Legislation calling on the National Institute of Standards and Technology to develop outcome metrics to demonstrate the effectiveness of the NIST Cybersecurity Framework is scheduled to be considered – and likely amended – at a markup session of the House Science, Space and Technology Committee on March 1.
The measure, known as the NIST Cybersecurity Framework, Assessment and Auditing Act of 2017, would require NIST to develop outcome-based and quantifiable metrics in coordination with a public-private workgroup within six months of enactment of the legislation.
Since the framework’s publication in 2014, Internet Security Alliance CEO Larry Clinton has been a champion of getting NIST to develop metrics. “We are three years in and don’t have any objective data indicating that it has actually changed anybody’s behavior, that behavior has resulted in the improvement of security and whether the expenditures to reach those levels of security are cost-justified,” Clinton says…