Continuous monitoring guidance under way at NIST
NIST's new guidance and FAQ will help agencies improve security
The National Institute of Standards and Technology is developing new guidance for federal agencies to deploy continuous network monitoring strategies.
Although continuous monitoring practices are hardly new (NIST released its first publication on the subject in May 2004), the need for more detailed approaches has gained new urgency under Federal Chief Information Officer Vivek Kundra and recent legislative moves to reform the Federal Information Security Management Act that would make continuous monitoring a requirement.
The new guidance, to be released as NIST SP 800-137 later this summer for public comment, will focus “more on a continuous process [around monitoring] than just continuous monitoring” itself, Kelley Dempsey, a senior NIST information security specialist, said June 7 during a Government Technology Research Alliance conference.
“Organizations need to develop strategies on situational awareness,” Dempsey said.
The new guidance document is expected to incorporate NIST’s broader approach to implementing network security configurations and controls using risk-based management principles.
It will also go into greater detail on which categories and types of security controls should be monitored, how to determine the frequency of reports, and what details those reports should include.
Dempsey acknowledged that NIST does not currently have a baseline for how frequently security controls need to be monitored or reviewed, or how often results need to be reported. She said NIST was not likely to make specific recommendations: “We’ll leave that to organizations to (make those decisions) based on their mission and risk tolerance.”
She added, however, that NIST is considering assembling an appendix listing a sampling of monitoring frequencies.
On June 1, NIST also released a document answering frequently asked questions about continuous monitoring, which is one of the six steps in the Risk Management Framework described in its recently revised publication on applying the framework to federal information systems (SP 800-37).
NIST makes clear that continuous monitoring on its own does not provide a comprehensive, enterprisewide risk management approach. Rather, it is a key component in the risk management process. NIST has been working with the Defense Department, the Intelligence Community and the Committee on National Security Systems to develop a unified information security framework for the federal government and its contractors.
The fundamental tenet of the unified information security framework is an enterprisewide risk management approach to information security that covers the entire life cycle of information systems and is implemented across three hierarchical tiers within an organization: the organization (governance) level, the mission/business process level and the information system level.
Within that framework, a continuous monitoring program lets an organization track the security state of an information system on an ongoing basis and maintain the system’s security authorization over time. Understanding the security state of information systems is essential in highly dynamic operating environments with changing threats, vulnerabilities, technologies, and missions and business processes.
Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.