NIST’s FISMA implementation documents are increasingly important to the private sector as Congress comes closer to requiring that federal cybersecurity standards be applied to the private sector. For example, the Chairman of the House Homeland Security Committee has introduced legislation that would authorize the Department of Homeland Security to “establish and enforce risk-based cybersecurity requirements for private sector computer networks within covered critical infrastructures.”
Continuous monitoring is an integral component of the government’s FISMA Risk Management Framework. Government Computer News reported in June that a draft of NIST SP 800-137, the agency’s continuous monitoring guidance document, would be released for public comment, “later this summer….”
In September, NIST released an updated FISMA implementation publication development schedule that stated that the Initial Public Draft of SP 800-137 would be released in November 2010. There is no indication from NIST when release of the initial draft is now expected.
Increased agency interest in obtaining additional information about continuous monitoring is evidenced by the Department of Homeland Security’s issuance of a Request for Information (RFI) on continuous monitoring capabilities. The DHS RFI may be seen at http://www.thecre.com/cm/?p=68.
Once the SP 800-137 initial draft is released, NIST should promote full and informed public participation in the process of finalizing the document by publicly posting all comments received on its website. By allowing comments on comments, NIST would gain additional insights into the strengths and weaknesses of the comments received, creating a truly collaborative public-private document development process. Repeated attempts to have NIST commit to public disclosure have failed (see http://www.thecre.com/fisma/?p=92); so much for the President’s Open Government Initiative.
To further enhance transparency and informed public participation in the development of the continuous monitoring guidance document, the Center for Regulatory Effectiveness will be posting comments on our FISMA Focus Interactive Public Docket’s SP 800-137 Discussion Forum found at http://www.thecre.com/cm/.