For the information security program to be defined as effective under the FISMA maturity model, establish metrics and performance metrics to evaluate the effectiveness of configuration management, incident response, ISCM, and contingency planning policies and procedures, and processes to collect data, analyze results, and develop corrective actions.