Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Continuous Monitoring of Information Security: An Essential Component of Risk Management



Shirley M. Radack


This bulletin summarizes the information presented in NIST Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. The guide helps organizations develop an ISCM strategy and implement an ISCM program that provides awareness of threats and vulnerabilities of information systems, and that facilitates the assessment of organizational assets and the effectiveness of security controls. The bulletin explains the importance of information system continuous monitoring in protecting information systems and information, the role of ISCM in the Risk Management Framework, the integration of ISCM in organizational risk assessment activities, and the details of the organizational ISCM process. References are provided to additional sources of information on ongoing monitoring of information systems and on the Risk Management Framework.
ITL Bulletin -


cyber security, Federal Information Security Management Act, information security, information system continuous monitoring, information system life cycle, information technology, risk assessment, Risk Management Framework, security controls, security impact assessments, security plans, security requirements, security risks, threats to systems, vulnerabilities


Radack, S. (2011), Continuous Monitoring of Information Security: An Essential Component of Risk Management, ITL Bulletin, National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 12, 2024)
Created October 25, 2011, Updated January 27, 2020