Continuous Monitoring

Continuous monitoring (CM) is defined as determining the security impact of proposed or actual changes to the information system and its environment of operation (NIST, 2014). Information security continuous monitoring (ISCM) must continually evaluate risks to the information system; it involves detecting changes in threats and vulnerabilities and continuously assessing their impact (Dempsey et al., 2011).

The CM definition is specific to information system changes (typically system administrator and developer functions with respect to an information system, with countermeasures drawn from the configuration management family). ISCM is generally applicable to vulnerabilities and threats, mitigated by all families of controls in NIST SP 800-53 (18 security control families and eight privacy control families). The two definitions are complementary rather than conflicting (NIST, 2013).

A CM strategy should include periodic as well as real-time monitoring of selected controls across all families, as appropriate to the management of risks to the information system, business operations, and the organization. For instance, in federal systems, the authorizing official (AO) accepts the CM strategy as part of the system security plan, and the organization then implements and assesses the controls identified.

An issue with CM is responding to risk changes with control assessments and control changes in a correspondingly continuous way, because the risk management framework (RMF) authorization process typically requires reporting, analysis, and approval, sometimes by a team of organization officials. This precludes real-time responses and burdens even responses scheduled on a periodic basis. Expected delay times and the effort of assessment and risk remediation must therefore be treated as costs or constraints in the analysis.

Fortunately, several controls incorporate real-time or periodic changes in their definition and so escape the RMF authorization bottleneck. Examples include IP address filtering (whitelisting), auditing (AU-5, response to audit processing failures; AU-14, session audit) (NIST, n.d.), and alerting (SI-3, malicious code protection; SI-4, information system monitoring) (NIST, 2013) for file exfiltration and malicious code.

Security information and event management (SIEM) technologies implemented under the SI-3 and SI-4 controls can detect processor use trends and, through policy conformance violations, perhaps insider threats, but the response will likely require AO intervention. The same holds for email threats (all variants of phishing) and advanced persistent threats, which are detectable but cannot generally be mitigated in an automated process.
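The split the essay draws, between findings a control can act on immediately and findings that only raise a flag for the AO, can be made concrete in a small triage routine. The following is an added example, not code from the essay or from any NIST publication; the event format, the allowlist, the CPU threshold and the `IP-filter` label are assumptions made for the example, and the sample event lines are constructed. Only AU-5, SI-3 and SI-4 are real SP 800-53 identifiers, taken from the text above.

```python
"""Toy ISCM triage over constructed event records.

Findings that map to a control permitting an automated response
(IP allowlist enforcement, AU-5 audit-failure alerting, SI-3 malware
quarantine) are separated from findings that are detectable under SI-4
but require authorizing-official (AO) review (processor-use trends,
policy conformance violations).
"""
from dataclasses import dataclass
import ipaddress

# Constructed sample events; the key=value layout is an assumption.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z host=web1 type=conn src=203.0.113.7 action=login",
    "2024-05-01T10:00:05Z host=web1 type=conn src=10.0.0.5 action=login",
    "2024-05-01T10:01:00Z host=web1 type=audit status=write_failed",
    "2024-05-01T10:02:00Z host=db1 type=cpu pct=40",
    "2024-05-01T10:03:00Z host=db1 type=cpu pct=70",
    "2024-05-01T10:04:00Z host=db1 type=cpu pct=95",
    "2024-05-01T10:05:00Z host=ws9 type=av verdict=malicious file=invoice.exe",
    "2024-05-01T10:06:00Z host=ws9 type=policy rule=usb_storage result=violation user=jdoe",
]

# Assumed allowlist of internal source networks (whitelisting in the essay's terms).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Finding:
    control: str      # "IP-filter" is an illustrative label; AU-5/SI-3/SI-4 are from the text
    host: str
    detail: str
    automated: bool   # True: the control itself permits an immediate response


def parse(line):
    """Split one event line into a dict of fields plus its timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def evaluate(lines, cpu_threshold=90, trend_window=3):
    """Run the per-control checks over event lines and return the findings."""
    findings = []
    cpu_hist = {}  # host -> list of recent CPU percentages
    for ev in map(parse, lines):
        kind, host = ev["type"], ev["host"]
        if kind == "conn":
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in ALLOWED_NETS):
                findings.append(Finding("IP-filter", host, f"blocked {src}", True))
        elif kind == "audit" and ev.get("status") == "write_failed":
            # AU-5: audit processing failure is alerted on without AO approval.
            findings.append(Finding("AU-5", host, "audit processing failure", True))
        elif kind == "cpu":
            hist = cpu_hist.setdefault(host, [])
            hist.append(int(ev["pct"]))
            recent = hist[-trend_window:]
            rising = len(recent) == trend_window and all(
                a < b for a, b in zip(recent, recent[1:]))
            if rising and recent[-1] >= cpu_threshold:
                # SI-4: a processor-use trend is detectable but not auto-mitigated.
                findings.append(Finding("SI-4", host, f"rising CPU trend {recent}", False))
        elif kind == "av" and ev.get("verdict") == "malicious":
            # SI-3: malicious code protection quarantines on detection.
            findings.append(Finding("SI-3", host, f"quarantine {ev['file']}", True))
        elif kind == "policy" and ev.get("result") == "violation":
            # SI-4: policy conformance violation, possible insider threat, AO review.
            findings.append(Finding("SI-4", host,
                                    f"policy {ev['rule']} violated by {ev['user']}", False))
    return findings


def triage(findings):
    """Partition findings into (automated responses, items queued for the AO)."""
    auto = [f for f in findings if f.automated]
    ao_queue = [f for f in findings if not f.automated]
    return auto, ao_queue


if __name__ == "__main__":
    auto, ao_queue = triage(evaluate(SAMPLE_EVENTS))
    for f in auto:
        print("AUTO  ", f.control, f.host, f.detail)
    for f in ao_queue:
        print("AO    ", f.control, f.host, f.detail)
```

Running it on the constructed events yields three automated responses (one blocked source address, one AU-5 alert, one SI-3 quarantine) and two items queued for the AO (the rising CPU trend on `db1` and the USB policy violation on `ws9`). The point of keeping `automated` on the finding rather than in the alerting layer is that the expected AO delay the essay describes can then be attached to exactly the findings that incur it.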

References

Dempsey, K., Chawla, N. S., Johnson, A., Johnston, R., Jones, A. C., Orebaugh, A., Scholl, M., & Stine, K. (2011, September). Special publication 800-137: Information security continuous monitoring (ISCM) for federal information systems and organizations. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-137

National Institute of Standards and Technology (NIST). (n.d.). Assessment cases. Computer Security Resource Center. http://csrc.nist.gov/groups/SMA/fisma/assessment-cases.html

National Institute of Standards and Technology (NIST). (2013). Special publication 800-53A, Revision 4: Assessing security and privacy controls in federal information systems and organizations. http://dx.doi.org/10.6028/NIST.SP.800-53Ar4

National Institute of Standards and Technology (NIST). (2014). Special publication 800-37, Revision 1: Guide for applying the risk management framework to federal information systems. http://dx.doi.org/10.6028/NIST.SP.800-37r1