INFORMATION SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

SEPTEMBER 2011

U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary

National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for Standards and Technology and
Director

Information Security Continuous
Monitoring (ISCM) for Federal Information
Systems and Organizations

Kelley Dempsey
Nirali Shah Chawla
Arnold Johnson
Ronald Johnston
Alicia Clay Jones
Angela Orebaugh
Matthew Scholl
Kevin Stine

NIST Special Publication 800-137

Special Publication 800-137 Information Security Continuous Monitoring for
Federal Information Systems and Organizations


Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.


Authority

This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III.

Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

NIST Special Publication 800-137, 80 pages

(September 2011)

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory

100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic mail: [email protected]

Certain commercial entities, equipment, or materials may be identified in this document in order to
describe an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST
in accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines,
and procedures, where they exist, remain operative. For planning and transition purposes, federal
agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and
provide feedback to NIST. All NIST publications, other than the ones noted above, are available at
http://csrc.nist.gov/publications.


Acknowledgements

The authors, Kelley Dempsey, Arnold Johnson, Matthew Scholl and Kevin Stine of the National
Institute of Standards and Technology (NIST), Ronald Johnston of the Department of Defense
Chief Information Officer, Defense-wide Information Assurance Program (DOD-CIO, DIAP),
Alicia Clay Jones and Angela Orebaugh of Booz Allen Hamilton, and Nirali Shah Chawla of
PricewaterhouseCoopers LLP (PwC), wish to thank their colleagues who reviewed drafts of this
document and contributed to its technical content. The authors would like to acknowledge their
colleagues for their keen and insightful assistance with technical issues throughout the
development of the document. And finally, the authors gratefully acknowledge and appreciate
the significant contributions from individuals and organizations in the public and private sectors
whose thoughtful and constructive comments improved the overall quality and usefulness of this
publication.


Table of Contents

CHAPTER ONE INTRODUCTION …………………………………………………………………………… 1

1.1 BACKGROUND ………………………………………………………………………………………… 2
1.2 RELATIONSHIP TO OTHER PUBLICATIONS ………………………………………………………… 2
1.3 PURPOSE ………………………………………………………………………………………………. 3
1.4 TARGET AUDIENCE …………………………………………………………………………………… 3
1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION …………………………………………………. 4

CHAPTER TWO THE FUNDAMENTALS …………………………………………………………………… 5
2.1 ORGANIZATION-WIDE VIEW OF ISCM………………………………………………………………. 6
2.2 ONGOING SYSTEM AUTHORIZATIONS …………………………………………………………… 10
2.3 ROLE OF AUTOMATION IN ISCM…………………………………………………………………… 12
2.4 ISCM ROLES AND RESPONSIBILITIES ……………………………………………………………. 13

CHAPTER THREE THE PROCESS ……………………………………………………………………….. 16
3.1 DEFINE ISCM STRATEGY …………………………………………………………………………… 17
3.2 ESTABLISH AN ISCM PROGRAM…………………………………………………………………… 24
3.3 IMPLEMENT AN ISCM PROGRAM ………………………………………………………………….. 30
3.4 ANALYZE DATA AND REPORT FINDINGS ………………………………………………………… 31
3.5 RESPOND TO FINDINGS ……………………………………………………………………………. 33
3.6 REVIEW AND UPDATE THE MONITORING PROGRAM AND STRATEGY ………………………. 34

APPENDIX A REFERENCES ………………………………………………………………………………. A-1

APPENDIX B GLOSSARY …………………………………………………………………………………. B-1

APPENDIX C ACRONYMS ………………………………………………………………………………… C-1

APPENDIX D TECHNOLOGIES FOR ENABLING ISCM ………………………………………………… D-1


EXECUTIVE SUMMARY

In today’s environment where many, if not all, of an organization’s mission-critical functions
are dependent upon information technology, the ability to manage this technology and to
assure confidentiality, integrity, and availability of information is now also mission-critical. In
designing the enterprise architecture and corresponding security architecture, an organization
seeks to securely meet the IT infrastructure needs of its governance structure, missions, and core
business processes. Information security is a dynamic process that must be effectively and
proactively managed for an organization to identify and respond to new vulnerabilities, evolving
threats, and an organization’s constantly changing enterprise architecture and operational
environment.

The Risk Management Framework (RMF) developed by NIST,1 describes a disciplined and
structured process that integrates information security and risk management activities into the
system development life cycle. Ongoing monitoring is a critical part of that risk management
process. In addition, an organization’s overall security architecture and accompanying security
program are monitored to ensure that organization-wide operations remain within an acceptable
level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital,
particularly when resources are limited and agencies must prioritize their efforts.

Information security continuous monitoring (ISCM) is defined as maintaining
ongoing awareness of information security, vulnerabilities, and threats to support
organizational risk management decisions.

Any effort or process intended to support ongoing monitoring of information security across an
organization begins with leadership defining a comprehensive ISCM strategy encompassing
technology, processes, procedures, operating environments, and people. This strategy:

• Is grounded in a clear understanding of organizational risk tolerance and helps officials set
priorities and manage risk consistently throughout the organization;

• Includes metrics that provide meaningful indications of security status at all organizational
tiers;

• Ensures continued effectiveness of all security controls;

• Verifies compliance with information security requirements derived from organizational
missions/business functions, federal legislation, directives, regulations, policies, and
standards/guidelines;

• Is informed by all organizational IT assets and helps to maintain visibility into the security of
the assets;

• Ensures knowledge and control of changes to organizational systems and environments of
operation; and

• Maintains awareness of threats and vulnerabilities.

1 See NIST Special Publication (SP) 800-37, as amended, Guide for Applying the Risk Management Framework to
Federal Information Systems: A Security Life Cycle Approach.


An ISCM program is established to collect information in accordance with preestablished
metrics, utilizing information readily available in part through implemented security controls.
Organizational officials collect and analyze the data regularly and as often as needed to manage
risk as appropriate for each organizational tier. This process involves the entire organization,
from senior leaders providing governance and strategic vision to individuals developing,
implementing, and operating individual systems in support of the organization’s core missions
and business processes. Subsequently, determinations are made from an organizational
perspective on whether to conduct mitigation activities or to reject, transfer, or accept risk.

Organizations’ security architectures, operational security capabilities, and monitoring processes
will improve and mature over time to better respond to the dynamic threat and vulnerability
landscape. An organization’s ISCM strategy and program are routinely reviewed for relevance
and are revised as needed to increase visibility into assets and awareness of vulnerabilities. This
further enables data-driven control of the security of an organization’s information infrastructure
and increases organizational resilience.

Organization-wide monitoring cannot be efficiently achieved through manual processes alone or
through automated processes alone. Where manual processes are used, the processes are
repeatable and verifiable to enable consistent implementation. Automated processes, including
the use of automated support tools (e.g., vulnerability scanning tools, network scanning devices),
can make the process of continuous monitoring more cost-effective, consistent, and efficient.
Many of the technical security controls defined in NIST Special Publication (SP) 800‐53,
Recommended Security Controls for Federal Information Systems and Organizations, as
amended, are good candidates for monitoring using automated tools and techniques. Real‐time
monitoring of implemented technical controls using automated tools can provide an organization
with a much more dynamic view of the effectiveness of those controls and the security posture of
the organization. It is important to recognize that with any comprehensive information security
program, all implemented security controls, including management and operational controls, must
be regularly assessed for effectiveness, even if the monitoring of such controls cannot be
automated or is not easily automated.

Organizations take the following steps to establish, implement, and maintain ISCM:

• Define an ISCM strategy;

• Establish an ISCM program;

• Implement an ISCM program;

• Analyze data and Report findings;

• Respond to findings; and

• Review and Update the ISCM strategy and program.

A robust ISCM program thus enables organizations to move from compliance-driven risk
management to data-driven risk management providing organizations with information necessary
to support risk response decisions, security status information, and ongoing insight into security
control effectiveness.
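As an added example that is not part of NIST SP 800-137, the following Python sketch models the data side of the steps above: each control carries a risk-based assessment interval clamped to the annual floor that FISMA sets (see Section 1.1), its effectiveness is recorded along the two dimensions the introduction names (correct implementation, adequacy for current risk), status is rolled up across the three tiers, and stale or ineffective controls become findings for the response step. The interval table, the control record layout, and all sample inventory data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed organizational choice of maximum days between assessments, by the
# impact level of the system a control belongs to. Illustrative values only;
# SP 800-137 leaves the frequency to organizational risk tolerance. The 'low'
# entry is deliberately a two-year cycle to show the clamp below.
INTERVAL_DAYS = {"low": 730, "moderate": 90, "high": 30}

# FISMA requires assessment at a risk-appropriate frequency but "no less than
# annually", so no interval may exceed this floor.
ANNUAL_FLOOR_DAYS = 365


@dataclass
class Control:
    control_id: str                        # control identifier (SP 800-53 style)
    system: str                            # Tier 3: information system
    mission: str                           # Tier 2: mission/business process
    impact: str                            # impact level driving assessment frequency
    automated: bool                        # can an automated tool collect the evidence?
    last_assessed: Optional[date]          # None if never assessed
    implemented_correctly: Optional[bool]  # effectiveness dimension 1: correct implementation
    meets_need: Optional[bool]             # effectiveness dimension 2: adequate for current risk


def assessment_interval(impact: str) -> timedelta:
    """Risk-based interval, clamped so it never exceeds the annual FISMA floor."""
    return timedelta(days=min(INTERVAL_DAYS[impact], ANNUAL_FLOOR_DAYS))


def control_status(c: Control, today: date) -> str:
    """'stale' when the last assessment is missing or older than the interval;
    otherwise 'effective' or 'ineffective' from the two effectiveness dimensions."""
    if c.last_assessed is None or today - c.last_assessed > assessment_interval(c.impact):
        return "stale"
    return "effective" if (c.implemented_correctly and c.meets_need) else "ineffective"


def rollup(controls: List[Control], today: date) -> Dict[str, Dict[str, float]]:
    """Security-status metric per tier: the fraction of controls currently 'effective'.
    Tier 3 is keyed by system, Tier 2 by mission/business process, Tier 1 is the organization."""
    buckets: Dict[str, Dict[str, List[str]]] = {"tier3": {}, "tier2": {}, "tier1": {}}
    for c in controls:
        s = control_status(c, today)
        buckets["tier3"].setdefault(c.system, []).append(s)
        buckets["tier2"].setdefault(c.mission, []).append(s)
        buckets["tier1"].setdefault("organization", []).append(s)
    return {tier: {key: states.count("effective") / len(states) for key, states in groups.items()}
            for tier, groups in buckets.items()}


def findings(controls: List[Control], today: date) -> List[str]:
    """Actionable items for the 'respond to findings' step: a stale control needs
    a (re)assessment, an ineffective one needs a risk response decision."""
    out = []
    for c in controls:
        s = control_status(c, today)
        if s == "stale":
            how = "automated tool" if c.automated else "manual procedure"
            out.append(f"{c.system}/{c.control_id}: assessment overdue, collect via {how}")
        elif s == "ineffective":
            out.append(f"{c.system}/{c.control_id}: ineffective, needs mitigate/accept/transfer/reject decision")
    return out


# Constructed sample inventory; systems, dates and results are made up for illustration.
TODAY = date(2011, 9, 30)
SAMPLE = [
    Control("AC-2", "payroll-db", "finance", "high", True, date(2011, 9, 15), True, True),
    Control("AU-6", "payroll-db", "finance", "high", True, date(2011, 8, 1), True, True),   # 60 days old
    Control("CP-4", "payroll-db", "finance", "high", False, date(2011, 9, 20), True, False),
    Control("RA-5", "web-portal", "outreach", "low", True, date(2010, 9, 1), True, True),   # 394 days old
    Control("AT-2", "web-portal", "outreach", "low", False, date(2011, 3, 1), True, True),
    Control("SI-2", "web-portal", "outreach", "low", False, None, None, None),             # never assessed
    Control("SC-7", "web-portal", "outreach", "low", True, date(2011, 9, 1), True, True),
]

if __name__ == "__main__":
    for tier, groups in rollup(SAMPLE, TODAY).items():
        print(tier, {k: f"{v:.0%}" for k, v in groups.items()})
    for line in findings(SAMPLE, TODAY):
        print(line)
```

Running the block prints one status line per tier followed by the four findings; the "stale" category is where the "discrete intervals" caveat of footnote 2 shows up, since a control is only as current as its last collection.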


CHAPTER ONE

INTRODUCTION
Information security continuous monitoring (ISCM) is defined as maintaining ongoing
awareness of information security, vulnerabilities, and threats to support organizational risk
management decisions.2 This publication specifically addresses assessment and analysis of
security control effectiveness and of organizational security status in accordance with
organizational risk tolerance. Security control effectiveness is measured by correctness of
implementation and by how adequately the implemented controls meet organizational needs in
accordance with current risk tolerance (i.e., is the control implemented in accordance with the
security plan to address threats and is the security plan adequate).3 Organizational security status
is determined using metrics established by the organization to best convey the security posture of
an organization’s information and information systems, along with organizational resilience given
known threat information. This necessitates:

• Maintaining situational awareness of all systems across the organization;

• Maintaining an understanding of threats and threat activities;

• Assessing all security controls;

• Collecting, correlating, and analyzing security-related information;

• Providing actionable communication of security status across all tiers of the organization;
and

• Active management of risk by organizational officials.

Communication with all stakeholders is key in developing the strategy and implementing the
program. This document builds on the monitoring concepts introduced in NIST SP 800-37 Rev.
1, Guide for Applying the Risk Management Framework to Federal Information Systems: A
Security Life Cycle Approach. An ISCM program helps to ensure that deployed security controls
continue to be effective and that operations remain within stated organizational risk tolerances in
light of the inevitable changes that occur over time. In cases where security controls are
determined to be inadequate, ISCM programs facilitate prioritized security response actions based
on risk.

An ISCM strategy is meaningful only within the context of broader organizational needs,
objectives, or strategies, and as part of a broader risk management strategy, enabling timely
management, assessment, and response to emerging security issues. Information collected
through the ISCM program supports ongoing authorization decisions.4

2 The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are
assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect
organization information. Data collection, no matter how frequent, is performed at discrete intervals.

3 NIST SP 800-53A, as amended, defines security control effectiveness as “the extent to which the controls are
implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the
security requirements for the system.”

ISCM, a critical step in an organization’s Risk Management Framework (RMF), gives
organizational officials access to security-related information on demand, enabling timely risk
management decisions, including authorization decisions. Frequent updates to security plans,
security assessment reports, plans of action and milestones, hardware and software inventories,
and other system information are also supported. ISCM is most effective when automated
mechanisms are employed where possible for data collection and reporting. Effectiveness is
further enhanced when the output is formatted to provide information that is specific, measurable,
actionable, relevant, and timely. While this document encourages the use of automation, it is
recognized that many aspects of ISCM programs are not easily automated.

1.1 BACKGROUND
The concept of monitoring information system security has long been recognized as sound
management practice. In 1997, Office of Management and Budget (OMB) Circular A-130,
Appendix III5 required agencies to review their information systems’ security controls and to
ensure that system changes do not have a significant impact on security, that security plans
remain effective, and that security controls continue to perform as intended.

The Federal Information Security Management Act (FISMA) of 2002 further emphasized the
importance of continuously monitoring information system security by requiring agencies to
conduct assessments of security controls at a frequency appropriate to risk, but no less than
annually.

Most recently, OMB issued memorandum M-11-33, FY 2011 Reporting Instructions for the
Federal Information Security Management Act and Agency Privacy Management.6 The
memorandum provides instructions for annual FISMA reporting and emphasizes monitoring the
security state of information systems on an ongoing basis with a frequency sufficient to make
ongoing, risk-based decisions.

Tools supporting automated monitoring of some aspects of information systems have become an
effective means for both data capture and data analysis. Ease of use, accessibility, and broad
applicability across products and across vendors help to ensure that monitoring tools can be
readily deployed in support of near real-time, risk-based decision making.

1.2 RELATIONSHIP TO OTHER SPECIAL PUBLICATIONS
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information
System View, describes three key organization-wide ISCM activities: monitoring for
effectiveness, monitoring for changes to systems and environments of operation, and monitoring
for compliance. NIST SP 800-37 describes monitoring security controls at the system level (RMF
Step 6) and also includes an organization-wide perspective, integration with the system
development life cycle (SDLC), and support for ongoing authorizations. The concepts presented
in NIST SP 800-39 and NIST SP 800-37 are expanded upon in order to provide guidelines
sufficient for developing an ISCM strategy and implementing an ISCM program.

4 See OMB Memoranda M-11-33, Question #28, for information on ongoing authorization
(http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf).
5 OMB Circular A-130 is available at http://www.whitehouse.gov/omb/circulars_a130_a130trans4.
6 OMB memorandum M-11-33 is available at
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf.

The tiered approach herein mirrors that described in NIST SP 800-37 and NIST SP 800-39 where
Tier 1 is organization, Tier 2 is mission/business processes, and Tier 3 is information systems. In
NIST SP 800-39, these tiers are used to address risk management from varying organizational
perspectives. In this document, the tiers are used to address perspectives for ISCM for each tier.
Organization-wide, tier-specific ISCM policies, procedures, and responsibilities are included for
the organization, mission/business processes, and information systems tiers. Automation is
leveraged where possible, and manual (e.g., procedural) monitoring methodologies are
implemented where automation is not practical or possible.

The ISCM program will evolve over time as the program matures in general, additional tools and
resources become available, measurement and automation capabilities mature, and changes are
implemented to ensure continuous improvement in the organizational security posture and in the
organization’s security program. The monitoring strategy is regularly reviewed for relevance and
accuracy in reflecting organizational risk tolerances, correctness of measurements, applicability
of metrics, and effectiveness in supporting risk management decisions.

1.3 PURPOSE
The purpose of this guideline is to assist organizations in the development of an ISCM strategy
and the implementation of an ISCM program that provides awareness of threats and
vulnerabilities, visibility into organizational assets, and the effectiveness of deployed security
controls. The ISCM strategy and program support ongoing assurance that planned and
implemented security controls are aligned with organizational risk tolerance, as well as the ability
to provide the information needed to respond to risk in a timely manner.

1.4 TARGET AUDIENCE
This publication serves individuals associated with the design, development, implementation,
operation, maintenance, and disposal of federal information systems, including:

• Individuals with mission/business ownership responsibilities or fiduciary responsibilities
(e.g., heads of federal agencies, chief executive officers, chief financial officers);

• Individuals with information system development and integration responsibilities (e.g.,
program managers, information technology product developers, information system
developers, information systems integrators, enterprise architects, information security
architects);

• Individuals with information system and/or security management/oversight responsibilities
(e.g., senior leaders, risk executives, authorizing officials, chief information officers, senior
information security officers7);

7 At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may
also refer to this position as the Chief Information Security Officer.


• Individuals with information system and security control assessment and monitoring
responsibilities (e.g., system evaluators, assessors/assessment teams, independent verification
and validation assessors, auditors, or information system owners); and

• Individuals with information security implementation and operational responsibilities (e.g.,
information system owners, common control providers, information owners/stewards,
mission/business owners, information security architects, information system security
engineers/officers).

1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION
The remainder of this special publication is organized as follows:

• Chapter 2 describes the fundamentals of ongoing monitoring of information security in
support of risk management;

• Chapter 3 describes the process of ISCM, including implementation guidelines; and

• Supporting appendices provide additional information regarding ISCM including: (A) general
references; (B) definitions and terms; (C) acronyms; and (D) descriptions of technologies for
enabling ISCM.


CHAPTER TWO

THE FUNDAMENTALS
ONGOING MONITORING IN SUPPORT OF RISK MANAGEMENT

This chapter describes the fundamental concepts associated with organization-wide
continuous monitoring of information security and the application of ISCM in support of
organizational risk management decisions (e.g., risk response decisions, ongoing system
authorization decisions, Plans of Action and Milestones (POA&M) resource and prioritization
decisions, etc.). In order to effectively address ever-increasing security challenges, a
well-designed ISCM strategy addresses monitoring and assessment of security controls for
effectiveness, and security status monitoring.8 It also incorporates processes to assure that
response actions are taken in accordance with findings and organizational risk tolerances and to
assure that said responses have the intended effects.

The process of implementing ISCM as described in Chapter Three is:

• Define the ISCM strategy;

• Establish an ISCM program;

• Implement the ISCM program;

• Analyze and Report findings;

• Respond to findings; and

• Review and Update ISCM strategy and program.

ISCM strategies evolve in accordance with drivers for risk-based decision making and
requirements for information. These requirements may come from any tier in the organization.
Organizations implement ISCM based on requirements of those accountable and responsible for
maintaining ongoing control of organizational security posture to within organizational risk
tolerances. The implementation is standardized across the organization to the greatest extent
possible so as to minimize use of resources (e.g., funding for purchase of tools/applications, data
calls, organization-wide policies/procedures/templates, etc.) and to maximize leveragability of
security-related information. Upon analysis, the resulting information informs the discrete
processes used to manage the organization’s security posture and overall risk. ISCM helps to
provide situational awareness of the security status of the organization’s systems based on
information collected from resources (e.g., people, processes, technology, environment) and the
capabilities in place to react as the situation changes.
