NIST SP 800-37r1dF Appendix G
MANAGING AND TRACKING THE SECURITY STATE OF INFORMATION SYSTEMS
A critical aspect of managing risk from information systems involves the continuous monitoring of the security controls employed within or inherited by the system. Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. An effective organizational information security program also includes a rigorous continuous monitoring program integrated into the system development life cycle. The objective of the continuous monitoring program is to determine if the set of deployed security controls continues to be effective over time in light of the inevitable changes that occur. Continuous monitoring is a proven technique to address the security impacts on an information system resulting from changes to the hardware, software, firmware, or operational environment. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make credible, risk-based decisions regarding the operation of the information system. Continuous monitoring programs provide organizations with an effective mechanism to update security plans, security assessment reports, and plans of action and milestones.
G.1 MONITORING STRATEGY
Organizations develop a strategy and implement a program for the continuous monitoring of security control effectiveness including the potential need to change or supplement the control set, taking into account any proposed/actual changes to the information system or its environment of operation. The monitoring program is integrated into the organization's system development life cycle processes. A robust continuous monitoring program requires the active involvement of information system owners and common control providers, chief information officers, senior information security officers, and authorizing officials. The monitoring program allows an organization to: (i) track the security state of an information system on a continuous basis; and (ii) maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and represents a significant change in the way security authorization activities have been employed in the past.
An effective organization-wide continuous monitoring program includes:
- Configuration management and control processes for organizational information systems;
- Security impact analyses on actual or proposed changes to organizational information systems and environments of operation;
- Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy;
- Security status reporting to appropriate organizational officials; and
- Active involvement by authorizing officials in the ongoing management of information system-related security risks.
With regard to configuration management and control, it is important to document the proposed or actual changes to the information system and its environment of operation and to subsequently determine the impact of those proposed or actual changes on the overall security state of the system. Information systems and the environments in which those systems operate are typically in a constant state of change (e.g., upgrading hardware, software, or firmware; redefining the missions and business processes of the organization; discovering new threats). Documenting information system changes as part of routine SDLC processes and assessing the potential impact those changes may have on the security state of the system is an essential aspect of continuous monitoring, maintaining the current authorization, and supporting a decision for reauthorization when appropriate.
G.2 SELECTION OF SECURITY CONTROLS FOR MONITORING
The criteria for selecting which security controls to monitor and for determining the frequency of such monitoring are established by the information system owner or common control provider in collaboration with the authorizing official or designated representative, chief information officer, senior information security officer, and risk executive (function). The selection criteria reflect the organization's priorities and importance of the information system (or in the case of common controls, the information systems inheriting the controls) to organizational operations and assets, individuals, other organizations, and the Nation in accordance with FIPS 199 or CNSS Instruction 1253. Organizations may use recent risk assessments (including current threat and vulnerability information), history of cyber attacks, results of previous security assessments, and operational requirements in guiding the selection of security controls to be monitored and the frequency of the monitoring process.
Priority for security control monitoring is given to the controls that have the greatest volatility and the controls that have been identified in the organization's plan of action and milestones. Security control volatility is a measure of how frequently a control is likely to change over time subsequent to its implementation. For example, security policies and procedures in a particular organization may not be likely to change from one year to the next and thus would likely be security controls with lower volatility. Access controls or other (technical) security controls that are subject to the direct effects or side effects of frequent changes in hardware, software, and/or firmware components of an information system would, therefore, likely be controls with higher volatility. Security controls identified in the plan of action and milestones are also a priority in the continuous monitoring process, due to the fact that these controls have been deemed to be ineffective to some degree. Organizations also consider specific threat information including known attack vectors (i.e., specific vulnerabilities exploited by threat sources) when selecting the set of security controls to monitor and the frequency of such monitoring. The authorizing official and the senior information security officer approve the set of security controls that are to be monitored on an ongoing basis as well as the frequency of the monitoring activities.
G.3 CRITICAL DOCUMENT UPDATES AND STATUS REPORTING
Continuous monitoring results are considered with respect to any necessary updates to the security plan, security assessment report, and plan of action and milestones, since these documents are used to guide future risk management activities. Updated security plans reflect any modifications to security controls based on the risk mitigation activities carried out by information system owners or common control providers. Updated security assessment reports reflect additional assessment activities conducted by assessors to determine security control effectiveness based on modifications to the security plan and deployed controls. Updated plans of action and milestones: (i) report progress made on the current outstanding items listed in the plan; (ii) address vulnerabilities discovered during the security impact analysis or security control monitoring; and (iii) describe how the information system owner or common control provider intends to address those vulnerabilities. The results of monitoring activities are reported to authorizing officials on an ongoing basis in the form of status reports. Other key organizational officials (e.g., risk executive [function], senior information security officer) receive the results of continuous monitoring activities as needed or as requested. With the use of automated support tools and effective organization-wide security program management practices, authorizing officials have the capability to access the most recent documentation in the authorization package at any time to determine the current security state of the information system, to help manage risk, and to provide essential information for potential reauthorization decisions. The monitoring of security controls and changes to the information system and its environment of operation continues throughout the system development life cycle. Summaries of monitoring results are provided to the senior information security officer and the risk executive (function).
- A continuous monitoring program within an organization involves a different set of activities than Security Incident Monitoring or Security Event Monitoring programs.
- Near real-time risk management of information systems can be facilitated by employing automated support tools to execute various steps in the RMF including authorization-related activities. In addition to vulnerability scanning tools, system and network monitoring tools, and other automated support tools that can help to determine the security state of an information system, organizations can employ automated security management and reporting tools to update critical documents in the authorization package including the security plan, security assessment report, and plan of action and milestones. The documents in the authorization package are considered "living documents" and updated accordingly based on actual events that may affect the security of the information system. Transitioning to a near real-time risk management environment will require the increased use of automated support tools over time as organizations integrate these technologies into their information security programs in accordance with available resources.
- Although the primary focus of continuous monitoring activities is on the effectiveness of security controls employed within and inherited by an information system, there are other equally important external factors in the environment of operation for a system that also require monitoring on an ongoing basis. These factors include, for example, changes in the organization's missions or business processes, changes in the threat space, and changes in tolerance for previously accepted risks.
- Through the use of automation, it is possible to monitor a greater number of security controls on an ongoing basis than is feasible using manual processes. As a result, organizations may choose to monitor a greater number of security controls with increased frequency.
- Organizations have significant latitude and flexibility in the breadth, depth, and formality of security status reports. At a minimum, security status reports describe or summarize key changes to security plans, security assessment reports, and plans of action and milestones. At the discretion of the organization, security status reports on information systems can be used to help satisfy the FISMA reporting requirement for documenting remedial actions on any security-related weaknesses or deficiencies.