«

»

Jan
19

NIST Continuous Monitoring Technical Reference Architecture Drafts Posted

From: NIST

Community Members,

I am pleased to announce the posting of three NIST Interagency Reports (NISTIRs) pertaining to continuous monitoring.  These documents contain information that was presented during a series of conference calls late last year and at the 7th Annual IT Security Automation Conference in November, 2011.

The first document, the second public draft of NISTIR 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture, presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.

The second document, draft NISTIR 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications, provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.

The last document, draft NISTIR 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains, binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.

NIST requests comments on draft NISTIRs 7756, 7799 and 7800 by February 17th, 2012. Please send all comments to fe-comments@nist.gov.

The drafts can be accessed at:

http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7756

http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7799

http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7800

Leave a Reply

Please Answer: *