NIST states that its draft Continuous Monitoring Technical Reference Architecture document “is broadly applicable to diverse networks including industry, civilian government, state government, tribal, and military networks. Expected users of this document include Chief Information Security Officers, Chief Technology Officers, security tool vendors, security tool testing laboratories, security program managers, and enterprise architects.”
NIST notes that its participation in developing the Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) Reference Architecture “led to an architectural design that could support industry as well as government and a design well integrated with existing and emerging security automation standards.”
NIST explains that, “[i]f successful, CAESARS FE [Framework Extension] and the security products that support it will enable organizations to compose diverse security products together into a hierarchical data aggregation architecture that supports a large variety of CM consumers from both the security disciplines and general information technology (IT) management domains. The challenge will be to minimally define the required functionality so that security tool vendors can cost-effectively participate while ensuring a necessary level of interoperability between vendor products. This will require ongoing discussions, collaboration, and development within government and industry.”
Comments on the draft document, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture, NIST Interagency Report 7756 (Draft), are due March 11, 2011. For more information about the document, please see FISMA Focus’ Continuous Monitoring Forum, http://www.thecre.com/cm/?p.