Why Is NIST Not Requesting Additional Public Comments on SP 800-137?

Late last year, NIST's schedule for developing its continuous monitoring guidance, SP 800-137, called for three rounds of public comment on successive drafts. As FISMA Focus highlighted, the second public draft of SP 800-137 was cancelled in January. In April, FISMA Focus noted that even the planned final public draft appeared to have been cancelled, along with the rest of the document's development schedule.

NIST now reports that it expects to publish the final version of SP 800-137 by the end of September 2011. As NIST explains, they "are working through the public comments with our DoD and Intelligence Community partners and are on target for a final version by the end of the fiscal year."


Continuous monitoring best weapon against ZeuS Trojan

From: ITbusiness.ca

A former NSA and FBI security expert suggests that rather than throwing money at the problem, CISOs should rethink their security strategy.

by Nestor E. Arellano 

It all started with a sudden spike in network activity from the machine traced to a user with the same first name as the company’s CEO. The key question at that moment was: Is this a legitimate activity or not?


Just Getting Started

By Ericka Chickowski, Dark Reading

Federal agencies still have a long way to go in implementing continuous monitoring. Only 29% of agencies have the tools in place to continuously monitor their IT systems in a meaningful way, an Office of Management and Budget report in March found.

Most agencies are still in the information-gathering stage of continuous monitoring programs, says Mike Yaffe, product marketing manager for Core Security Technologies.


DHS Releases Continuous Monitoring Reporting Metrics

DHS has released Version 1.0 of its "FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics," which includes the metrics for Continuous Monitoring.

There are two continuous monitoring questions on which data must be reported:

  1. The percentage of data, from a list of potential data feeds, that "are being monitored at appropriate frequencies and levels in the Agency"; and
  2. The extent to which "the data collected, correlated, and being used to drive action to reduce risks," on a 1-5 scale, "with 1 being that 'All continuous monitoring data is correlated.'"


SCAP (Security Content Automation Protocol) Validation Testing Update

From: NIST

Dear Security Automation Community,

So that the community can plan in advance for upcoming validation requirements, NIST is announcing the revised SCAP validation program slated for late FY11 Q4 / early FY12 Q1.

The new validation program constitutes a significant expansion in test bundle content to exercise the various specification constructs of greatest interest to the operational and planned use cases pertaining to community and government interest. NIST will also provide a public test suite for vendors and developers of products that use SCAP to test and calibrate their implementations according to SCAP 1.2 specifications prior to entering formal laboratory validation.