NIST releases guidelines for IT security metrics

The National Institute of Standards and Technology has released its final version of guidelines for developing metrics to help ensure agencies meet IT security requirements.

NIST Special Publication 800-55, Security Metrics Guide for IT Systems, is available online.

Requirements for securing and evaluating IT systems are included in a number of laws, including the Clinger-Cohen Act, Government Performance and Results Act, Government Paperwork Elimination Act and the Federal Information Security Management Act. The laws do not specify how the evaluation is to be done, and the NIST document provides guidance on developing and using metrics to do this job.

Metrics (measurable standards) monitor the effectiveness of goals and objectives established for IT security. They measure the implementation of security policy, the results of security services and the impact of security events on an agency's mission. The publication uses the critical elements and the security controls and techniques laid out in an earlier NIST publication, 800-26, Security Self-Assessment Guide for IT Systems.

According to the guidelines, worthwhile metrics must:

  • Yield quantifiable information, such as percentages, averages or other numbers

  • Be based on readily available data

  • Be based on repeatable processes

  • Be useful for tracking performance and directing resources.


  • About the Author

    William Jackson is a Maryland-based freelance writer.
