For the first time, organizations seeking an objective way to quantify cybersecurity performance can use updated federal guidelines aimed at measuring the impact of cybersecurity interventions and business objectives.
The updated draft guidelines (PDF) released this week by the National Institute of Standards and Technology (NIST) include specific updates on cybersecurity metrics, considerations for supply chain risk management, and common terminology for communicating with outside partners and vendors.
The NIST Cybersecurity Framework, originally released in 2014, has provided a baseline for cyber defense. The agency plans to accept any additional comments on the updated guidance through April 10.
The draft updates incorporate comments NIST solicited over the past year. During that time, both the College of Healthcare Information Management Executives (CHIME) and the Healthcare Information and Management Systems Society (HIMSS) submitted critiques calling for NIST to develop metrics to measure progress within the framework and a standardized approach to communicating with outside organizations.
The guideline laid out four metrics for cybersecurity measurement covering risk management behaviors along with activities and achievements tied to specific outcomes.
“In the update we introduce the notion of cybersecurity measurement to get the conversation started,” said Matt Barrett, NIST’s program manager for the Cybersecurity Framework, in an announcement. “Measurements will be critical to ensure that cybersecurity receives proper consideration in a larger enterprise risk management discussion.”
NIST also expanded its guidelines for cyber supply chain risk management, including recommendations for communicating cybersecurity requirements to vendors and partners, writing those requirements into contracts, and verifying that they are met.