Definition and purpose

The purpose of NIST 800-137 is to help federal agencies and organizations to define a continuous monitoring strategy and establish and implement a continuous monitoring program that provides visibility into organizational assets, awareness of threats and vulnerabilities, and ongoing assurance of the effectiveness of deployed security controls.

Building on the monitoring concepts introduced in NIST SP 800-37, this publication focuses on assessing and analyzing security control effectiveness and organizational security status in accordance with organizational risk tolerance to better support organizational risk management decisions.

Governing Body

The National Institute of Standards and Technology (NIST) is the governing body responsible for the 800 series of publications, including NIST 800-137.

Last updated

NIST 800-137 was published in 2011 and has had no major updates. 

Applies to

NIST 800-137 primarily applies to organizations that manage and operate federal information systems. However, while it is designed for the federal sector, its principles and concepts may be adapted for use in other industries or organizations.

Controls and requirements

NIST 800-137 does not present a set of controls or requirements in the same manner as a compliance standard. Instead, it covers the fundamentals and process for developing an information security continuous monitoring (ISCM) strategy and implementing an

ISCM program. This process includes key steps, including:

• Defining the ISCM strategy
• Establishing an ISCM program
• Implementing the ISCM program
• Analyzing and reporting findings
• Responding to findings
• Reviewing and updating ISCM strategy and program

Please refer to the official NIST SP 800-137 publication for more details.

Audit type, frequency, and duration

Since NIST 800-137 is a guide for developing and implementing a continuous monitoring strategy and program and not a compliance standard, it does not dictate specific audit types, frequencies, or durations. 

Organizations are expected to review the monitoring strategy and program regularly to ensure that the organization is operating within acceptable risk tolerance levels, that metrics remain relevant, and that data is current and complete. Each organization can establish its own procedure for reviewing and updating this strategy based on its needs and information security maturity.