Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Dempsey, Kelley; Chawla, Nirali; Johnson, L.; Johnston, Ronald; Jones, Alicia; Orebaugh, Angela; Scholl, Matthew; Stine, Kevin

doi:https://doi.org/10.6028/NIST.SP.800-137

SP 800-137

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Documentation Topics

Date Published: September 2011

Author(s)

Kelley Dempsey (NIST), Nirali Chawla (PwC), L. Johnson (NIST), Ronald Johnston (DoD), Alicia Jones (BAH), Angela Orebaugh (BAH), Matthew Scholl (NIST), Kevin Stine (NIST)

Abstract

The purpose of this guideline is to assist organizations in the development of a continuous monitoring strategy and the implementation of a continuous monitoring program providing visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls. It provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance as well as the information needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate.

Keywords

Continuous monitoring; ISCM; information security; security; risk management

Control Families

Audit and Accountability; Assessment, Authorization and Monitoring; Configuration Management; Planning; Program Management; Risk Assessment

Documentation

Publication:
SP 800-137 (DOI)
Local Download

Supplemental Material:
Press Release (other)

Other Parts of this Publication:
SP 800-137A

Related NIST Publications:
White Paper NIST CSWP 3

Document History:
09/30/11: SP 800-137 (Final)

Topics

Security and Privacy
general security & privacy; planning; risk assessment

Laws and Regulations
Federal Information Security Modernization Act; OMB Circular A-130