Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-55 Vol. 2 (Initial Public Draft)

Measurement Guide for Information Security: Volume 2 — Developing an Information Security Measurement Program

Date Published: January 17, 2024
Comments Due: March 18, 2024 (public comment period is CLOSED)
Email Questions to: cyber-measures@list.nist.gov

Author(s)

Katherine Schroeder (NIST), Hung Trinh (NIST), Victoria Pillitteri (NIST)

Announcement

The initial public drafts (ipd) of NIST Special Publication (SP) 800-55, Measurement Guide for Information Security, Volume 1 – Identifying and Selecting Measures and Volume 2 – Developing an Information Security Measurement Program are available for comment after extensive research, development, and customer engagement.

In response to the feedback from the pre-draft call for comment and initial working draft (annotated outline), NIST continued to refine the publications by organizing the guidance into two volumes and developing more actionable and focused guidance in each. 

  • Volume 1 — Identifying and Selecting Measures is a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessment and provides basic guidance on data analysis techniques as well as impact and likelihood modeling.
  • Volume 2 – Developing an Information Security Measurement Program is a methodology for developing and implementing a structure for an information security measurement program.

Submit Your Comments

The public comment period is open now through March 18, 2024. We strongly encourage you to use these comment templates for Vol. 1 and Vol. 2, if possible, and submit it to cyber-measures@list.nist.gov.

Reviewers are encouraged to comment on all or part of each draft volume. NIST is specifically interested in comments, feedback, and recommendations for the following topics:

Volume 1:

  • The delineation between assessment and measurement
  • Additional feedback on the guidance on measures and its relationship to measures
  • Additional feedback on the approach to develop, select, and prioritize information security measures

Volume 2:

  • Insight on how organizations are using metrics as part of their information security measurement program
  • Additional feedback on the section on aggregating measures and risk communication
  • Additional feedback on the workflow for implementing an information security measurement program

Please direct questions and comments to cyber-measures@list.nist.gov.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy  Inclusion of Patents in ITL Publications.

Abstract

Keywords

assessment; information security; measurement; measures; metrics; performance; program; reports; security controls
Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-55v2.ipd
Download URL

Supplemental Material:
Comment template (xlsx)
NIST news article

Publication Volumes:
SP 800-55 Vol. 1

Document History:
09/24/20: SP 800-55 Rev. 2 (Draft)
11/14/22: SP 800-55 Rev. 2 (Draft)
01/17/24: SP 800-55 Vol. 2 (Draft)
12/04/24: SP 800-55 Vol. 2 (Final)