NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations

This is a Hard copy of the NIST Special Publication 800-137, Information Security Continuous Monitoring For Federal Information Systems And Organizations. The Risk Management Framework (RMF) developed by NIST, t describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Ongoing monitoring is a critical part of that risk management process. In addition, an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and agencies must prioritize their efforts. Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Any effort or process intended to support ongoing monitoring of information security across an organization begins with leadership defining a comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people. This strategy: Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization; Includes metrics that provide meaningful indications of security status at all organizational tiers; Ensures continued effectiveness of all security controls; Verifies compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines; Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets; Ensures knowledge and control of changes to organizational systems and environments of operation; and Disclaimer This hardcopy is not published by National Institute of Standards and Technology (NIST), the US Government or US Department of Commerce. The publication of this document should not in any way imply any relationship or affiliation to the above named organizations and Government.