From: NIST
Announcing Comment Period for NISTIR 8170, DRAFT The Cybersecurity Framework: Implementation Guidance for Federal Agencies
Email comments to: nistir8170@nist.gov (Subject: “Comments on Draft NISTIR 8170”) Comments due by: June 30, 2017
Further, aggregating essential information from Security Assessment Reports (SARs), Plans of Action and Milestones (POA&Ms), and System Security Plans (SSPs) enables security Authorization decisions through continuous monitoring. Security control assessments, remediation actions, and key updates to the SARs, POA&Ms, and SSPs for the system at hand can be considered in the context of the organization’s aggregate risk. The risk register is also curated using the ongoing risk changes tracked through Risk Management Framework (RMF) Monitor activities. The risk register is a tool that helps the Authorizing Official (AO) understand whether accepting the system risk will drive overall risk beyond organizational tolerance. Organizing the risk register according to the language of the Core also enables a larger group of people to participate in and inform the Authorization decision. In particular, the understandable language of the Functions and Categories of the Core enables non-cybersecurity experts to participate.
***
SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, supports the ongoing monitoring of security controls and the security state of systems. SP 800-137 provides guidance on developing an agency-wide information security continuous monitoring (ISCM) strategy and implementing an ISCM program. An ISCM program assists federal agencies in making informed risk management decisions by providing ongoing awareness of threats, vulnerabilities, and security control effectiveness.