
NIST SP 800-137A (Initial Public Draft)

Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

Date Published: January 2020
Comments Due: February 28, 2020 (public comment period is CLOSED)
Email Questions to:


Authors: Kelley Dempsey (NIST), Victoria Pillitteri (NIST), Chad Baer (CISA), Robert Niemeyer (MITRE), Ron Rudman (MITRE), Susan Urban (MITRE)


Federal agencies, under the Federal Information Security Modernization Act of 2014 (FISMA) and Office of Management and Budget (OMB) circulars and memoranda, are directed to implement a program to continuously monitor organizational information security status. A comprehensive continuous monitoring program serves as a risk management and decision support tool used at each level of an organization. Strategies and business objectives at the organizational level direct activities needed at the mission and business level, and direct system level functions and implemented technologies in support of continuous monitoring. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, provides guidance on ISCM program development.

Draft NIST Special Publication (SP) 800-137A describes an approach for the development of Information Security Continuous Monitoring (ISCM) program assessments that can be used to evaluate ISCM programs that were developed in accordance with NIST SP 800-137. An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization's ISCM program, to include review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data. The ISCM assessment approach can be used as presented or as the starting point for an organization-specific methodology. It includes example evaluation criteria and assessment procedures that can be applied to organizations.

We are seeking comments on both the draft publication and element catalog (see "Supplemental Material"); we encourage reviewers to use the comment template for submitting comments by the February 28, 2020 deadline.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



Keywords: assessment; assessment element; assessment methodology; assessment procedure; continuous monitoring; information security continuous monitoring; ISCM program; ISCM program assessment
Control Families

None selected