Date Published: September 2020
Comments Due: December 10, 2020 (public comment period is CLOSED)
Email Questions to: cyber-measures@list.nist.gov
Planning Note (11/18/2020):
The comment period has been extended to December 10, 2020 (it was originally 11/19).
Summary
NIST is planning to update NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security. The public is invited to provide input by December 10, 2020 (extended from November 19, 2020), for consideration in the update.
Learn more about our Measurements for Information Security initiative.
Details
The list of topics below covers the major areas in which NIST is considering updates, including improvements to the guide and awareness, applications, and uses of the guide. Comments received by the deadline will be incorporated to the extent practicable. Once completed, the resulting draft of SP 800-55 Rev. 2 will be provided for public review and comment.
The comment period is open through December 10, 2020 (extended from November 19, 2020). Submit comments to Cyber-measures@list.nist.gov, with “Performance Measurement Guide for Information Security Request for Comments” in the Subject field.
Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally identifiable information and confidential business information should not be included (e.g., account numbers, Social Security numbers, names of other individuals). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.
A. Improvements to the Performance Measurement Guide for Information Security
The following topics are intended to help NIST and its partners learn about experiences in applying and using the Performance Measurement Guide for Information Security and explore opportunities for improvement.
A.1 Describe what content of the Performance Measurement Guide for Information Security is being used and how you are using it.
A.2 Describe what components of the Performance Measurement Guide for Information Security have been least useful to you and why.
A.3 Share any key concepts or topics that you believe are missing from the Performance Measurement Guide for Information Security. Please explain what they are and why they merit special attention.
A.4 Describe how the Performance Measurement Guide for Information Security can be more useful, relatable, and actionable to a variety of audiences (e.g., executives, different parts of the organization, external stakeholders).
A.5 Describe the potential benefits or challenges experienced when aligning the Performance Measurement Guide for Information Security more closely with other related standards, guidelines, or resources (e.g., NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations; NIST SP 800-30, Guide for Conducting Risk Assessments).
A.6 Describe which components of the Performance Measurement Guide for Information Security you think are best left as static content and should not change until the next revision and which components could be managed as dynamic content (i.e., require more frequent changes or updates to accommodate new information as it becomes available).
B. Awareness, Applications, and Uses of the Performance Measurement Guide for Information Security
Recognizing that an effective metrics program can provide useful data for decision-making and improve performance and accountability, NIST solicits information about awareness of the Performance Measurement Guide for Information Security, its application, and its use by organizations and individuals.
B.1 Describe how you come up with your performance measurements and how you are using performance measurements now. Describe how you would like to use them in the future.
B.2 Describe how performance measurements enable your organization to improve information security accountability and bolster your information security activities’ effectiveness.
B.3 Describe how your performance measurements provide quantifiable data for assessing individual information systems and enterprise-wide information security programs.
B.4 Describe how your organization assesses the impact that your information system and program security activities have on the ability to carry out the organization’s mission and demonstrate that your information security practices contribute to the organization's successful operations. If applicable, explain the relationship and use of performance measurement between security risk management and enterprise risk management.
B.5 Describe how measurements are used throughout the system development life cycle (SDLC) to monitor the implementation of appropriate security controls.
B.6 Describe how performance measurements help your organization implement and maintain a cybersecurity risk management program.
B.7 Describe any existing tools, resources, or publications that your organization uses to measure cybersecurity risk.
B.8 Describe how your organization facilitates communications by making the performance measurements related to information security more relatable and actionable to C-suite executives. For example, describe how risk level implications impact business processes and goals.
B.9 Describe how your organization manages common taxonomy for performance measurement related to information security to facilitate better communication between different parts of the organization and stakeholders.
B.10 Describe how your company creates a culture of awareness and transparency while incorporating and improving quantifiable performance measurements over time.
Document History:
09/24/20: SP 800-55 Rev. 2 (Draft)
Security and Privacy
audit & accountability; maintenance; planning; risk management; security measurement
Laws and Regulations
OMB Circular A-11