
NIST asks: How do you measure cybersecurity?
Performance Measurement Guide for Information Security: Pre-Draft Call for Comments
By CHIPS Magazine - September 25, 2020
The National Institute of Standards and Technology is planning to update NIST Special Publication (SP) 800-55 Revision 1, Performance Measurement Guide for Information Security.

Even as cybersecurity-based risks and the costs of dealing with those risks are increasing, measuring cybersecurity remains a persistent question — one in which there is not even a standard taxonomy for terms such as “measurements” and “metrics.” Development of, and agreement on, reliable ways to measure risk and effectiveness would be a major advancement and contribution not only to the cybersecurity community but much more broadly, NIST officials reported in a release.

Every organization wants to gain maximum value and effect for its finite cybersecurity-related investments. This includes managing risk to the enterprise and optimizing the potential reward of cybersecurity policies, programs, and actions. Providing reliable answers to these questions requires a systematic approach to cybersecurity measurement. That includes taking into account the limits of current knowledge. “The goal of cybersecurity measurement efforts and tools is to enable and improve the quality and utility of information to support technical and high-level decision making. Those decisions made at the higher level can affect the entire enterprise and ideally should be made with broader and more purposeful management of risk in mind,” NIST advised.

The list of topics (see box below) covers the major areas in which NIST is considering updates, including improvements to the guide and awareness, applications, and uses of the guide. Comments received by the deadline will be incorporated to the extent practicable. Once completed, the resulting draft of SP 800-55 Rev. 2 will be provided for public review and comment.

Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally identifiable information and confidential business information should not be included. The comment period is open through Nov. 19, 2020. Submit comments to, with “Performance Measurement Guide for Information Security Request for Comments” in the Subject field.

Questions or comments regarding PRE-Draft SP 800-55 Rev. 2 can be sent to

A. Improvements to the Performance Measurement Guide for Information Security

The following topics are intended to help NIST and its partners learn about experiences in applying and using the Performance Measurement Guide for Information Security and explore opportunities for improvement.

  • A.1 Describe what content of the Performance Measurement Guide for Information Security is being used and how you are using it.
  • A.2 Describe what components of the Performance Measurement Guide for Information Security have been least useful to you and why.
  • A.3 Share any key concepts or topics that you believe are missing from the Performance Measurement Guide for Information Security. Please explain what they are and why they merit special attention.
  • A.4 Describe how the Performance Measurement Guide for Information Security can be more useful, relatable, and actionable to a variety of audiences (e.g., executives, different parts of the organization, external stakeholders).
  • A.5 Describe the potential benefits or challenges experienced when aligning the Performance Measurement Guide for Information Security more closely with other related standards, guidelines, or resources (e.g., NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations; NIST SP 800-30, Guide for Conducting Risk Assessments).
  • A.6 Describe which components of the Performance Measurement Guide for Information Security you think are best left as static content and should not change until the next revision and which components could be managed as dynamic content (i.e., require more frequent changes or updates to accommodate new information as it becomes available).

B. Awareness, Applications, and Uses of the Performance Measurement Guide for Information Security

Recognizing that an effective metrics program can provide useful data for decision-making and improve performance and accountability, NIST solicits information about awareness of the Performance Measurement Guide for Information Security, its application, and its use by organizations and individuals.

  • B.1 Describe how you come up with your performance measurements and how you are using performance measurements now. Describe how you would like to use them in the future.
  • B.2 Describe how performance measurements enable your organization to improve information security accountability and bolster your information security activities’ effectiveness.
  • B.3 Describe how your performance measurements provide quantifiable data for assessing individual information systems, and enterprise-wide information security programs.
  • B.4 Describe how your organization assesses the impact that your information system and program security activities have on the ability to carry out the organization’s mission and demonstrate that your information security practices contribute to the organization’s successful operations. If applicable, explain the relationship and use of performance measurement between security risk management and enterprise risk management.
  • B.5 Describe how measurements are used throughout the system development life cycle (SDLC) to monitor the implementation of appropriate security controls.
  • B.6 Describe how performance measurements help your organization implement and maintain a cybersecurity risk management program.
  • B.7 Describe any existing tools, resources, or publications that your organization uses to measure cybersecurity risk.
  • B.8 Describe how your organization facilitates communications by making the performance measurements related to information security more relatable and actionable to C-suite executives. For example, describe how risk level implications impact business processes and goals.
  • B.9 Describe how your organization manages common taxonomy for performance measurement related to information security to facilitate better communication between different parts of the organization and stakeholders.
  • B.10 Describe how your company creates a culture of awareness and transparency while incorporating and improving quantifiable performance measurements over time.


CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988