Performance MNIST Special Publication 800-55 Revision 1 easurement Guide for Information Security Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson I N F O R M A T I O N S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 July 2008 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology James M. Turner, Deputy Director Reports on Computer Systems Technology nd Technology ship for the Nation’s ce data, proof of ductive use of strative, s for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information security, and its collaborative activities with industry, government, and academic organizations. The Information Technology Laboratory (ITL) at the National Institute of Standards a (NIST) promotes the U.S. economy and public welfare by providing technical leader measurement and standards infrastructure. ITL develops tests, test methods, referen concept implementations, and technical analyses to advance the development and pro information technology. ITL’s responsibilities in clude the development of management, admini technical, and physical standards and guideline ii Authority This document has been developed by the National Institute of Standards and Technology (NIST) in nagement Act rements, and for t such standards and security systems. This guideline is consistent with the requirements ency s. Supplemental vided in A-130, Appendix III. y nongovernmental tion would be Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superse ding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. furtherance of its statutory res ponsibilities under the Federal Information Security Ma (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requi providing adequate information security for all agenc y operations and assets, bu guidelines shall not apply to national of the Office of Management and Budget (O MB) Circular A-130, Section 8b(3), Securing Ag Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Section information is pro This guideline has been prepared for use by federal agencies. It may also be used b organizations on a voluntary basis and is not subj ect to copyright regulations. (Attribu appreciated by NIST.) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experime ntal procedure or concept adequately. Such identification is not intended to impl y recommendation or endorsement by NIST, nor is it intended to imply that the en materials, or equipment are necessarily the best available for the purpose. tities, iii Acknowledgements zabeth Lennon (NIST), ) who reviewed gratefully ciate the ma ny contributions from individua ls and organizations in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication. The authors wish to thank Joan Hash (NIST), Arnold Johnson (NIST), Eli Karen Scarfone (NIST), Kelley Dempsey (NIS T), and Karen Quigg (MITRE drafts of this document and/or contributed to its development. The authors also acknowledge and appre iv TABLE OF CONTENTS E ................... VIII ................... ......1 .........