Spotlight: Information Security Continuous Monitoring

By Lon Berman, CISSP

No longer just a technical issue, instead a strategic program to manage cybersecurity risk.

Targeted cyber attacks are a strategic organizational problem. Cyber attackers are more sophisticated than ever before, and it has become vitally important to understand how to manage risk and implement a continuous monitoring program.  More than just a technical exercise, Continuous Monitoring is a strategic program to manage cybersecurity risk. It is a cornerstone of the Risk Management Framework (RMF) that is now the standard information security life cycle process for DoD, Federal Agencies and the Intelligence Community. 

Many agencies have disparate information security systems and need improved system visibility, the ability to identify cyber threats and eliminate risks as soon as possible. The NIST Risk Management Framework (RMF) emphasizes the importance of near real-time risk management and continuous information systems authorization through continuous monitoring processes which supports the overall RMF six step process for information and risk management.

Enterprise-Wide Continuous Monitoring: NIST SP 800-137

NIST SP 800-137 is designed to assist organizations in developing a continuous monitoring strategy and implementing an enterprise-wide program. It speaks to the following processes as “essential to organization-wide continuous monitoring:”

Ongoing assessment security controls with assessment frequencies based on an organization-wide continuous monitoring strategy. 

Configuration management and change control processes for organizational information systems, throughout their system development life cycle (SDLC), with consideration of their operating environments and their role(s) in supporting the organization’s core mission processes. 

Security impact analyses (SIA) on changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission and/or organizational functions. 

Security status reporting to organizational officials designed to enable data-driven risk mitigation decisions with minimal response times and acceptable data. Considerations include organization relevant threat data. 

Optimizing security metrics is considered essential in NIST SP 800-137. “Metrics are measures that have been organized into meaningful information to support decision making. Metrics are developed for system-level data to make it meaningful in the context of mission or organizational risk management.” Data should be collected in a way that most accurately pinpoints and validates actual risk. 

Considerations for an organization-wide continuous monitoring program

  • Has your organization formally established and implemented an enterprise-wide continuous monitoring program?
  • Has a formal continuous monitoring strategy been established?
  • Have specific roles and responsibilities been assigned within the program
  • How do you analyze data and report findings?
  • What processes are in place to respond to findings?
  • How often do you review and update your monitoring program and strategy?
  • What role does automation play in your program?

Additional NIST Special Publications (SP):

NIST SP 800-39 – Applying the Risk Management Framework to Federal Information Systems, establishes a Risk Management Framework (RMF) promotes the concept of near-real-time risk management through the implementation of a robust continuous monitoring process.

NIST SP 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations exists to “help ensure that appropriate security requirements and security controls are applied to all federal information and information systems.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.