Saturday, October 8, 2011

NIST: Continuous Monitoring Guidance Issued

NIST: Also Revises SCAP Special Publication

NIST made public its guidance on how best to employ continuous monitoring to assure the security of information and information systems.

Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, describes how to define an information security continuous monitoring strategy and establish an information security continuous monitoring program.

The National Institute of Standards and Technology said the purpose of the guideline is to assist organizations in developing a continuous monitoring strategy and implementing a program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and information about the effectiveness of deployed security controls.

According to the publication, the strategy:
  • Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization.
  • Includes metrics that provide meaningful indications of security status at all organizational tiers.
  • Ensures continued effectiveness of all security controls.
  • Verifies compliance with legislation, directives, regulations, policies and standards/guidelines.
  • Is informed by all organizational IT assets and helps to maintain visibility into the security of those assets.
  • Ensures knowledge and control of changes to organizational systems and environments of operation.
  • Maintains awareness of threats and vulnerabilities.

NIST also unveiled the final release of SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol: SCAP Version 1.2.

SCAP consists of a suite of specifications for standardizing the format and nomenclature in which software flaw and security configuration information is communicated, both to machines and to humans. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications.

Major changes in version 1.2 include the addition of the Asset Reporting Format (ARF), Asset Identification (AI), the Common Configuration Scoring System (CCSS), and the Trust Model for Security Automation Data (TMSAD), which provides support for digitally signing SCAP source and result content.
