NIST Standards for Cybersecurity
The NIST standards for cybersecurity are developed by NIST's Information Technology Laboratory (ITL) and have been adopted by the US Government. In addition, NIST developed a program for producing checklists for securing IT systems, which is now owned by DISA (Defense Information Systems Agency).
NIST & Continuous Monitoring
Continuous monitoring is one of six steps initially described in the Risk Management Framework (RMF), NIST Special Publication 800-37, Revision 1, Applying the Risk Management Framework to Federal Information Systems. The Federal Information Security Management Act of 2002 (FISMA) requires Federal agencies to report the security posture of their information systems annually.
The "Snapshot" Audit Approach
Prior to May 2010, agencies assessed the security posture of deployed systems using a "snapshot" certification and accreditation process that ran on a periodic schedule and captured the system at a predefined fixed point in time. Under this approach, agencies required system owners to reauthorize systems on a multi-year cycle, placing little emphasis on the use of automation to continuously monitor critical IT controls.
New Guidelines Emphasize Continuous Monitoring
In April 2010, the Office of Management and Budget (OMB) issued new guidance on FISMA reporting requirements that emphasized continuous monitoring to provide ongoing, near real-time risk management and operational security for IT systems, the approach NIST SP 800-137 defines.
The NIST 800 Series of Standards for Cybersecurity
The NIST 800 Series of standards for cybersecurity has become the de facto standard for securing networked data systems in the United States and many other countries. The information is disseminated in the form of Special Publications (SP) and covers many different aspects of computer security in the form of guidelines, recommendations, technical specifications, frameworks, and programs.
NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, details the guidelines for implementing a continuous monitoring program that builds on the monitoring concepts introduced in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
Specific FISMA requirements encompass NIST SP 800-53, SP 800-37, SP 800-137, and the Federal Information Processing Standards (FIPS) publications 199 and 200. Many of the technical security controls defined in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, are central to a continuous monitoring program using automated tools and techniques.