Appendix C

Combining NIST SP 800-55 and SP 800-26

(Reference to Chapter 7)

NIST SP 800-55, Appendix A, provides examples of how the security topics and questions in SP 800-26 can be combined into a security metrics matrix. If you are working with Federal agencies providing IA services, the FISMA reporting requirements shown in Table C.1 will be familiar. They are included here as a reference for how SP 800-55 and SP 800-26 are combined to derive a metric. An example of the security metric for FISMA Requirement 1.1 is shown in Table C.2, and for FISMA Requirement 5.2 in Table C.3.

Note that OMB FISMA reporting requires both raw numbers and percentages for some metrics and only raw numbers for others. While Table 7.4 lists all metrics as percentages, the raw number ...
