U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Risk Management Framework RMF

Risk Management Framework (RMF) - Monitor Step

At A Glance

RMF Monitor Step

 

Purpose: Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions
 
Outcomes: 

  • system and environment of operation monitored in accordance with continuous monitoring strategy
  • ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
  • output of continuous monitoring activities analyzed and responded to
  • process in place to report security and privacy posture to management
  • ongoing authorizations conducted using results of continuous monitoring activities

 


Resources for Implementers


NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

  • Assists organizations in the development of a continuous monitoring strategy and the implementation of a continuous monitoring program to providE visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls.
  • ISCM provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance as well as the information needed to respond to risk in a timely manner should observations indicate that the controls are inadequate.

NIST SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

  • An approach for the development of ISCM program assessments that can be used to evaluate ISCM programs.
  • An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization’s ISCM program, including the review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data.

NISTIR 8212, ISCMA: An Information Security Continuous Monitoring (ISCM) Program Assessment

  • An example methodology for assessing an organization’s ISCM program and reference implementation tool that is directly usable for conducting an ISCM assessment.

NISTIR 8011, Automation Support for Security Control Assessments: Multiple Volumes

  • A series of publications to support automated assessment of most of the security controls in NIST SP 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed.
  • For effective automated assessment, testable defect checks are defined that bridge the determination statement to the broader security capabilities to be achieved and to the SP 800-53 security control items.
  • Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

  • Guidelines for building effective assessment plans, detailing the process for conducing control assessments, and a comprehensive set of procedures for assessing the effectiveness of the SP 800-53 controls.
  • The assessment procedures are used as a starting point for and as input to the assessment plan.

 

 


Back to About the RMF

Created November 30, 2016, Updated October 19, 2021