The need and desire for metrics on cybersecurity has been a priority request from OSD leadership for ten years. When “cyber” became a quasi-official warfighting “domain” a decade ago, major programs of record were categorized as “cyber” programs. As such, the programs needed quantitative program parameters so that DoD leadership could track financial progress, technical performance, and capability milestones. Those program parameters, though, surpassed what the science and the state-of-the-art could provide. Eventually, the definition and standardization of workable cyber security metrics became a subject of study itself. This talk will summarize the speaker’s experience with DoD needs for cyber security metrics, the S&T communities suggestions, the current state of practice, and speculation on additional metrics for the future. In particular, metrics will be proposed that track capabilities, maturity, mission support, cost, and adversarial advantage.