Legislation before Congress would require agencies to implement new ways to measure information security, including detailed blue-team analysis and red-team assaults on IT systems.

Most civilian agencies have not conducted blue/red team analysis, but it's been a common practice for years within Defense and intelligence agencies.

Among the leading organizations conducting blue/red team analysis for the Department of Defense, intelligence agencies and some units at the Department of Homeland Security is the three-year-old Vulnerability Analysis and Operations Groups at the National Security Agency.

Tony Sager serves as the group's chief, and he says such testing requires far more planning between his organization and client agencies than most people would expect. "It's not freeform, turn a bunch of people loose," Sager says. "There's a lot of consideration given to what is it that the customer would like to learn."

GovInfoSecurity.com Managing Editor Eric Chabrow interviewed Sager on how blue teams and red teams function.