NIST SP 800-137

The Center for Regulatory Effectiveness (CRE) has obtained, via FOIA request, Microsoft’s comments to NIST on the Initial Public Draft of their continuous monitoring guidance document, SP 800-137.

Microsoft’s comments include a request that NIST “Please clarify what the ‘organization-wide tools’ mentioned” on p. 21 of the draft with respect to continuous monitoring strategy at organizational Tiers 1 and 2.

Microsoft’s complete comments are attached below.  CRE will be releasing the SP 800-137 comments of additional private sector and federal agency stakeholders.

Microsoft_Comments_SP800-137

The presentations from NIST’s March 21st Continuous Monitoring Architecture Workshop are available at http://scap.nist.gov/events/2011/cm_workshop/presentations/.

CRE has received information that SP 800-137 has NOT been cancelled.  Subsequent action on the continuous monitoring guidance document (release of either a revised public draft or a final document) is expected by no later than the end of September, possibily

NIST’s revised Development Schedule for FISMA Implementation deleted all reference to SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.  The Initial Public Draft of SP 800-137 was released by NIST on December 16, 2010 with a comment period ending on March 15, 2011.

NIST’s previous revision to the Development Schedule cancelled a planned 2nd Public Draft of SP 800-137 but otherwise left its development intact.

NIST has not yet provided any indication of: 1) Why SP-800-137 was deleted from the Development Schedule; 2) what the revised schedule means for the fate of the guidance document; or 3) what the deletion of the document may mean for implementation of continuous monitoring requirements by federal agencies.

From: Government Security News

Like many GSN readers, I followed the story of the WikiLeaks security breach very closely. When the Web site was effectively shut down by Amazon.com’s Web servers, and then had its funding cut off by banking institutions, WikiLeaks supporters fought back — hacking into those businesses’ systems and denying them service. 

This cyber attack, sponsored by no single government but affecting scores of companies and citizens, should give every federal agency pause. In a world where even the founder of Facebook has his Facebook page hacked, cyber-security can often seem an uphill battle. What applications are safe to use? What information is really secure? Where do you draw the line?     

From: FierceGovernmentIT