Continuous Monitoring of Information Security: An Essential Component of Risk Management

NIST has released a bulletin which summarizes the information in SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. NIST states that,

The bulletin explains the importance of information system continuous monitoring in protecting information systems and information, the role of ISCM in the Risk Management Framework, the integration of ISCM in organizational risk assessment activities, and the details of the organizational ISCM process. References are provided to additional sources of information on ongoing monitoring of information systems and on the Risk Management Framework.

The bulletin is attached below.



Continuous Monitoring for Wireless Networks

NIST’s Draft SP 800-153 provides continuous monitoring recommendations for wireless networks. NIST recommendations contained in the draft Guidelines for Securing Wireless Local Area Networks (WLANs) include implementing continuous monitoring tools which can detect all of the following:

— Unauthorized WLAN devices, including rogue APs and unauthorized client devices

— WLAN devices that are misconfigured or using weak WLAN protocols and protocol implementations

— Unusual WLAN usage patterns, such as extremely high numbers of client devices using a particular AP, abnormally high volumes of WLAN traffic involving a particular client device, or many failed attempts to join the WLAN in a short period of time
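As an added illustration (not from the NIST draft or this page), the following Python script applies the three classes of checks listed above to a constructed batch of WLAN controller events. The event layout, the authorized-AP list, the weak-protocol labels and every threshold are assumptions chosen for the example.

```python
from collections import defaultdict

# Assumed policy (not from SP 800-153): sanctioned APs, protocol labels
# treated as weak, and thresholds that define "unusual" usage.
AUTHORIZED_APS = {"AP-1", "AP-2"}
WEAK_PROTOCOLS = {"OPEN", "WEP", "WPA-TKIP"}
MAX_CLIENTS_PER_AP = 3                 # distinct clients on one AP
MAX_BYTES_PER_CLIENT = 50_000_000      # bytes per client in the sample
MAX_FAILED_JOINS, FAIL_WINDOW_S = 5, 60  # N join failures within W seconds
# Constructed sample events in an assumed controller-export shape (not real data).
EVENTS = [
    {"t": 0, "ev": "assoc", "bssid": "AP-1", "client": "C1", "proto": "WPA2", "bytes": 0},
    {"t": 1, "ev": "assoc", "bssid": "AP-1", "client": "C2", "proto": "WPA2", "bytes": 0},
    {"t": 2, "ev": "assoc", "bssid": "AP-1", "client": "C3", "proto": "WPA2", "bytes": 0},
    {"t": 3, "ev": "assoc", "bssid": "AP-1", "client": "C4", "proto": "WPA2", "bytes": 0},
    {"t": 4, "ev": "assoc", "bssid": "AP-9", "client": "C5", "proto": "WEP", "bytes": 0},
    {"t": 5, "ev": "traffic", "bssid": "AP-1", "client": "C2", "proto": "WPA2", "bytes": 80_000_000},
    {"t": 500, "ev": "auth_fail", "bssid": "AP-1", "client": "C8", "proto": "WPA2", "bytes": 0},
] + [{"t": 10 + i, "ev": "auth_fail", "bssid": "AP-1", "client": "C7", "proto": "WPA2", "bytes": 0}
     for i in range(6)]

def analyze(events):
    findings = set()                      # de-duplicated (finding, subject) pairs
    clients_per_ap = defaultdict(set)
    bytes_per_client = defaultdict(int)
    fail_times = defaultdict(list)
    for e in events:
        if e["bssid"] not in AUTHORIZED_APS:          # unauthorized / rogue AP
            findings.add(("rogue_ap", e["bssid"]))
        if e["proto"] in WEAK_PROTOCOLS:              # weak WLAN protocol in use
            findings.add(("weak_protocol", f'{e["bssid"]}:{e["proto"]}'))
        if e["ev"] == "assoc":
            clients_per_ap[e["bssid"]].add(e["client"])
        elif e["ev"] == "traffic":
            bytes_per_client[e["client"]] += e["bytes"]
        elif e["ev"] == "auth_fail":
            fail_times[e["client"]].append(e["t"])
    for ap, clients in clients_per_ap.items():        # too many clients on one AP
        if len(clients) > MAX_CLIENTS_PER_AP:
            findings.add(("crowded_ap", ap))
    for client, total in bytes_per_client.items():    # abnormally high traffic volume
        if total > MAX_BYTES_PER_CLIENT:
            findings.add(("high_volume_client", client))
    for client, ts in fail_times.items():   # any N join failures within W seconds
        ts.sort()
        if any(ts[i + MAX_FAILED_JOINS - 1] - ts[i] <= FAIL_WINDOW_S
               for i in range(len(ts) - MAX_FAILED_JOINS + 1)):
            findings.add(("repeated_join_failures", client))
    return sorted(findings)
```

Running `analyze(EVENTS)` flags the crowded AP, the high-volume client, the client with a burst of join failures, and the unsanctioned AP running WEP, while the single failed join from client C8 stays below the threshold.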


Federal CIO Emphasizes Continuous Monitoring for FedRAMP

From: FederalNewsRadio.com 1500 AM.

Federal CIO VanRoekel details his ‘first’ priorities

With nearly three months on the job, federal chief information officer Steven VanRoekel is putting a new shine on some long-standing technology priorities.

VanRoekel gave his first major policy speech on Tuesday night since taking over for Vivek Kundra in August, signaling how he plans to move the administration’s IT reform ball forward.


Continuous monitoring requires strong leadership — and software

From: www.FederalNewsRadio.com 1500 AM

By Jack Moore
Federal News Radio

For federal agencies, staying compliant with FISMA — the Federal Information Security Management Act — can feel like an endless process.

And in the ever-shifting world of federal IT and cybersecurity, to some extent, it is never-ending.

However, there’s a new guide to help agencies meet their continuous monitoring requirements.

Bruce Levinson, the editor of FISMA Focus at the Center for Regulatory Effectiveness, joined the Federal Drive with Tom Temin and Amy Morris to discuss the center’s recent survey on agency FISMA compliance.


ICE not sitting on cyber laurels

From: FederalNewsRadio.com 1500 AM

By Jason Miller

One of the cybersecurity employees at the Homeland Security Department’s Immigration and Customs Enforcement directorate turned a phishing attack into lessons learned for the rest of the department.

Jeff Eisensmith, ICE’s chief information security officer, said one of his employees strung out the attacker for a week and used this episode to help other ICE employees understand the dangers of phishing attacks.

Eisensmith said this example is part of the way ICE is improving the security of its network.


CRE Announces Federal Cybersecurity Best Practices: FISMA Continuous Monitoring

Study Fills Needs for Applied Best Practices Guidance

The Center for Regulatory Effectiveness (CRE), a regulatory watchdog, is releasing a best practices assessment of agency compliance with FISMA’s continuous monitoring requirements.

Studies have found only limited, insufficient agency adherence to FISMA’s continuous monitoring mandates. One survey found almost half of federal IT professionals were unaware of continuous monitoring requirements. A recent GAO report found that two-thirds of agencies “did not adequately monitor networks” to protect them “from intentional or unintentional harm.”

The CRE study fills the information gap by providing senior and staff level cybersecurity professionals with practical guidance in effectively implementing Information Security Continuous Monitoring (ISCM).


Survey of Federal IT Professionals: Almost Half Unaware of Continuous Monitoring Requirements

An annual survey by InformationWeek of “131 federal IT pros” found that almost half the surveyed professionals were unaware of NIST’s continuous monitoring requirement:

NIST gives agencies guidelines for implementing continuous monitoring, including both network and system-level monitoring, in their IT environments. While 21% of survey respondents have implemented continuous monitoring, a surprising 48% were not familiar with the requirements.

The complete survey report is attached below.



SP 800-126 Revision 2 (SCAP) Released

Editor’s Note: SP 800-126 rev. 2 is attached below.

From: NIST

I am pleased to announce the final release of NIST Special Publication (SP) 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications.


NIST Emphasizes Role of Automation, Metrics in Continuous Monitoring

NIST has finalized Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; the document is attached below.

The newly finalized guidance document explains that the federal requirement for the monitoring of information systems originated in OMB’s Circular A-130, originally published in 1997. The Circular requires agencies to “Review Security Controls.” Specifically, the Circular directs agencies to “Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system.” Thus, SP 800-137 builds on long-standing federal policy requirements for IT security.

SP 800-137 provides a very broad, conceptual definition of continuous monitoring:

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

The finalized document recognizes the essential role of automated systems in ensuring the monitoring of federal information systems.  NIST explains that: