NIST SP 800-137

Editors Note: The public is encouraged to raise any questions they have regarding the content of the NIST guidance in this Interactive Public Docket so others might share their views in preparation of comments to NIST.

NIST has published the Initial Public Draft of Special Publication 800-137 “Information Security Continuous Monitoring for Federal Information Systems and Organizations.”

NIST’s Notice is below and the draft document is attached.

DRAFT Information Security Continuous Monitoring for Federal Information Systems and Organizations

December 21, 2010 marks the tenth anniversary of the Data Quality Act (DQA), also known as the Information Quality Act, 44 U.S.C § 3516, note.

The DQA has deep roots developed over nearly a half-century as the result of a seed planted during the Johnson Administration which germinated in the Nixon Administration, was watered by the Carter Administration and whose product was harvested by the Reagan Administration, made available to the public in the Bush I Administration and subsequently enhanced by the Clinton Administration and promoted by the Bush II and Obama Administrations. See: http://thecre.com/ombpapers/SystemsAnalysisGroup.htm and http://thecre.com/quality/20010924_fedinfotriangle.html

The Department of Homeland Security is solicity information regarding continuous monitoring capabilities. Specifically, DHS “is performing market research to determine industry interest and capabilities for information security continuous monitoring solutions.” The request for information is not a “request for proposal and in no way commits the Government to award a contract.”

DHS states that “Solutions must define and operate in a near real-time manner” and “must be capable of being implemented across a range of computing environments” including “geographically diverse networks” and “disconnected computing assets…that are disconnected from an agency’s enterprise even though the agency has to account for them (e.g. laptops, mobile devices)….”