New NIST Guidance on Measuring Your Company’s Cybersecurity Program

Published: January 26, 2024

Tags: Federal Market Analysis, Contracting Trends, Critical Infrastructure Protection, Cybersecurity, NIST, Policy and Legislation

The federal standards body released draft guidelines for data-driven approaches to evaluating an organization’s cybersecurity efforts.

The National Institute of Standards and Technology (NIST) recently revised one of the special publications it designed to guide organizations in measuring the effectiveness of their cybersecurity programs.

Data-Driven, Risk-Based Assessments

One of NIST’s stated goals in drafting Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security is to help organizations make data-driven, risk-based decisions to achieve their information security goals, shifting away from primarily general, qualitative assessments toward quantitative measures.

The SP is designed to be used in conjunction with NIST’s Cybersecurity Framework and/or Risk Management Framework and supports the trend toward data-empowered decision making.

Targeted Audiences and Purposes

The two-volume SP 800-55 Rev. 2 is broken out by purpose and intended audience.

NIST is requesting public comments by March 18, 2024, and provides comment templates to use for the respective volumes.

Implications

The latest draft guidance from NIST continues a lengthy list of cybersecurity-related guidance and standards that are relevant to government contractors and to suppliers of products and services to federal agencies.

Many of the areas covered in SP 800-55 Rev. 2, which contractor cybersecurity officials would assess, may affect how well their company measures up against various other government cyber standards, such as the requirements for protecting government Controlled Unclassified Information (CUI). NIST has been busy updating these and other standards and guidance documents as well.

Last November, NIST released updated guidance on how federal agencies and government contractors should protect the confidentiality of CUI on their systems. The draft updates to NIST’s SP 800-171 Rev. 3 and SP 800-171A Rev. 3 provide updated security requirements and a set of assessment procedures, respectively. The public comment period for both SP 800-171 documents was extended from the original January 12 to January 26, 2024.

In March 2022, NIST issued finalized guidelines on assessing contractor cybersecurity of federal CUI. This supplement to the SP 800-171 guidance documents is aimed at individuals with system development, information security, and privacy responsibilities, and those who need to assess their organizations’ CUI protection capabilities and practices.

Those who are familiar with the SP 800-171 guidance publications recognize them as the underlying standards upon which the Department of Defense (DoD) is building its Cybersecurity Maturity Model Certification (CMMC) program and against which the Department of Homeland Security (DHS) will measure contractor cybersecurity under its recently announced Cybersecurity Readiness Factor (CRF) plan.

As more agencies expect contractors to meet NIST cybersecurity standards and use them to inform their contract award decisions, companies that fall behind in meeting these standards will risk losing business.