Organizations in government tend to be overly optimistic about their capabilities and performance, reference OPM's epic failure. Cyber security is too important to be left to self-assessments. An organization should be externally assessed and rated by unbiased and competent evaluators. Risk is only one aspect of management performance. Governance, culture and technical competence are but three key facets that determine an agency’s ability to manage their cyber security status. Only an outside grading of these factors can assure management attention to achieving a satisfactory result. Government is inherently isolated from performance standards and must rely on independent verification. A framework needs to be established, such as the FEDRAMP process, to evaluate and compel agencies to expected performance.