Continuous Monitoring Guidance Issued
NIST Also Revises SCAP Special Report
Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, describes how to define an information security continuous monitoring strategy and establish an information security continuous monitoring program.
The National Institute of Standards and Technology said the purpose of the guideline is to assist organizations in developing a continuous monitoring strategy and implementing a program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and information about the effectiveness of deployed security controls.
According to the publication, the strategy:
- Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization.
- Includes metrics that provide meaningful indications of security status at all organizational tiers.
- Ensures continued effectiveness of all security controls.
- Verifies compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies and standards/guidelines.
- Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets.
- Ensures knowledge and control of changes to organizational systems and environments of operation.
- Maintains awareness of threats and vulnerabilities.
NIST also unveiled Monday the final release of SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2.
SCAP consists of a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and to humans. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications.
Major changes in version 1.2 include the addition of the Asset Reporting Format, Asset Identification, the Common Configuration Scoring System, and the Trust Model for Security Automation Data, which provides support for digitally signing SCAP source and result content so that consumers can verify its origin and integrity before acting on it.
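The two documents meet in practice when SCAP scan results are turned into the status metrics and change awareness that SP 800-137 asks for. The following Python is an added example, not code from NIST or from either publication: it parses XCCDF 1.2 TestResult documents (the SCAP results format), counts outcomes, computes a simplified pass ratio, and flags rules that regressed between two scans of the same host. The two scan documents are constructed inline with placeholder rule identifiers, and the `compliance_ratio` metric is a deliberate simplification, not the XCCDF default scoring model.

```python
"""Turn XCCDF 1.2 (SCAP) results into continuous-monitoring metrics.

Added example; the sample scans below are constructed, with placeholder
identifiers, and are not output from any real scanner.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by SCAP 1.2 result content.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Outcomes that do not count toward the pass ratio.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}


def _sample_testresult(rule_results):
    """Build a constructed XCCDF 1.2 TestResult document (placeholder ids)."""
    body = "".join(
        f'  <rule-result idref="{rule}"><result>{res}</result></rule-result>\n'
        for rule, res in rule_results
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.example_testresult_sample">\n'
        '  <target>host01.example.org</target>\n'
        f'{body}'
        '</TestResult>\n'
    )


# Two constructed scans of one host, as a monitoring program collects over time.
BASELINE_SCAN = _sample_testresult([
    ("xccdf_org.example_rule_ssh_root_login", "pass"),
    ("xccdf_org.example_rule_password_max_age", "pass"),
    ("xccdf_org.example_rule_audit_enabled", "fail"),
    ("xccdf_org.example_rule_ipv6_disabled", "notapplicable"),
    ("xccdf_org.example_rule_firewall_enabled", "pass"),
])

LATEST_SCAN = _sample_testresult([
    ("xccdf_org.example_rule_ssh_root_login", "fail"),       # regression
    ("xccdf_org.example_rule_password_max_age", "pass"),
    ("xccdf_org.example_rule_audit_enabled", "fixed"),       # remediated
    ("xccdf_org.example_rule_ipv6_disabled", "notapplicable"),
    ("xccdf_org.example_rule_firewall_enabled", "error"),    # check could not run
])


def parse_rule_results(xml_text):
    """Return {rule id: result} from an XCCDF 1.2 TestResult document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}TestResult":
        raise ValueError(f"not an XCCDF 1.2 TestResult: {root.tag}")
    results = {}
    for rr in root.findall("x:rule-result", NS):
        result = rr.find("x:result", NS)
        if result is None or not result.text:
            raise ValueError(f"rule-result {rr.get('idref')} has no <result>")
        results[rr.get("idref")] = result.text.strip()
    return results


def status_counts(results):
    """Count rule results by outcome, e.g. Counter({'pass': 3, 'fail': 1})."""
    return Counter(results.values())


def compliance_ratio(results):
    """Fraction of scored rules that pass (pass or fixed).

    Simplified metric for illustration, not the XCCDF default scoring model.
    Unscored outcomes are dropped; error and unknown count as not passing,
    so a check that failed to run never inflates the score.
    """
    scored = [r for r in results.values() if r not in UNSCORED]
    if not scored:
        return 0.0
    passed = sum(1 for r in scored if r in ("pass", "fixed"))
    return passed / len(scored)


def regressions(previous, current):
    """Rules that passed before and no longer do: the change to alert on,
    whatever the aggregate score says."""
    return sorted(
        rule for rule, res in current.items()
        if previous.get(rule) in ("pass", "fixed") and res not in ("pass", "fixed")
    )


def main():
    before = parse_rule_results(BASELINE_SCAN)
    after = parse_rule_results(LATEST_SCAN)
    print("baseline:", dict(status_counts(before)), f"{compliance_ratio(before):.0%}")
    print("latest:  ", dict(status_counts(after)), f"{compliance_ratio(after):.0%}")
    for rule in regressions(before, after):
        print("REGRESSION:", rule, before[rule], "->", after[rule])


if __name__ == "__main__":
    main()
```

Note that the aggregate ratio moves from 75% to 50% between the two constructed scans, but the per-rule comparison is what surfaces the two items an operator needs: the SSH rule that went from pass to fail, and the firewall check that returned error (treated as not passing rather than silently dropped).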