Continuous Monitoring Guidance Issued

NIST Also Revises SCAP Special Report
Continuous Monitoring Guidance Issued
NIST made public Monday its guidance on how best to employ continuous monitoring to assure the security of information and information systems.

Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations defines an information security continuous monitoring strategy and establishing an information security continuous monitoring program.

The National Institute of Standards and Technology said the purpose of the guideline is to assist organizations in the development of a continuous monitoring strategy and implement a program that provides awareness of threats and vulnerabilities, visibility into organizational assets and information about the effectiveness of deployed security controls.

According to the publication, the strategy:

  • Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization.

  • Includes metrics that provide meaningful indications of security status at all organizational tiers.

  • Ensures continued effectiveness of all security controls.

  • Verifies '>'>compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies and standards/guidelines.

  • Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets.

  • Ensures knowledge and control of changes to organizational systems and environments of operation.

  • Maintains awareness of threats and vulnerabilities.

NIST also Monday unveiled the final release of SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.2.

SCAP consists of a suite of specifications for standardizing the format and nomenclature in which software flaw and security configuration information is communicated, to machines and humans. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content and the SCAP requirements not defined in the individual component specifications.

Major changes in version 1.2 include the addition Asset Reporting Format;, Asset Identification, Common Configuration Scoring System; and Trust Model for Security Automation Data, which provides support for digitally signing SCAP source and result content.


About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.