry of certain vulnerabilities to act upon and decrease gaps in cybersecurity. The Security Scorecard report does include several of the security measures required by the pipeline security directive. As such, TSA’s security directives and the implementation of required measures could be validated by the Security Scorecard or similar tools to readily identify potential security gaps.

“Tools and services such as [security ratings], if in wider use, could better inform industry of certain vulnerabilities to act upon and decrease gaps in cybersecurity. The SecurityScorecard report does include several of the security measures required by the pipeline security directive. As such, TSA’s security directives and the implementation of required measures could be validated by the SecurityScorecard or similar tools to readily identify potential security gaps.”

"The emergence of security ratings has increased the use of cyber risk quantification to calculate and measure cyber risk exposure. These security ratings provide a starting point for companies’ cybersecurity capabilities and help elevate cyber risk to the level of board decision-making."

"For even trusted sources, program managers should maintain continuous awareness of source compromises and be prepared to respond to sudden loss of trust in a repository."