Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8212 (Initial Public Draft)

ISCMA: An Information Security Continuous Monitoring Program Assessment

Date Published: October 2020
Comments Due: November 13, 2020 (public comment period is CLOSED)
Email Questions to:


Kelley Dempsey (NIST), Victoria Pillitteri (NIST), Chad Baer (DHS), Ron Rudman (MITRE), Robert Niemeyer (MITRE), Susan Urban (MITRE)


Draft NIST Interagency Report (NISTIR) 8212 provides an operational approach to the assessment of an organization's information security continuous monitoring (ISCM) program.  The ISCM assessment (ISCMA) approach is consistent with the ISCM Program Assessment, as described in NIST SP 800-137A, Assessing ISCM Programs: Developing an ISCM Program Assessment.  The ISCMA process proceeds according to the following five steps:

  1. Plan the approach
  2. Evaluate the elements
  3. Score the judgments
  4. Analyze the results
  5. Formulate actions

Included with the ISCMA approach in this report is ISCMAx, a free, publicly-available working implementation of ISCMA that can be tailored to fit the needs of the implementing organization. ISCMAx produces a detailed scorecard, associated graphical output, and identifies conditions that may warrant further analysis. The ISCMAx tool is a Microsoft Excel application and can be used in the Windows operating system; it does not run on the Macintosh operating system. NISTIR 8212 provides complete instructions for both using ISCMAx as provided, and for tailoring ISCMAx, if desired.

See the Supplemental Material on this page for two ISCMAx tool macro-enabled spreadsheets, for Recommended Judgments and Alternate Judgments. For instructions on how to use those workbooks, please refer to Sections 3, 4, and 5 of Draft NISTIR 8212.

We encourage you to use the comment template for organizing and submitting your comments.

NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



assessment; continuous monitoring; information security continuous monitoring; information security continuous monitoring assessment; ISCM; ISCMA; ISCMAx
Control Families

None selected