NIST 800-53A – 3rd draft available

The third draft of NIST 800-53A, published June 2007 (here), includes guidance on SCM, which I have been evangelizing lately (here), (here), and (here).


Conducting a thorough point-in-time assessment of the security controls in an organizational information system is a necessary, but not sufficient condition to demonstrate security due diligence. Effective information security programs should also include an aggressive continuous monitoring program to check the status of the security controls in the information systems on an ongoing basis. The ultimate objective of the continuous monitoring program is to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates. Continuous monitoring, the fourth phase in the security certification and accreditation process, is a proven technique to address the security impacts on information systems resulting from changes to hardware, software, firmware, or operational environment. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to appropriate organizational officials in order to take appropriate risk mitigation actions and make credible, risk-based authorization decisions regarding the operation of the information system. Continuous monitoring programs provide organizations with an effective tool for producing ongoing updates to information system security plans, security assessment reports, and POAMs. An effective continuous monitoring program requires:

  • Configuration management and control processes for the information system;
  • Security impact analysis of changes to the information system;
  • Assessment of selected security controls in the information system; and
  • Security status reporting to appropriate agency officials
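The four requirements above form one loop: detect configuration change, work out which controls the change affects, re-assess only those controls, and report status. The script below is an added illustration of that loop, not code from the post, from NIST, or from any product; the baseline settings and daily snapshots are constructed, and the mapping from each setting to the 800-53 controls it supports is an assumption made for the example (the control identifiers are real 800-53 controls, the mapping is not prescribed anywhere). It also handles the case the loop otherwise misses: a control that failed earlier must be re-assessed even when the latest snapshot shows no new change, or it never returns to "satisfied".

```python
"""Toy continuous-monitoring loop over configuration snapshots (added example)."""

# Constructed baseline of expected settings on one system (illustrative values).
BASELINE = {
    "ssh.password_authentication": "no",
    "audit.enabled": "yes",
    "firewall.default_inbound": "deny",
    "tls.min_version": "1.2",
}

# Assumed mapping from each setting to the 800-53 controls it helps satisfy.
# Illustrative only: neither the page nor NIST prescribes this mapping.
CONTROL_MAP = {
    "ssh.password_authentication": ("IA-2", "AC-17"),
    "audit.enabled": ("AU-2", "AU-12"),
    "firewall.default_inbound": ("SC-7",),
    "tls.min_version": ("SC-8",),
}

# Constructed snapshots: day 0 clean, day 1 password auth re-enabled,
# day 2 auditing also switched off, day 3 both findings remediated.
SNAPSHOTS = [
    dict(BASELINE),
    {**BASELINE, "ssh.password_authentication": "yes"},
    {**BASELINE, "ssh.password_authentication": "yes", "audit.enabled": "no"},
    dict(BASELINE),
]


def detect_changes(baseline, observed):
    """Configuration management step: settings whose observed value differs
    from the baseline. A setting missing from the snapshot counts as changed."""
    return {
        key: (expected, observed.get(key))
        for key, expected in baseline.items()
        if observed.get(key) != expected
    }


def impacted_controls(changes, control_map=CONTROL_MAP):
    """Security impact analysis: the controls touched by the changed settings."""
    return sorted({ctl for key in changes for ctl in control_map.get(key, ())})


def assess_controls(observed, controls, baseline=BASELINE, control_map=CONTROL_MAP):
    """Assess only the selected controls. A control is 'satisfied' when every
    setting mapped to it matches the baseline, otherwise 'other than satisfied'
    (the finding vocabulary 800-53A uses)."""
    findings = {}
    for ctl in controls:
        keys = [k for k, ctls in control_map.items() if ctl in ctls]
        ok = all(observed.get(k) == baseline[k] for k in keys)
        findings[ctl] = "satisfied" if ok else "other than satisfied"
    return findings


def monitor(snapshots, baseline=BASELINE, control_map=CONTROL_MAP, alert_threshold=2):
    """Run the loop over successive snapshots and return one status report per
    snapshot: changes seen, controls re-assessed, control status, the POA&M
    list (controls other than satisfied) and a threshold alert flag."""
    all_controls = sorted({c for ctls in control_map.values() for c in ctls})
    status = {}
    history = []
    for snap in snapshots:
        changes = detect_changes(baseline, snap)
        if not history:
            # First pass is the point-in-time assessment: every control is assessed.
            selected = all_controls
        else:
            # Ongoing passes assess the impacted controls plus any still open
            # finding, so a remediated setting can close its POA&M item.
            open_findings = {c for c, s in status.items() if s != "satisfied"}
            selected = sorted(set(impacted_controls(changes, control_map)) | open_findings)
        status.update(assess_controls(snap, selected, baseline, control_map))
        failed = sorted(c for c, s in status.items() if s != "satisfied")
        history.append({
            "changes": changes,
            "reassessed": selected,
            "status": dict(status),
            "poam": failed,
            "alert": len(failed) >= alert_threshold,
        })
    return history


if __name__ == "__main__":
    for day, report in enumerate(monitor(SNAPSHOTS)):
        print(f"day {day}: changed={sorted(report['changes'])} "
              f"reassessed={report['reassessed']} poam={report['poam']} alert={report['alert']}")
```

The alert threshold stands in for the "threshold alerting" kind of automated response: here it fires when two or more controls are open at once, which is a constructed policy value rather than anything the page specifies.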

If only there were a company that provided continuous monitoring of security controls, one that was able to continuously discover, assess, remediate and enforce the health and security of computing devices in real time and at enterprise scale (here). Oh wait, I am the CTO of such a company.

3 thoughts on “NIST 800-53A – 3rd draft available”

  1. Does “continuous monitoring” mean that if our operations are 24/365 that the monitoring should be staffed 24/365?

  2. Yes and no – continuous monitoring doesn’t mean that someone has to physically be sitting in “lean forward” mode in a state of cat-like readiness staring at a screen all night, but that the organization can show that its ability to respond to operational failures or security incidents is not limited or bounded by time. This can be accomplished through staffing; it can also be accomplished through automated response controls and threshold alerting, etc.
