Federal agencies, under the Federal Information Security Modernization Act of 2014 (FISMA) and Office of Management and Budget (OMB) circulars and memoranda, are directed to implement a program to continuously monitor organizational information security status. A comprehensive continuous monitoring program serves as a risk management and decision support tool used at each level of an organization. Strategies and business objectives at the organizational level direct activities needed at the mission and business level, and direct system level functions and implemented technologies in support of continuous monitoring. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, provides guidance on ISCM program development.

Draft NIST Special Publication (SP) 800-137A describes an approach for the development of Information Security Continuous Monitoring (ISCM) program assessments that can be used to evaluate ISCM programs that were developed in accordance with NIST SP 800-137. An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization's ISCM program, to include review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data. The ISCM assessment approach can be used as presented or as the starting point for an organization-specific methodology. It includes example evaluation criteria and assessment procedures that can be applied to organizations.

A public comment period for this document is open through February 28, 2020. See the publication details for a copy of the draft publication, Element Catalog (spreadsheet), and instructions for submitting comments—preferably using the comment template provided.

NOTE: A call for patent claims is included on page iv of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.