NIST Publishes Draft Implementation Guidance for Continuously Monitoring an Organization's IT System Security

Three new draft reports published by the National Institute of Standards and Technology (NIST) are designed to help both public and private organizations improve the security of their information management systems by developing capabilities for continuous monitoring of security. Comments are requested on the drafts.

For many organizations, information is one of their most valuable assets. Over the past decade, the IT security world has been moving ever closer to implementing diverse sets of security tools that enable tracking the security of enterprise-wide computer systems. "Organizations need to have 'situational awareness' over their information systems and to understand their security posture in a constantly evolving IT environment," explains NIST computer scientist David Waltermire. This requires an organization to have a dynamic process to identify and respond to new vulnerabilities and developing threats.

"Some organizations are already adopting continuous monitoring programs and acquiring tools to help, Waltermire said, "but there is little technical guidance on implementing a standardized approach. That is the goal of these three new publications."

The first of the three drafts, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model (NIST Interagency Report 7756 Second Public Draft) (available at http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-NISTIR-7756_second-public-draft.pdf), provides a reference model for organizations to collect data from across a diverse set of security tools, analyze the data, score the data, enable user queries and provide overall situational awareness. The model is designed so organizations can meet these goals by leveraging their existing security tool investments and avoiding designing and paying for custom solutions. It was developed using the Department of Homeland Security (DHS) continuous monitoring framework named Continuous Asset Evaluation, Situational Awareness, and Risk Scoring architecture (CAESARS) as a starting point.

"Organizations are already using CAESARS, but the architecture lacked specific requirements enabling product interoperability and interorganizational information sharing between different systems within the enterprise environment," Waltermire said.

The second document, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications (NISTIR 7799) (available at http://csrc.nist.gov/publications/drafts/nistir-7799/Draft-NISTIR-7799.pdf), provides the technical specifications for the continuous monitoring reference model presented in NISTIR 7756 with enough specificity to enable instrumentation of existing products and development of new capabilities by vendors. The specifications in NISTIR 7799 define an ecosystem in which a variety of interoperable products can be combined into a continuous monitoring solution.

The third document, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration and Vulnerability Management Domains (NISTIR 7800) (available at http://csrc.nist.gov/publications/drafts/nistir-7800/Draft-NISTIR-7800.pdf), augments the reference model with guidance on addressing these specific areas. It does this by leveraging the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability-scan content, and it recommends reporting results in an SCAP-compliant format.

NIST is asking for public comment on the three draft publications. Please send comments to fe-comments [at] nist.gov (fe-comments[at]nist[dot]gov) by February 17. For clarity, please be sure to note which publication is the subject of your comments.

Two earlier publications provide roots for continuous monitoring. NIST's Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (Special Publication 800-137), published in September 2011, was written to help organizations apply NIST's Risk Management Framework* to understand their security posture against threats and vulnerabilities and to determine how effectively their security controls are working. An Office of Management and Budget(OMB) memorandum (M-11-33** emphasizes monitoring the security state of information systems on an ongoing basis to enable ongoing, risk-based decisions.

* Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37 Rev. 1) can be found at http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.

**OMB memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, is available online.