GovDefenders Wednesdays: Continuous Monitoring is not like a Mobius Strip: How to get in the Loop
GovDefenders Wednesdays is a weekly written by Van Ristau, DLT Solutions’ Chief Technology Officer. Throughout the month, he’ll explore the world of public sector cybersecurity; introducing concepts, offering opinions, providing resources, and identifying ways to protect your agency. Follow Van at @VanRistau for additional news.
If you are new to the topic of continuous monitoring (CM), don’t despair. By taking an evening or two to review the resources below, I’m sure that you will begin to understand the rationale for CM in its cybersecurity context and be ready to begin formulating your own implementation plan.
NIST Special Publication 800-137 (SP 800-137) Information Security Continuous Monitoring for Federal Information Systems and Organizations
Published in September 2011, this document describes the CM process and identifies it as a critical element of the Risk Management Framework (RMF) developed by NIST. The goal of the RMF is to ensure that information security and risk management activities are integrated with the system development life cycle.
NIST IR 7800 Jan. 20, 2012 DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains
NIST is an internal report that addresses asset management, Configuration, and Vulnerability data, leveraging the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content.
FedRAMP Continuous Monitoring Strategy Guide
A resource specifically focused on CM for cloud services. It has been developed to support the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program with an approved, consistent approach to security assessment, authorization, and continuous monitoring for cloud services.
Solutions for Federal Government
Our vendor partner Symantec has been a leader in the development of solutions for Continuous Monitoring. DLT Solutions has current, relevant experience implementing continuous monitoring within the Federal Government. Take a look at Symantec’s Solutions for Federal Government web site. Specifically, focus on the following resource links on that page:
SANS Institute
Last, but certainly not least, on the SANS Institute website you will find many webcasts on the topic of Continuous Monitoring. SANS has been one of the key leaders in information security education for several decades.