NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-6 Measures of Performance

Develop, monitor, and report on the results of information security and privacy measures of performance.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy.

Practitioner Notes

You need metrics to know whether your security program is actually working. This control requires you to define, track, and report measurable security indicators to leadership on a regular basis.

Example 1: Track metrics like: percentage of systems with current authorization, average time to patch critical vulnerabilities, number of overdue POA&M items, phishing simulation click rate, and percentage of staff who completed security training. Report these monthly to leadership.

Example 2: In Microsoft 365 Defender, use the Secure Score dashboard as a baseline performance metric. Track your score over time and set quarterly improvement goals. Export the recommended actions list and use it to prioritize security improvements that measurably increase your score.
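The indicators listed in Example 1 can be computed and compared against targets derived from the organizational risk tolerance. The following is an added, constructed illustration (not from the NIST text, Microsoft, or any real environment); the sample records, metric names and target values are all assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample records (hypothetical, not from a real environment).
TODAY = date(2024, 6, 30)
SYSTEMS = [("hr-portal", True), ("erp", True), ("fileshare", False), ("vpn", True)]
CRITICAL_VULNS = [  # (date found, date patched or None if still open)
    (date(2024, 5, 1), date(2024, 5, 8)),
    (date(2024, 5, 10), date(2024, 5, 31)),
    (date(2024, 6, 20), None),
]
POAM_ITEMS = [  # (id, due date, closed?)
    ("P-1", date(2024, 5, 15), False),
    ("P-2", date(2024, 7, 15), False),
    ("P-3", date(2024, 4, 1), True),
]
PHISHING = {"sent": 200, "clicked": 14}
TRAINING = {"staff": 50, "completed": 47}

# Assumed targets standing in for the risk tolerance: ("max", n) = must not exceed n, ("min", n) = must reach n.
TARGETS = {
    "authorized_pct": ("min", 90.0),
    "mean_days_to_patch_critical": ("max", 30.0),
    "overdue_poam": ("max", 0),
    "phish_click_pct": ("max", 5.0),
    "training_pct": ("min", 90.0),
}

def pct(num, den):
    return round(100.0 * num / den, 1) if den else 0.0

def measures(today=TODAY):
    """Compute the indicators named in Example 1 from the sample records."""
    days = [(p - f).days for f, p in CRITICAL_VULNS if p is not None]  # only closed findings
    return {
        "authorized_pct": pct(sum(ok for _, ok in SYSTEMS), len(SYSTEMS)),
        "mean_days_to_patch_critical": round(mean(days), 1) if days else None,
        "open_critical_unpatched": sum(1 for _, p in CRITICAL_VULNS if p is None),
        "overdue_poam": sum(1 for _, due, closed in POAM_ITEMS if not closed and due < today),
        "phish_click_pct": pct(PHISHING["clicked"], PHISHING["sent"]),
        "training_pct": pct(TRAINING["completed"], TRAINING["staff"]),
    }

def report(m, targets=TARGETS):
    """Compare each measure with its target; returns rows of (name, value, target, status)."""
    rows = []
    for name, (direction, limit) in targets.items():
        value = m.get(name)
        met = value is not None and (value <= limit if direction == "max" else value >= limit)
        rows.append((name, value, limit, "OK" if met else "MISS"))
    return rows
```

A still-open critical finding contributes to the open count rather than skewing the mean time to patch, and a POA&M item counts as overdue only when it is both unclosed and past its due date as of the reporting date.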