The revamped suite of NIST documents (SP 800-53 r3, 800-37 r1, 800-39, etc.) brings a slightly stronger definition of continuous monitoring into play. The new definition is far better than the previous vague description of the concept (which amounted to “at least annually”). Currently in the Federal space, continuous monitoring is, for the most part, interpreted to mean annually. I have met very few Federal IT managers who embrace the idea that continuous actually means more than once a year. Is that due to a lack of understanding of the threats that exist? Or is it a thought process based on limited IT security funds? Or is it a lack of understanding that FISMA should be about more than a paper drill? I cannot give one answer, because I am sure that all of those reasons are valid, among many others.
The new terminology refers to continuous monitoring as “near real time,” which in my mind does move the bar much closer to a realistic definition, although I would like to see a FISMA update and/or NIST go a bit further and separate “real time” from “periodic.” Real-time monitoring almost always requires an automated tool to support 24/7/365 monitoring, while periodic monitoring can occur at a “near real time” frequency such as hourly, daily, weekly or monthly, depending upon how frequently the control activity is executed. The draft NIST documents use near real time and continuous monitoring almost interchangeably, while in my mind they can be quite different. Periodic or near-real-time monitoring is sufficient the majority of the time, while continuous monitoring (24/7/365) should be reserved for the most critical security controls and for those which are exercised frequently (i.e. attempts to access sensitive data, or multiple invalid login attempts).