Late last year, NIST’s schedule for developing their continuous monitoring guidance document called for three rounds of public comment on evolving drafts of SP 800-137. As FISMA Focus highlighted, the second public draft of SP 800-137 was cancelled in January. In April, FISMA Focus noted that even the planned final public draft of the document appeared to be cancelled along with the rest of the schedule for the document’s development.
NIST is now reporting that they expect the final version of SP 800-137 by the end of September 2011. As NIST explains, they “are working through the public comments with our DoD and Intelligence Community partners and are on target for a final version by the end of the fiscal year.”
Thus, it appears that NIST will not be soliciting additional comments on SP 800-137. The question is why not. Continuous monitoring is far too critical a component of cybersecurity for the government’s guidance not to receive a thorough public vetting. Because the Initial Public Draft of SP 800-137 was often vague on such basic issues as the definition of the term “continuous monitoring,” the value of additional stakeholder review and advice seemed evident.
It is NIST’s prerogative to finalize SP 800-137 without the benefit of additional public comments. The agency should, however, explain its decision not to seek the additional comment it had planned.
The Center for Regulatory Effectiveness’ comments on the Initial Public Draft of SP 800-137 may be found here.