NIST Performance Measurement Guide for Information Security
- Free/open
These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an organization's success in achieving its mission.
The performance measures development process described in this guide will assist information security practitioners in establishing a relationship between information system and program security activities and the organizational mission. The ability to communicate and demonstrate this relationship supports proof of value for information security initiatives within the organization.





