Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-55 Rev. 2 (Initial Working Draft)

Performance Measurement Guide for Information Security

Date Published: November 14, 2022
Comments Due: February 27, 2023 (public comment period is CLOSED)
Email Questions to:


Katherine Schroeder (NIST), Hung Trinh (NIST)


This working draft of SP 800-55 Revision 2 is an annotated outline that will enable further community discussions and feedback. Comments received by the deadline will be incorporated to the extent practicable. NIST will then post a complete public draft of SP 800-55 Rev. 2 for an additional comment period.

The comment period is open through February 13, February 27, 2023. Submit comments to with “Comment on NIST SP 800-55r2 initial working draft” in the subject field.

Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally identifiable information and confidential business information should not be included (e.g., account numbers, Social Security numbers, names of other individuals). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.

Note to Reviewers

We seek input on the changes being proposed to SP 800-55. New sections are noted as new additions to SP 800-55. Many are also marked by a “Note to Reviewer” with a request for feedback. These questions are meant to facilitate discussion and should not discourage input on any other topics within this annotated outline. There are three additional questions for reviewer consideration. These questions are:

  1. CIOs and CISOs: What measurement and metrics guidance would benefit your program?
  2. How to best communicate information security measurement needs up and down the organizational structure?
  3. Examples: What kinds of measures and metrics examples or templates could this publication provide that would be helpful in your work?

This working draft also has sections with only minor planned changes marked as “intentionally left out of this review cycle” to allow for readers to focus on the more substantial proposed changes. The Initial Public Draft will include the full proposed text for all sections of the document. Feedback is still welcome on the sections not highlighted in this Initial Working Draft.  

A virtual public forum was held on December 13, 2022, to introduce the working draft of SP 800-55 and highlight the various questions for reviewers within the document through a panel of practitioners across different sectors.



information security; metrics; measures; security controls; performance; reports
Control Families

None selected


Download URL

Supplemental Material:
None available

Related NIST Publications:
SP 800-55 Rev. 1

Document History:
09/24/20: SP 800-55 Rev. 2 (Draft)
11/14/22: SP 800-55 Rev. 2 (Draft)
01/17/24: SP 800-55 Vol. 1 (Draft)