Microsoft Seeks Clarification from NIST with Respect to Continuous Monitoring

The Center for Regulatory Effectiveness (CRE) has obtained, via FOIA request, Microsoft’s comments to NIST on the Initial Public Draft of their continuous monitoring guidance document, SP 800-137.

Microsoft’s comments include a request that NIST “Please clarify what the ‘organization-wide tools’ mentioned” on p. 21 of the draft are, in the context of the continuous monitoring strategy at organizational Tiers 1 and 2.

Microsoft’s complete comments are attached below. CRE will be releasing the SP 800-137 comments of additional private sector and federal agency stakeholders.



Continuous Monitoring Architecture Workshop 2011 Presentations

The presentations from NIST’s March 21st Continuous Monitoring Architecture Workshop are available at http://scap.nist.gov/events/2011/cm_workshop/presentations/.


UPDATE: SP 800-137 NOT Cancelled

CRE has received information that SP 800-137 has NOT been cancelled. Subsequent action on the continuous monitoring guidance document (release of either a revised public draft or a final document) is expected by no later than the end of September, possibly


NIST Deletes Continuous Monitoring Guidance From FISMA Development Schedule

NIST’s revised Development Schedule for FISMA Implementation deleted all reference to SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The Initial Public Draft of SP 800-137 was released by NIST on December 16, 2010 with a comment period ending on March 15, 2011.

NIST’s previous revision to the Development Schedule cancelled a planned 2nd Public Draft of SP 800-137 but otherwise left its development intact.

NIST has not yet provided any indication of: 1) why SP 800-137 was deleted from the Development Schedule; 2) what the revised schedule means for the fate of the guidance document; or 3) what the deletion of the document may mean for implementation of continuous monitoring requirements by federal agencies.


Where to draw the line in cyber-security: Continuous monitoring

From: Government Security News

By: Dusty Wince

Like many GSN readers, I followed the story of the WikiLeaks security breach very closely. When the Web site was effectively shut down by Amazon.com’s Web servers, and then had its funding cut off by banking institutions, WikiLeaks supporters fought back — hacking into those businesses’ systems and denying them service.

This cyber attack, sponsored by no single government but affecting scores of companies and citizens, should give every federal agency pause. In a world where even the founder of Facebook has his Facebook page hacked, cyber-security can often seem an uphill battle. What applications are safe to use? What information is really secure? Where do you draw the line?


NIST, GSA: Real cloud guidance by fall 2011

From: FierceGovernmentIT

Before year end the National Institute of Standards and Technology and the General Services Administration will release concrete information that will assist agencies in adopting cloud computing technology.

NIST expects a first draft of a “Cloud Computing Technology Roadmap” to be published as an interagency report by the end of fiscal 2011, announced Dawn Leaf, senior executive for cloud computing at NIST, April 7 during a cloud computing workshop at the agency in Gaithersburg, Md.