To secure agency systems, start at the top

NIST outlines an organizational-level approach to continuous monitoring

Effective IT security requires a top-down approach, with strategic planning at the organizational level rather than on a system-by-system basis, the National Institute of Standards and Technology says in newly released draft guidelines for continuous monitoring.

Many, if not all, of an agency’s IT systems are mission-critical these days, and periodic snapshots of their status do not provide adequate assurance of security, according to the initial public draft of Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.”

Continuous monitoring to assess security status and enable incident response is now the standard for security assessment and maintenance.

“Information security is a dynamic process that must be effectively managed to respond to new vulnerabilities, evolving threats and an organization’s constantly changing enterprise architecture and operational environment,” the publication states.


Related stories:

Agencies slowly gain ground on continuous monitoring

FISMA's future may lie in State Department security model


The publication offers guidelines on the development of a continuous monitoring strategy and the implementation of a program based on that strategy. The program should provide visibility into assets and an awareness of threats and vulnerabilities to the system, and expose the effectiveness of security controls being used. It also should allow the organization to determine if the security controls are aligned properly with its risk tolerance and help the organization respond if it finds that security controls are not adequate.

Continuous monitoring is a critical element in the Risk Management Framework NIST developed. The framework is defined as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Ongoing awareness is essential to the ability to respond to risks as situations evolve because of changes in dynamic IT systems and threats. Data is collected and analyzed as often as needed to manage risk appropriately at each organizational tier.

“This involves the entire organization, from senior leaders providing governance and strategic vision to individuals developing, implementing, and operating individual systems in support of the organization’s core missions and business processes,” the guidelines state.

The process requires both manual data collection and automated tools to be effective. Manual and automated tools and methods include sampling, common protocols and reference architectures. Many of the security controls defined by NIST in SP 800-53, Recommended Security Controls for Federal Information Systems,” are amenable to automated monitoring. But NIST warns that controls that are not easily subject to automated monitoring must be assessed on a regular basis.

Steps for establishing, implementing and maintaining a continuous monitoring program are:

  • Define the continuous monitoring strategy.
  • Establish measures and metrics.
  • Establish monitoring and assessment frequencies.
  • Implement a continuous monitoring program.
  • Analyze data and report findings.
  • Respond with mitigating strategies, or reject, transfer or accept risk.
  • Review and update the continuous monitoring strategy and program.

Comments on the draft of SP 800-137 should be sent by March 15 to 800-137comments@nist.gov.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.