The public is taking an increasing interest in ensuring that IT assets of federal agencies are protected from cybersecurity attacks. FISMA is addressing this concern, in part, by initiating a standard setting process for continuous monitoring.
The actions taken by NIST for the federal sector could have a very significant impact on the private sector because pending legislation would provide the federal government with the authority to mandate cybesecurity measures on the private sector.
The National Telecommunications and Information Administration (NTIA) recently issued a Notice of Inquiry to solicit the views of the public on the impacts of mandating public sector cyber controls on the private sector; please see this post .
It is important to note that NTIA made all of the comments it received in response to the NOI available to the public. It is essential that the public be able to review the comments of others in order that they benefit from the considered opinions of others.
CRE has notified NIST in the attached letter that NIST should also release for review by the public all comments that it receives in a response to a request for comments related to the development of continuous monitoring standards.
I think the important thing is to comply with the intent of the compliance regulations, and not just the letter. Continuous monitoring is vital for maintaining a secure and effective enterprise, not just for keeping the auditors happy.