NIST Offers Continuous Monitoring Guidance
Public Feedback Sought for SP 800-137
The 79-page first draft of NIST Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations is the latest government effort to move federal agencies from paper-based compliance with the Federal Information Security Management Act to one emphasizing continuous monitoring.
Still, as NIST points out in the draft report, continuous monitoring doesn't necessarily mean rejecting more traditional ways of securing IT.
"Organization-wide monitoring cannot be efficiently achieved through manual processes alone or through automated processes alone; however, automation, including the use of automated support tools, can make the process of continuous monitoring more cost-effective, consistent and efficient," the draft publication states.
In April, Federal Chief Information Officer Vivek Kundra issued a memorandum requiring federal agencies to move toward continuous monitoring of their IT systems as part of the FISMA compliance process. "This process is designed to shift our efforts away from a culture of paperwork reports," Kundra said in the memo. "The focus must be on implementing solutions that actually improve security."
Legislation before Congress, the National Defense Authorization Act of 2011, would require defense agencies to implement continuous monitoring. Several other bills introduced in the 111th Congress would require civilian agencies to continually monitor their IT systems, too, but none of those measures are likely to pass before both houses adjourn at year's end.
Continuous monitoring is a critical part of NIST's risk management framework, providing those watching IT systems with timely, vital information, especially when resources are limited.
NIST says many of the technical security controls defined in SP 800-53: Recommended Security Controls for Federal Information Systems serve as ideal candidates for monitoring using automated tools and techniques, providing organizations with a much more dynamic view of the security state of those controls. NIST requests comments on the initial public draft of SP 800-137 by March 15 to email@example.com.