We are pursuing an iterative approach, initially focusing on achieving a better understanding of – and finding consensus on – the definition of the term measurements related to cybersecurity.  Working closely with collaborators from the private and public sectors as well as academia, NIST will explore foundational components to facilitate and advance the dialogue on measurements such as common taxonomy and nomenclature.  The intent is to develop a foundation for improved communications necessary to enable inclusive participation in building future approaches to and tools for measuring the effectiveness and efficiency of cybersecurity approaches more meaningfully.

NIST’s initial focus will be on developing a compilation of its research, standards & guidelines, and tools. We will aim to bring a common understanding and a foundation to communicate regarding cybersecurity measurements before developing a roadmap and pursuing specific research activities. Depending on insights provided by others, NIST plans to then address issues such as defining “good or bad” measurements, measurements as part of vulnerability assessments, or measurements used in conformity assessment (e.g, product labeling).

NIST will rely heavily on input from others in designing this program and will develop a roadmap for future activities – including what it will not address. At this point, for example, NIST does not anticipate developing ways to measure the effectiveness of government agencies’ programs for improving cybersecurity; those are considered to be programmatic versus system issues.