NIST has published the final version of Special Publication (SP) 800-55, Measurement Guide for Information Security, which comprises:
Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and likelihood modeling. Major updates to SP 800-55v1 include:
Volume 2, Developing an Information Security Measurement Program, provides a flexible methodology and workflow. Major updates to SP 800-55v2 include:
For more information on SP 800-55, see NIST’s Measurements for Information Security project, and send inquiries to cyber-measures@list.nist.gov.
*****
NIST is also introducing a Metrics and Measures Community of Interest with a roundtable in 2025. For more information, see the Measurements for Information Security project and direct questions and comments to cyber-measures@list.nist.gov.
Security and Privacy: audit & accountability, maintenance, planning, risk management, security measurement
Laws and Regulations: OMB Circular A-11