NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

• Assists organizations in the development of a continuous monitoring strategy and the implementation of a continuous monitoring program to providE visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls.
• ISCM provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance as well as the information needed to respond to risk in a timely manner should observations indicate that the controls are inadequate.

NIST SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

• An approach for the development of ISCM program assessments that can be used to evaluate ISCM programs.
• An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization’s ISCM program, including the review of ISCM strategies, policies, procedures, operations, and analysis of continuous monitoring data.

NISTIR 8212, ISCMA: An Information Security Continuous Monitoring (ISCM) Program Assessment

• An example methodology for assessing an organization’s ISCM program and reference implementation tool that is directly usable for conducting an ISCM assessment.

NISTIR 8011, Automation Support for Security Control Assessments: Multiple Volumes

• A series of publications to support automated assessment of most of the security controls in NIST SP 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed.
• For effective automated assessment, testable defect checks are defined that bridge the determination statement to the broader security capabilities to be achieved and to the SP 800-53 security control items.
• Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).

NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

• Guidelines for building effective assessment plans, detailing the process for conducing control assessments, and a comprehensive set of procedures for assessing the effectiveness of the SP 800-53 controls.
• The assessment procedures are used as a starting point for and as input to the assessment plan.