NIST Unveils Continuous Monitoring Draft Guidance

Wednesday, January 25 2012
National Institute of Standards and Technology.
The National Institute of Standards and Technology is seeking public comment on three interagency reports that provide guidance on the continuous monitoring for security vulnerabilities of information systems.

FFebruary 17 Deadline for Public Comments on 3 Interagency Reports.

They are:

  1. NIST Interagency Report 7756: CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. CAESARS stands for Continuous Asset Evaluation, Situational Awareness and Risk Scoring.
  2. NIST Interagency Report 7799: Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications.
  3. NIST Interagency Report 7800: Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains.

According to NIST:

IR 7756

IR 7756 presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security's CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that allows organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries and provide overall situational awareness. The model design is focused on allowing organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.

IR 7799

IR 7799 provides the technical specifications for the continuous monitoring reference model presented in IR 7756. These specifications allow multi-instance continuous monitoring implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring and policy compliance reporting.

A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications - workflows, subsystems and interfaces - are written to be data domain agnostic, which means that they can be used for continuous monitoring regardless of the data domain that is being monitored.

IR 7800

IR 7800 binds together the continuous monitoring workflows and capabilities described in IR 7799 to specific data domains, focusing on the asset management, configuration and vulnerability data domains. It leverages the Security Content Automation Protocol version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.

NIST requests comments on the draft guidance be submitted to fe-comments@nist.gov by Feb. 17.

Story Highlights: 
  • A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model.
  • IR 7800 binds together the continuous monitoring workflows and capabilities described in IR 7799 to specific data domains, focusing on the asset management, configuration and vulnerability data domains.