Monday, January 13, 2020

CYBR 650 - Blog 4 - NIST SP 800-137A DRAFT Released


BLOG 3 – NIST 800-137A DRAFT – Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

The most significant change from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to the Risk Management Framework (RMF) is the ability to keep a system continually authorized after successfully implementing an Information Security Continuous Monitoring (ISCM) strategy.  Once approved in RMF Step 2, the ISCM strategy describes how the system owner intends to continuously implement, monitor and test the security controls approved by the authorizing official (AO).  Successfully demonstrating this should allow for continuous authorization of the system, with the expectation that all security-relevant changes have been addressed and that a current snapshot of the system is always available to auditors for testing and evaluation.
The National Institute of Standards and Technology (NIST) has published Special Publication 800-137A to help agencies meet Federal Information Security Modernization Act of 2014 (FISMA) requirements by describing an approach for evaluating ISCM programs against the intentions of the approved strategy.  This publication should not be confused with NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, which details how organizations should develop an ISCM strategy.  SP 800-137A instead details how the assessment of the ISCM program should be done in order to provide "organizational leadership with information on the effectiveness and completeness of the organization's ISCM program, to include review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data" (NIST, 2020).
At a high level, NIST SP 800-137A serves five distinct purposes:
1.      Offers guidance on the development of an ISCM program assessment process for all organizational risk management levels as defined in NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.
2.      Describes how an ISCM program assessment relates to important security concepts and processes, such as the NIST Risk Management Framework (RMF), organization-wide risk management levels, organizational governance, metrics applicable to ISCM, and ongoing authorization.
3.      Describes the properties of an effective ISCM program assessment.
4.      Presents a set of ISCM program assessment criteria, with references to the sources from which the criteria are derived, that can be adopted by an organization and used for ISCM program assessments or as a starting point for further development of the organization's own assessment criteria.
5.      Defines a way to conduct ISCM program assessments by using assessment procedures, defined in the companion document containing the ISCM Program Assessment Element Catalog, designed to produce a repeatable assessment process.
(NIST, 2020)

The assessment of the ISCM program helps determine the maturity and effectiveness, and consequently the health, of the cybersecurity program.  The publication frames the assessment around the six-step ISCM process defined in SP 800-137:
1.      Define ISCM Strategy
2.      Establish ISCM Program
3.      Implement ISCM Program
4.      Analyze ISCM Data and Report Findings
5.      Respond to ISCM Findings
6.      Review and Update ISCM Program and Strategy
 (NIST, 2020)

The assessment process outlined in this document rates the implementation of each of these steps to determine whether there is residual organizational risk not being addressed by the security controls reviewed during ISCM implementation.
Based on the criteria specified above, the publication then draws on a variety of sources to evaluate the program's ISCM strategy.  These sources include NIST publications, OMB Circulars, FISMA 2014, executive directives and even "Practitioner experience based on collective professional experience in ISCM, security engineering, network security, systems engineering and information technology" (NIST, 2020).
The publication finishes by helping the reader work through the more subjective parts of an evaluation: judgment values, evaluation criteria, assessment elements, evidence gathering and analysis, and when an assessment element should be judged Not Applicable.  The document concludes with instruction on reporting assessment results so as to convey residual operational program risk and how the assessment was performed.  Reporting is directed to program management, while the assessment itself is expected to be carried out by information security personnel.
This document provides great value to information security leadership and authorizing officials in baselining expectations for how ISCM programs should be implemented at the various organizational and system levels.  While lengthy, it lays out a structured approach to evaluating an ISCM program that combines objective benchmarks with subjective input to give the organization a realistic picture of the effectiveness of its ISCM strategy.

References:

National Institute of Standards and Technology. (2020, January). Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment (Draft NIST SP 800-137A). Retrieved January 13, 2020, from https://csrc.nist.gov/publications/detail/sp/800-137a/draft
