These are standard publications and guidelines that provide perspectives and frameworks to inform, measure, and manage cybersecurity vulnerabilities and exposures.
SP 800-55 Rev. 1 Performance Measurement Guide for Information Security
This document provides guidance on how an organization, using metrics, identifies the adequacy of in-place security controls, policies, and procedures. NIST is planning to update this Special Publication.
SP 800-30 Rev. 1 Guide for Conducting Risk Assessment
This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems throughout their system development life cycle.
SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
This document provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.
This document provides a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things devices.
This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations.
This publication describes an approach for the development of Information Security Continuous Monitoring (ISCM) program assessments that can be used to evaluate ISCM programs within federal, state, and local governmental organizations, and commercial enterprises.
NIST seeks the input of SP 800-161 stakeholders to ensure Revision 1 will continue to deliver a single set of cyber supply chain risk management practices to help federal departments and agencies manage the risks associated with the acquisition and use of IT/OT products and services in a way that is functional and usable.
This voluntary Framework consists of standards, guidelines and best practices to manage cybersecurity risk. The Cybersecurity Framework version 1.1, section 4.0 provides details related to measurement/self-assessment.
Cryptographic Standards and Guidelines
Users of the former "Crypto Toolkit" can now find that content under this project. It includes the cryptographic primitives, algorithms and schemes that are described in some of NIST's Federal Information Processing Standards (FIPS), Special Publications (SPs) and NIST Internal/Interagency Reports (NISTIRs).
NISTIR 8011 Automation Support for Security Control Assessments
These volumes provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.
NISTIR 8286 (Draft) Integrating Cybersecurity and Enterprise Risk Management (ERM)
This document is intended to help individual organizations within an enterprise improve their cybersecurity risk information, which they provide as inputs to their enterprise's ERM processes through communications and risk information sharing. NISTIR 8286 connects cybersecurity and ERM through the use of a risk register.
NISTIR 8289 Quantities and Units for Software Product Measurements
This report collects and organizes the most important quantities used in software metrics, focusing on software as a product rather than its development process.