
NIST SP 800-55 Rev. 2 (Initial Working Draft)

Performance Measurement Guide for Information Security

Date Published: November 14, 2022
Comments Due: February 27, 2023 (public comment period is CLOSED)
Email Questions to: cyber-measures@list.nist.gov

Planning Note (02/07/2023): The comment period has been extended to February 27, 2023 (it was originally 2/13).

Author(s)

Katherine Schroeder (NIST), Hung Trinh (NIST)

Announcement

This working draft of SP 800-55 Revision 2 is an annotated outline that will enable further community discussions and feedback. Comments received by the deadline will be incorporated to the extent practicable. NIST will then post a complete public draft of SP 800-55 Rev. 2 for an additional comment period.

The comment period is open through February 27, 2023. Submit comments to cyber-measures@list.nist.gov with “Comment on NIST SP 800-55r2 initial working draft” in the subject field.

Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally identifiable information and confidential business information should not be included (e.g., account numbers, Social Security numbers, names of other individuals). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.

Note to Reviewers

We seek input on the changes being proposed to SP 800-55. New sections are noted as new additions to SP 800-55. Many are also marked by a “Note to Reviewer” with a request for feedback. These questions are meant to facilitate discussion and should not discourage input on any other topics within this annotated outline. There are three additional questions for reviewer consideration. These questions are:

  1. CIOs and CISOs: What measurement and metrics guidance would benefit your program?
  2. How to best communicate information security measurement needs up and down the organizational structure?
  3. Examples: What kinds of measures and metrics examples or templates could this publication provide that would be helpful in your work?

This working draft also has sections with only minor planned changes marked as “intentionally left out of this review cycle” to allow readers to focus on the more substantial proposed changes. The Initial Public Draft will include the full proposed text for all sections of the document. Feedback is still welcome on the sections not highlighted in this Initial Working Draft.

A virtual public forum was held on December 13, 2022, to introduce the working draft of SP 800-55 and highlight the various questions for reviewers within the document through a panel of practitioners across different sectors.

Abstract

Keywords

information security; metrics; measures; security controls; performance; reports

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-55r2.iwd

Supplemental Material:
None available

Related NIST Publications:
SP 800-55 Rev. 1

Document History:
09/24/20: SP 800-55 Rev. 2 (Draft)
11/14/22: SP 800-55 Rev. 2 (Draft)