Measurement Guide for Information Security | NIST Releases Volumes 1 and 2 of SP 800-55
NIST has published the final version of Special Publication (SP) 800-55, Measurement Guide for Information Security, which comprises:
- SP 800-55v1, Volume 1 — Identifying and Selecting Measures
- SP 800-55v2, Volume 2 — Developing an Information Security Measurement Program
Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and likelihood modeling. Major updates to SP 800-55v1 include:
- Introductory guidance on statistical analysis
- Exploration of terminology relevant to the measurement and analysis of information technology
- New information about measures documentation, reporting, data quality, and uncertainty
- Expanded information on selecting and prioritizing measures, including information about developing, testing, and validating measures; comparing measures and assessment results; prioritizing measures; using likelihood and impact modeling; weighing scales; and evaluating methods for supporting continuous improvement
Volume 2, Developing an Information Security Measurement Program, provides a flexible methodology and workflow. Major updates to SP 800-55v2 include:
- A new workflow for developing and implementing an information security measurement program
- Expanded sections on measurement program benefits, program scope, foundations for a successful program, roles and responsibilities, the programmatic value of metrics, measures communication, organizational considerations, manageability, and data management concerns
For more information on SP 800-55, see NIST’s Measurements for Information Security project, and send inquiries to cyber-measures@list.nist.gov.
*****
NIST is also introducing a Metrics and Measures Community of Interest with a roundtable in 2025. For more information, see the Measurements for Information Security project and direct questions and comments to cyber-measures@list.nist.gov.
NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: cyber-measures@list.nist.gov
CSRC Website questions: csrc-inquiry@nist.gov