
New NIST Guidance Offers Update on Gauging Cyber Performance

The National Institute of Standards and Technology has released an updated edition of a publication that covers running a program to measure cybersecurity performance, and choosing what to measure.

The National Institute of Standards and Technology (NIST) continues to hone the guidance it offers to government organizations around cybersecurity.

NIST on Wednesday released an update to its directives for government agencies, which it is calling NIST Special Publication (SP) 800-55. The document, which is organized in two volumes, is designed to help government organizations measure the effectiveness of their cybersecurity efforts.

The first volume, “Identifying and Selecting Measures,” focuses on how to implement a cybersecurity program so that it can be both measured and analyzed “to identify the adequacy of in-place security policies, procedures, and controls,” according to the document. It also explains how to evaluate measures and prioritize them.

The second volume, “Developing an Information Security Measurement Program,” gives guidance on how a government organization should run a cybersecurity measurement program. Its aim is a program that facilitates communication about cybersecurity among the many stakeholders involved, from upper-level C-suite leaders to technical experts.

Some of the most significant changes included in the new guidance involve expanded sections on measuring and analyzing cybersecurity results quantitatively. The new volumes are also aimed at broadening the intended audience beyond federal agencies to all entities focused on cybersecurity.