Measurement Guide for Information Security | NIST Releases Volumes 1 and 2 of SP 800-55
December 04, 2024

NIST has published the final version of Special Publication (SP) 800-55, Measurement Guide for Information Security, which comprises:

  • SP 800-55v1, Volume 1 — Identifying and Selecting Measures
  • SP 800-55v2, Volume 2 — Developing an Information Security Measurement Program

Volume 1, Identifying and Selecting Measures, provides a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and likelihood modeling. Major updates to SP 800-55v1 include:

  • Introductory guidance on statistical analysis
  • Exploration of terminology relevant to the measurement and analysis of information technology
  • New information about measures documentation, reporting, data quality, and uncertainty
  • Expanded information on selecting and prioritizing measures, including information about developing, testing, and validating measures; comparing measures and assessment results; prioritizing measures; using likelihood and impact modeling; weighing scales; and evaluating methods for supporting continuous improvement

Volume 2, Developing an Information Security Measurement Program, provides a flexible methodology and workflow. Major updates to SP 800-55v2 include:

  • A new workflow for developing and implementing an information security measurement program
  • Expanded sections on measurement program benefits, program scope, foundations for a successful program, roles and responsibilities, the programmatic value of metrics, measures communication, organizational considerations, manageability, and data management concerns

For more information on SP 800-55, see NIST’s Measurements for Information Security project, and send inquiries to cyber-measures@list.nist.gov.

*****

NIST is also introducing a Metrics and Measures Community of Interest with a roundtable in 2025. For more information, see the Measurements for Information Security project and direct questions and comments to cyber-measures@list.nist.gov.

Related Topics

Security and Privacy: audit & accountability, maintenance, planning, risk management, security measurement

Laws and Regulations: OMB Circular A-11

Created December 02, 2024, Updated December 04, 2024