NIST Draft Guidance for Monitoring IT System Security

Thursday, January 26, 2012

NIST Publishes Draft Implementation Guidance for Continuously Monitoring an Organization's IT System Security

Three new draft reports published by the National Institute of Standards and Technology (NIST) are designed to help both public and private organizations improve the security of their information management systems by developing capabilities for continuous monitoring of security. Comments are requested on the drafts.

For many organizations, information is one of their most valuable assets. Over the past decade, the IT security world has been moving ever closer to implementing diverse sets of security tools that enable tracking the security of enterprise-wide computer systems.

"Organizations need to have 'situational awareness' over their information systems and to understand their security posture in a constantly evolving IT environment," explains NIST computer scientist David Waltermire. This requires an organization to have a dynamic process to identify and respond to new vulnerabilities and developing threats.

"Some organizations are already adopting continuous monitoring programs and acquiring tools to help," Waltermire said, "but there is little technical guidance on implementing a standardized approach. That is the goal of these three new publications."

The first of the three drafts, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model (NIST Interagency Report 7756 Second Public Draft) (available at http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-NISTIR-7756_second-public-draft.pdf), provides a reference model for organizations to collect data from across a diverse set of security tools, analyze the data, score the data, enable user queries and provide overall situational awareness.

The model is designed so organizations can meet these goals by leveraging their existing security tool investments and avoiding designing and paying for custom solutions. It was developed using the Department of Homeland Security (DHS) continuous monitoring framework named Continuous Asset Evaluation, Situational Awareness, and Risk Scoring architecture (CAESARS) as a starting point.

"Organizations are already using CAESARS, but the architecture lacked specific requirements enabling product interoperability and interorganizational information sharing between different systems within the enterprise environment," Waltermire said.

The second document, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications (NISTIR 7799) (available at http://csrc.nist.gov/publications/drafts/nistir-7799/Draft-NISTIR-7799.pdf), provides the technical specifications for the continuous monitoring reference model presented in NISTIR 7756 with enough specificity to enable instrumentation of existing products and development of new capabilities by vendors. The specifications in NISTIR 7799 define an ecosystem in which a variety of interoperable products can be combined into a continuous monitoring solution.

The third document, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration and Vulnerability Management Domains (NISTIR 7800) (available at http://csrc.nist.gov/publications/drafts/nistir-7800/Draft-NISTIR-7800.pdf), augments the reference model with guidance on addressing these specific areas. It does this by leveraging the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability-scan content, and it recommends reporting results in an SCAP-compliant format.

NIST is asking for public comment on the three draft publications. Please send comments to fe-comments@nist.gov by February 17. For clarity, please be sure to note which publication is the subject of your comments.

Two earlier publications provide roots for continuous monitoring. NIST's Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (Special Publication 800-137), published in September 2011, was written to help organizations apply NIST's Risk Management Framework* to understand their security posture against threats and vulnerabilities and to determine how effectively their security controls are working.

An Office of Management and Budget (OMB) memorandum (M-11-33)** emphasizes monitoring the security state of information systems on an ongoing basis to enable ongoing, risk-based decisions.

The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce.

* Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST SP 800-37 Rev. 1) can be found at http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.

** OMB memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, is available at http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-33.pdf.

Source:  http://www.nist.gov/itl/csd/monitoring-012412.cfm
