NIST issues draft guidance for IT security metrics
- By William Jackson
- May 05, 2006
The National Institute of Standards and Technology has released the initial public draft of its Special Publication 800-80
titled Guide for Developing Performance Metrics for Information Security.
NIST is inviting public comment on the guidance, which provides a methodology for linking information security program performance to agency performance. It is a companion guide to SP 800-55
, titled Security Metrics for Information Technology Systems, and uses security controls spelled out in a third NIST publication, SP 800-53
Recommended Security Controls for Federal Information Systems.
The publications are intended to help agencies comply with government mandates, including the Federal Information Security management Act and the President's Management Agenda. They offer templates and candidate metrics to facilitate implementation for each of the 17 control families identified in SP 800-53. The goal is for agencies to provide the appropriate level of protection for IT systems, recognizing that information security has become an essential business function for agencies.
'The guide describes the information security performance metrics development process as a means for tying information security controls implementation, efficiency and effectiveness to an agency's success in its mission-critical activities,' NIST says.
Comments on the draft should be sent by June 19 to Chief, Computer Science Division, Information Technology Laboratory, Attn: Comments on Draft SP 800-80, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, MD 20899-8930, or e-mailed to firstname.lastname@example.org
William Jackson is a Maryland-based freelance writer.