NIST SP 800-137

From: Fierce Government IT

NIST, in conjunction with DHS, has developed an “enterprise continuous monitoring technical reference architecture that extends the framework provided by the DHS Federal Network Security CAESARS [Continuous Asset Evaluation, Situational Awareness and Risk Scoring] architecture.” The document’s goal “is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.”

DHS developed their Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) Reference Architecture Report in response to an OMB memo directing DHS, State, Treasury and Justice “to evaluate their continuous monitoring (CM) best practices and scale them across the government.”

The Office of Management and Budget is using the budget process to force agencies to implement software that continuously monitors their networks.

The OMB gave agency chief information officers (CIOs) until the end of fiscal 2012 to install the monitoring software, according a report by Federal News Radio 1500 AM.

The deadline was contained in a guidance sent to CIOs by federal CIO Vivek Kundra as part of the 2012 budget request, the report said.

In addition, OMB instructed agencies to use the CyberScope tool to submit reports on compliance with the Federal Information Security Management Act (FISMA) by Sept. 30, 2011. The OMB had originally given federal agencies until Nov. 15, 2010, to implement CyberScope.

In its new report, Cybersecurity Two Years Later, the Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th Presidency discusses the important security role of continuous monitoring in the context of the emergence of cloud computing.

We are in another technological transition, moving to automated services and “cloud” computing, where we will depend on networks for essential services. Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense. Much of the burden of security will shift from consumers and businesses to service providers that may be better equipped to meet advanced challenges. The move to the cloud is not a silver bullet that will solve all cybersecurity problems, but it is part of a larger move to a more mature infrastructure that includes the automation of security practices and monitoring—such as the Security Content Automation Protocol (SCAP)—particularly if we find a better way for service providers to work more effectively with government agencies.