Measurement Guide for Information Security: NIST SP 800-55 Draft Volumes 1 and 2 Available for Comment

The initial public drafts (ipd) of NIST Special Publication (SP) 800-55, Measurement Guide for Information Security, Volume 1 — Identifying and Selecting Measures, and Volume 2 — Developing an Information Security Measurement Program, are now available for public review and comment through March 18, 2024. 

This update to SP 800-55 is comprised of two volumes. Volume 1 — Identifying and Selecting Measures is a flexible approach to the development, selection, and prioritization of information security measures. This volume explores both quantitative and qualitative assessments and provides basic guidance on data analysis techniques, as well as impact and likelihood modeling. Volume 2 — Developing an Information Security Measurement Program is a flexible methodology for developing and implementing a structure for an information security measurement program. 

To facilitate continued collaboration, the Cybersecurity Risk Analytics and Measurement Team proposes the establishment of a Community of Interest (CoI) in which practitioners and other enthusiasts can work together to identify cybersecurity measurement needs, action items, solutions to problems, and opportunities for improvement. Individuals and organizations who work or are planning to work with SP 800-55 and are interested in joining the Cybersecurity Measurement and Metrics CoI can contact the Cybersecurity Risk Analytics and Measurement Team at cyber-measures [at] list.nist.gov (cyber-measures[at]list[dot]nist[dot]gov).

Submit Your Comments

The public comment period for both drafts is open through March 18, 2024. See the publication details for volumes 1 and 2 to download the documents and comment templates. We strongly encourage you to comment on all or parts of both volumes and use the comment templates provided. 

Please direct questions and submit comments to cyber-measures [at] list.nist.gov (cyber-measures[at]list[dot]nist[dot]gov).