NIST’s “Capstone” FISMA Publication Provides Superb Understanding of Risk Monitoring

NIST’s Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View was described by the agency as “the capstone publication” of the Joint Task Force, “a federal cyber security partnership made up of the Department of Defense, the Intelligence Community and NIST.”

Of particular note, SP 800-39 introduced the “three-tiered risk management approach that recommends federal agencies focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how information security risk is assessed, responded to, and monitored over time in the context of critical missions and business functions.”

The document, which references NIST’s draft continuous monitoring guidance document SP 800-137, provides a crucial understanding of risk monitoring, including the benefits of automated monitoring over manual monitoring.

Among the Risk Monitoring Strategy issues on which SP 800-39 provides in-depth supplemental guidance are:

  • Monitoring Compliance
  • Monitoring Effectiveness
  • Monitoring Changes, including Information System and Environments of Operation
  • Automated Versus Manual Monitoring
  • Frequency of Monitoring

With respect to the Risk Monitoring function, the document explains that the “output from the risk monitoring step is the information generated by: (i) verifying that required risk response measures are implemented and that information security requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines, are satisfied; (ii) determining the ongoing effectiveness of risk response measures; and (iii) identifying changes to organizational information systems and environments of operation. Outputs from the risk monitoring step can be useful inputs to the risk framing, risk assessment, and risk response steps.”

SP 800-39 is a must-read document for everyone with information security responsibilities, irrespective of whether they are inside or outside government.

Attached below is the Risk Monitoring section of SP 800-39. The entire document may be found here.
