To secure agency systems, start at the top

NIST outlines an organizational-level approach to continuous monitoring

Effective IT security requires a top-down approach, with strategic planning at the organizational level rather than on a system-by-system basis, the National Institute of Standards and Technology says in newly released draft guidelines for continuous monitoring.

Many, if not all, of an agency’s IT systems are mission-critical these days, and periodic snapshots of their status do not provide adequate assurance of security, according to the initial public draft of Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.

Continuous monitoring to assess security status and enable incident response is now the standard for security assessment and maintenance.

“Information security is a dynamic process that must be effectively managed to respond to new vulnerabilities, evolving threats and an organization’s constantly changing enterprise architecture and operational environment,” the publication states.

The publication offers guidelines on the development of a continuous monitoring strategy and the implementation of a program based on that strategy. The program should provide visibility into assets and an awareness of threats and vulnerabilities to the system, and expose the effectiveness of security controls being used. It also should allow the organization to determine if the security controls are aligned properly with its risk tolerance and help the organization respond if it finds that security controls are not adequate.

Continuous monitoring is a critical element in the Risk Management Framework NIST developed. The framework is defined as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Ongoing awareness is essential to the ability to respond to risks as situations evolve because of changes in dynamic IT systems and threats. Data is collected and analyzed as often as needed to manage risk appropriately at each organizational tier.

“This involves the entire organization, from senior leaders providing governance and strategic vision to individuals developing, implementing, and operating individual systems in support of the organization’s core missions and business processes,” the guidelines state.

The process requires both manual data collection and automated tools to be effective. Manual and automated tools and methods include sampling, common protocols and reference architectures. Many of the security controls defined by NIST in SP 800-53, Recommended Security Controls for Federal Information Systems, are amenable to automated monitoring. But NIST warns that controls that are not easily subject to automated monitoring must be assessed on a regular basis.

Steps for establishing, implementing and maintaining a continuous monitoring program are:

  • Define the continuous monitoring strategy.
  • Establish measures and metrics.
  • Establish monitoring and assessment frequencies.
  • Implement a continuous monitoring program.
  • Analyze data and report findings.
  • Respond with mitigating strategies, or reject, transfer or accept risk.
  • Review and update the continuous monitoring strategy and program.
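As an added illustration (not from the NIST draft or this article), the following Python sketch models the frequency, analysis and response steps above: each control carries the assessment frequency the strategy assigns it, stale or failed assessments are rolled up per organizational tier, and tiers whose coverage falls below an assumed risk tolerance are flagged for a risk response. The control ids, tiers, dates and the tolerance are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (added example, not from the NIST draft). Control
# ids use SP 800-53 family naming; tiers, intervals, dates and results are assumed.
@dataclass
class ControlStatus:
    control_id: str         # e.g. "SI-2"
    tier: int               # 1 = organization, 2 = mission/business, 3 = system
    automated: bool         # True when a tool can re-check the control continuously
    max_interval_days: int  # assessment frequency set by the monitoring strategy
    last_assessed: date
    satisfied: bool         # result of the most recent assessment

AS_OF = date(2010, 12, 22)  # assumed reporting date for the sample
SAMPLE_INVENTORY = [
    ControlStatus("SI-2", 3, True, 1, date(2010, 12, 22), True),
    ControlStatus("CM-8", 3, True, 1, date(2010, 12, 20), True),
    ControlStatus("RA-5", 3, True, 7, date(2010, 12, 18), True),
    ControlStatus("AC-2", 3, False, 30, date(2010, 11, 1), True),
    ControlStatus("IR-4", 2, False, 90, date(2010, 10, 15), False),
    ControlStatus("PL-2", 1, False, 365, date(2010, 6, 1), True),
]

def overdue_controls(inventory, today):
    """Ids of controls whose last assessment is older than their assigned frequency.
    Manual controls get the same test: NIST says they still need regular assessment."""
    return [c.control_id for c in inventory
            if (today - c.last_assessed).days > c.max_interval_days]

def tier_summary(inventory, today):
    """Per tier: control count and the fraction that are 'effective', i.e. satisfied
    AND assessed within frequency. A stale good result does not count as effective."""
    overdue = set(overdue_controls(inventory, today))
    summary = {}
    for c in inventory:
        entry = summary.setdefault(c.tier, {"total": 0, "effective": 0})
        entry["total"] += 1
        if c.satisfied and c.control_id not in overdue:
            entry["effective"] += 1
    for entry in summary.values():
        entry["coverage"] = entry["effective"] / entry["total"]
    return summary

def tiers_below_tolerance(summary, min_coverage):
    """Tiers whose coverage is under the organization's risk tolerance: these are
    where a response (mitigate, or reject, transfer or accept the risk) is needed."""
    return sorted(t for t, e in summary.items() if e["coverage"] < min_coverage)
```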

Comments on the draft of SP 800-137 should be sent by March 15 to 800-137comments@nist.gov.

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Wed, Dec 22, 2010 WOR

Yeah, I don't know. Top down has usually meant HQ is told it needs to be done by OMB. They swallow some vendor's sales pitch hook, line and sinker. They foist the unworkable program on the agency, while getting their executives' offices exempted because "their work is too important to risk getting delayed". We'll see.

Wed, Dec 22, 2010 Jeffrey A. Williams

Rather than START at the top, a bottom-up approach would yield better results. Certainly management's active participation is required, but they must know the technology and trust their technicians to provide the proper input knowledge regarding the ever-evolving threat picture.