Federal agencies are directed to implement a program to continuously monitor their organizational information security status. NIST Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, has provided guidance on developing an ISCM program—a comprehensive continuous monitoring program that serves as a risk management and decision support tool and is used across each level of an organization.
NIST has now published SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment, which describes an approach to developing program assessments to evaluate ISCM programs established in accordance with NIST SP 800-137. An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization’s ISCM program, including a review of ISCM strategies, policies, procedures, and operations. An ISCM program assessment developed under the guidance in SP 800-137A evaluates the ISCM program itself (i.e., the structure and governance of the ISCM program) rather than the results of the ISCM program or the continuous monitoring technologies used. Creating, adopting, or using an ISCM program assessment can help reduce the overall risk to organizations by identifying gaps in an ISCM program, in the implementation of an ISCM program, or in the operational use of ISCM results.
The ISCM assessment approach can be used as presented or as the starting point for an organization-specific methodology. It includes an ISCM Program Assessment Element Catalog with example evaluation criteria and assessment procedures that can be applied to organizations.
To enhance usability, the ISCM Program Assessment Catalog is provided as a separate MS Excel file. See the publication details for a link to the publication and catalog.