NIST is planning to update NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security. For more details on an opportunity to provide input, see the Call for Comments which is open through December 10, 2020 November 19, 2020.

Even as cybersecurity-based risks and the costs of dealing with those risks are increasing, measuring cybersecurity remains an under-developed topic—one in which there is not even a standard taxonomy for terms such as “measurements” and “metrics.” Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution not only to the cybersecurity community but much more broadly.

Building on its previous efforts, NIST is undertaking a more focused program on measurements related to cybersecurity.  The goal is to support the development and alignment of technical measurements to determine effect of cybersecurity initiatives and responses on high-level organizational objectives that will support decision making by senior executives and oversight by boards of directors. The initiative will involve and rely upon extensive collaboration with the research, business, and government sectors, including those already offering measurement tools and services. 

Learn more about this initiative at Measurements for Information Security.