The Evolution of Continuous Monitoring

When organizations first started efforts towards FISMA compliance, the requirement of Continuous Monitoring (CM) was interpreted at a high level. To most organizations, CM meant conducting quarterly risk assessments, periodic vulnerability scanning, and annual FISMA assessments. However, with the emergence of cloud computing and FedRAMP, CM began to be viewed as a more vital component of the overall security program.

DoD’s Risk Management Framework (RMF) recognized this trend. In fact, the System Security Plan template offered on the Defense Security Service web site contains a CM block for each of the NIST 800-53 controls. The organization is expected to record its strategy for continuously monitoring each applicable control. Therefore, rather than applying CM at the system level or even the 800-53 family level, CM is now expected at the individual control level.

NIST is supporting this trend by publishing the NISTIR 8011 series to provide guidelines for automated CM for those controls that lend themselves to quantitative measures. As opposed to the classical 800-53 control families, the guidelines are organized by “assessment objects,” defined as “anything that can have a security defect,” for example Hardware Assets and Software Assets. NIST has published the Overview volume as well as the Hardware Asset Management volume and will eventually publish eleven additional volumes. Once completed, they will represent a compendium of techniques for continually assessing control performance.

BSC Systems is preparing our clients for the new CM approach by supplementing our extensive control checklists and templates with the RMF and NISTIR information. In addition to capturing objective evidence of each control’s correct functioning during FISMA and HIPAA assessments, we will also assist clients in defining a robust approach to CM for each control. This is a big step for most organizations, and we recognize that many CM strategies will require incremental improvements over time. However, it is only a matter of time before control-level CM becomes a requirement, and IT security budgets will demand that many of these controls be monitored automatically.