NIST Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities

The Federal Cybersecurity Research and Development Strategic Plan seeks to fundamentally alter the dynamics of security, reversing adversaries' asymmetrical advantages. Achieving this reversal is the mid-term goal of the plan, which calls for "sustainably secure systems development and operation." Part of the mid-term (3-7 years) goal is "the design and implementation of software, firmware, and hardware that are highly resistant to malicious cyber activities ..." and reduce the number of vulnerabilities in software by orders of magnitude. Measures of software play an important role.

Industry requires evidence to tell how vulnerable a piece of software is, which techniques are most effective in developing software with far fewer vulnerabilities, where countermeasures are best deployed, and how to decide any of a number of other actions. This evidence comes from measuring, in the broadest sense, or assessing properties of software. With useful metrics, it is straightforward to determine which software development technologies or methodologies lead to sustainably secure systems.

The goal of this workshop is to gather ideas on how the Federal Government can best use taxpayer money to identify, improve, package, deliver, or boost the use of software measures and metrics to significantly reduce vulnerabilities. We call for position statements one to three paragraphs long. Position statements may be on any subject, such as the following:

  • existing measures of software that can make a difference in three to seven years,
  • means of validating software measures or confirming their efficacy (meta-measurements),
  • quantities (properties) in software that can be measured,
  • standards (in both étalon and norme senses) needed for software measurement,
  • cost vs. benefit of software measurements,
  • surmountable barriers to adoption of measures and metrics,
  • areas or conditions of applicability (or non-applicability) of measures,
  • software measurement procedures (esp. automated ones), or
  • sources of variability or uncertainty in software metrics or measures.

The output of this workshop and other efforts is a plan for how best the Federal Government can employ taxpayer money to significantly curtail software vulnerabilities in the mid-term.


Position statements must be one to three paragraphs long. A "position" may include articulations of a problem, an issue to discuss, as well as a solution or opinion. The program committee will review the position statements and invite some authors to make a presentation. Position statements will be published if agreed to by both the author and the program committee. Send statements to Elizabeth Fong (efong[at]nist[dot]gov) by 22 May 2016.

We will send invitations to submitters by 8 June 2016.

Important Dates

  • 22 May: deadline to submit statements
  • 8 June: invitations to present sent
  • 27 June: deadline to register (no on-site registration)
  • 12 July: Workshop

If you are not registered, you will not be allowed on site. Registered attendees will receive security and campus instructions prior to the workshop.

NON U.S. CITIZENS PLEASE NOTE: All foreign national visitors who do not have permanent resident status and who wish to register for the above meeting must supply additional information. Failure to provide this information prior to arrival will result, at a minimum, in significant delays (up to 24 hours) in entering the facility. Authority to gather this information is derived from United States Department of Commerce Department Administrative Order (DAO) number 207-12. When registration is open, the required NIST-1260 form will be available as well. *New Visitor Access Requirement: Effective July 21, 2014, under the REAL ID Act of 2005, agencies, including NIST, can only accept a state-issued driver's license or identification card for access to federal facilities if issued by states that are REAL ID compliant or have an extension.

Created May 13, 2016