NIST 800-137 Continuous Monitoring Guidance Released

For those of you who are experiencing challenges with visibility into your networked environments, and are just now embarking on a monitoring strategy, NIST has made public its newest guidance on how best to employ continuous monitoring to assure the security of information and systems.  Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, defines an information security monitoring strategy and establishes a continuous monitoring program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and information about the effectiveness of deployed security controls.

Information security is a dynamic process, and must be effectively and proactively managed to identify and respond to new vulnerabilities, evolving threats, and an organization’s constantly changing operational environment.

From the guide: Information Security Continuous Monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.  Any effort or process intended to support ongoing monitoring of information security across an organization begins with leadership defining a comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people.

The strategy:

  • Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization;
  • Includes metrics that provide meaningful indications of security status at all organizational tiers;
  • Ensures continued effectiveness of all security controls;
  • Verifies compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines;
  • Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets;
  • Ensures knowledge and control of changes to organizational systems and environments of operation;
  • Maintains awareness of threats and vulnerabilities.

An ISCM program will collect information in accordance with predefined metrics using information available in part through security controls.  Staff collect and analyze the data as often as needed to manage risk appropriately for the organization.  This process should involve the entire organization, from senior leaders providing governance and strategic vision, to individuals developing, implementing, and operating information systems in support of the organization’s core missions and business processes.

Organizations that adopt a strategic and tactical methodology like ISCM will improve their security architectures, operational security capabilities, and monitoring processes over time to better respond to the dynamic threat and vulnerability landscape.  An ISCM strategy and program are revised as needed to increase visibility into assets and awareness of vulnerabilities, further enabling data-driven control of the security of an organization’s information infrastructure, and increasing resilience.

Manual processes, or even automated processes alone, cannot efficiently achieve consistent enterprise-wide monitoring.  Where manual processes are used, they must be repeatable and verifiable to enable consistent implementation.  Automated processes, including the use of vulnerability scanning tools, network scanning devices, etc., can make the process of continuous monitoring more cost-effective, consistent, and efficient.

Real-time monitoring of implemented technical controls using automated tools can provide an organization with a much more dynamic view of the effectiveness of its controls and its current security posture.

The tools and technologies that support continuous monitoring fall into 11 domains:

  1. Vulnerability Management;
  2. Patch Management;
  3. Event Management;
  4. Incident Management;
  5. Malware Detection;
  6. Asset Management;
  7. Configuration Management;
  8. Network Management;
  9. License Management;
  10. Information Management;
  11. Software Assurance.

Organizations can take the following steps to establish, implement, and maintain ISCM:

  • Define an ISCM strategy;
  • Establish an ISCM program;
  • Implement an ISCM program;
  • Analyze data and report findings;
  • Respond to findings;
  • Review and update the ISCM strategy and program.

A robust ISCM program enables organizations to move from compliance-driven risk management to data-driven risk management, providing organizations with the information necessary to support risk response decisions, security status information, and ongoing insight into security control effectiveness.  The guidance in this publication is detailed, comprehensive, and complete.

-=[Shameless Plug:  I’m available to help at the time of this posting…]=-