NIST IR 8011 Vol. 1 Rev. 1 (Initial Public Draft)

Testable Controls and Security Capabilities for Continuous Monitoring: Volume 1 — Overview and Methodology

Date Published: February 20, 2025
Comments Due: April 4, 2025
Email Comments to: 8011comments@list.nist.gov

Author(s)

Eduardo Takamura (NIST), Jeremy Licata (NIST)

Announcement

Summary

The NIST Risk Management Framework (RMF) Team has released the initial public draft (ipd) version of NIST Internal Report (IR) 8011v1r1 (Volume 1, Revision 1), Testable Controls and Security Capabilities for Continuous Monitoring: Volume 1 — Overview and Methodology.

We welcome your input and look forward to your comments by April 4, 2025. We encourage you to use this template to prepare your comments, which can be sent to 8011comments@list.nist.gov.

Details

IR 8011 provides a methodology for identifying testable controls – SP 800-53 controls that can be assessed and monitored using automatable tests – and for creating such tests in support of information security continuous monitoring. These testable controls are organized by continuous monitoring security capabilities, which are sets of controls with a common defense purpose.

Using a six-step adversarial attack model, the methodology breaks security capabilities down through levels of abstraction to identify smaller, targeted capabilities called sub-capabilities, which offer an optimal level of granularity for the development of control tests. These tests are created for controls that share common defense objectives and are grouped to support specific security capabilities for continuous monitoring.

Volume 1 introduces key terminology and foundational concepts, describes the methodology, and discusses conceptual operational considerations for a potential IR 8011 implementation. NIST uses these concepts and methodology to identify the sample control tests for security capabilities that are featured in subsequent volumes in the Series.

IR 8011v1r1 represents a major revision of the first and key volume in the multi-volume IR 8011 series. The NIST Risk Management Framework (RMF) Team welcomes feedback and input on any aspect of IR 8011v1r1 and additionally proposes a non-exhaustive list of questions and topics for consideration:

  • Have you or your organization ever implemented the IR 8011 methodology? If so, under what capacity (developer/adopter)?
  • Are you a developer of security or continuous monitoring tools that would be interested in incorporating the IR 8011 methodology into a solution?
  • Is the IR 8011 methodology sound, logical and actionable?
  • Is the language in this revision clear or is there any specific content that requires clarification?
  • Are there any additional conceptual implementation considerations that you would propose to be included in the final version of this guide?
  • If an IR 8011 community of interest is established in the future, would you be interested in participating? (If so, please leave contact information.)
  • What are opportunities for improvement?
  • Any other feedback on:
    • Updates to the IR 8011 methodology
    • Updates to the IR 8011 terminology and general language
    • Typos and errors

Following the feedback received on this call for comments, the NIST RMF Team plans to issue a final version of IR 8011v1r1. If major changes to the ipd are necessary, a final public draft may be issued for another round of public comment before the publication is finalized. The intent is to publish guidance that can help operationalize the IR 8011 methodology.

NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy: Inclusion of Patents in ITL Publications.

Abstract

Keywords

actual state; assessment; automated control testing; conceptual implementation; control; desired state specification; information security continuous monitoring; security capability; sub-capability test; testable control; assessment method; authorization boundary; automation; boundary; capability; completeness; continuous monitoring; continuous monitoring dashboard; control assessment; control baseline; control item; control testing; dashboard; data quality test; desired state; foundational test; local test; mitigation; ongoing assessment; ongoing authorization; privacy control; root cause analysis; security automation; security control; sensitivity; specificity; test; test boundary; test object; test plan; testable; timeliness

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.IR.8011v1r1.ipd

Supplemental Material:
Comment template (xlsx)
NIST Risk Management Framework

Document History:
02/20/25: IR 8011 Vol. 1 Rev. 1 (Draft)