Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Assessing Information Security Continuous Monitoring (ISCM) Programs: NIST Special Publication 800-137A Now Available

NIST has published Special Publication (SP) 800-137A, "Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment."

Federal agencies are directed to implement a program to continuously monitor their organizational information security status. NIST Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, has provided guidance on developing an ISCM program—a comprehensive continuous monitoring program that serves as a risk management and decision support tool and is used across each level of an organization.

NIST has now published SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment, which describes an approach to developing program assessments to evaluate ISCM programs established in accordance with NIST SP 800-137. An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization’s ISCM program, including a review of ISCM strategies, policies, procedures, and operations. An ISCM program assessment developed under the guidance in SP 800-137A evaluates the ISCM program itself (i.e., the structure and governance of the ISCM program) rather than the results of the ISCM program or the continuous monitoring technologies used. Creating, adopting, or using an ISCM program assessment can help reduce the overall risk to organizations by identifying gaps in an ISCM program, in the implementation of an ISCM program, or in the operational use of ISCM results. 
The ISCM assessment approach can be used as presented or as the starting point for an organization-specific methodology. It includes an ISCM Program Assessment Element Catalog with example evaluation criteria and assessment procedures that can be applied to organizations. 

To enhance usability, the ISCM Program Assessment Catalog is provided as a separate MS Excel file. See the publication details for a link to the publication and catalog.

Released May 21, 2020