
Measurements for Information Security


These are standard publications and guidelines that provide perspectives and frameworks to inform, measure, and manage cybersecurity vulnerabilities and exposures.


NIST SP 800-55 Vol. 1 (Initial Public Draft) Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures

Volume 1 — Identifying and Selecting Measures is a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and likelihood modeling.


NIST SP 800-55 Vol. 2 (Initial Public Draft) Measurement Guide for Information Security: Volume 2 — Developing an Information Security Measurement Program

Volume 2 – Developing an Information Security Measurement Program is a methodology for developing and implementing a structure for an information security measurement program.


SP 800-30 Rev. 1 Guide for Conducting Risk Assessment

This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems throughout their system development life cycle.


SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View

This document provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.


SP 800-53 Rev. 5 (Draft) Security and Privacy Controls for Federal Information Systems and Organizations

This document provides a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things devices.


SP 800-53A Rev. 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations

This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations.


SP 800-137A Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

This publication describes an approach for the development of Information Security Continuous Monitoring (ISCM) program assessments that can be used to evaluate ISCM programs within federal, state, and local governmental organizations, and commercial enterprises.


SP 800-161 Rev. 1 PRE-DRAFT Call for Comments: Supply Chain Risk Management Practices for Federal Information Systems and Organizations

NIST seeks the input of SP 800-161 stakeholders to ensure Revision 1 will continue to deliver a single set of cyber supply chain risk management practices to help federal departments and agencies manage the risks associated with the acquisition and use of IT/OT products and services in a way that is functional and usable.


Cybersecurity Framework (CSF)

This voluntary Framework consists of standards, guidelines and best practices to manage cybersecurity risk. The Cybersecurity Framework version 1.1, section 4.0 provides details related to measurement/self-assessment.


Cryptographic Standards and Guidelines

Users of the former "Crypto Toolkit" can now find that content under this project. It includes cryptographic primitives, algorithms and schemes that are described in some of NIST's Federal Information Processing Standards (FIPS), Special Publications (SPs) and NIST Internal/Interagency Reports (NISTIRs).


NISTIR 8011 Automation Support for Security Control Assessments 

These volumes provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.

  • Volume 1 introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. 
  • Volume 2 addresses the Hardware Asset Management (HWAM) information security capability.
  • Volume 3 addresses the Software Asset Management (SWAM) information security capability. 
  • Volume 4 addresses the management of risk created by defects present in software on the network.


NISTIR 8286 (Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)

This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. NISTIR 8286 connects cybersecurity and ERM through the use of a risk register.


NISTIR 8289 Quantities and Units for Software Product Measurements

This report collects and organizes the most important quantities used in software metrics, focusing on software as a product rather than its development process.




Created July 01, 2020, Updated January 29, 2024