Federal agencies, under the Federal Information Security Modernization Act of 2014 (FISMA) and Office of Management and Budget (OMB) circulars and memoranda, are directed to implement a program to continuously monitor organizational information security status. A comprehensive continuous monitoring program serves as a risk management and decision support tool used at each level of an organization, the National Institute of Standards and Technology said in a release.
All federal agencies must comply with the provisions of FISMA 2014. FISMA 2014 was passed in response to the increasing number of cyberattacks on federal government networks and systems; it amended existing laws to enable the federal government to better respond to cyber threats.
FISMA 2014 directs agencies to submit an annual report regarding major incidents to OMB, the Department of Homeland Security, Congress, and the Comptroller General (GAO). It requires such reports to include: (1) threats and threat actors, vulnerabilities, and impacts; (2) risk assessments of affected systems before, and the status of compliance of the systems at the time of, major incidents; (3) detection, response, and remediation actions; (4) the total number of incidents; and (5) a description of the number of individuals affected by, and the information exposed by, major incidents involving a breach of personally identifiable information.
FISMA 2014 provides for the use of automated tools in agencies' information security programs, including for periodic risk assessments, testing security procedures, and detecting, reporting, and responding to security incidents. It calls on DHS to oversee Executive Branch civilian agencies' compliance.
NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, provides guidance for ISCM program development.
“Strategies and business objectives at the organizational level direct activities needed at the mission and business level, and direct system level functions and implemented technologies in support of continuous monitoring,” NIST explained.
Draft NIST Special Publication (SP) 800-137A describes an approach for developing Information Security Continuous Monitoring program assessments that can be used to evaluate ISCM programs developed in accordance with NIST SP 800-137. An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization's ISCM program, including review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data.
ISCM program assessments can be used to evaluate ISCM programs within federal, state, and local governmental organizations, and commercial enterprises, NIST advised.
The ISCM assessment approach can be used as presented or as the starting point for an organization-specific methodology. It includes example evaluation criteria and assessment procedures that can be applied to organizations.
NIST is seeking comments on both the draft publication and element catalog. Reviewers are encouraged to use the comment template for submitting comments by the Feb. 28, 2020 deadline.
Please email comments to: firstname.lastname@example.org.