Dr. Ron Ross, a Fellow at NIST and leader of the FISMA Implementation Project, emphasized the importance of continuous monitoring in discussing the forthcoming NIST SP 800-53, Rev. 4 set of security controls. Dr. Ross stated that Rev. 4 supports “A New Cyber Defense Vision — Build it right — Continuously Monitor.” The presentation was provided at a meeting of the Internet Security and Privacy Advisory Board (ISPAB) held on the NIST campus in Gaithersburg, MD.
The presentation described four key aspects of the future of cyber defense:
- Develop risk-aware mission business processes;
- Develop and implement enterprise architectures with embedded information security architectures;
- Use information technology wisely considering the current threat landscape (capabilities, intent, targeting); and
- Develop and implement robust continuous monitoring programs.
Dr. Ross identified three primary purposes of continuous monitoring:
- Determine effectiveness of risk mitigation measures;
- Identify changes to information systems and environments of operation; and
- Verify compliance.
The bottom line emphasized by Dr. Ross is that continuous monitoring should “increase situational awareness to help determine risk to organizational operations and assets, individuals, other organizations, and the Nation.”
NIST expects to release a final public draft of SP 800-53, Rev. 4 in July 2012 for a short comment period of about two weeks, with the final document intended for publication in September 2012.