NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” provides guidance and best practices for establishing, implementing, and maintaining a continuous monitoring program for information security in federal agencies and organizations.
Definition and purpose
The purpose of NIST 800-137 is to help federal agencies and organizations to define a continuous monitoring strategy and establish and implement a continuous monitoring program that provides visibility into organizational assets, awareness of threats and vulnerabilities, and ongoing assurance of the effectiveness of deployed security controls.
Building on the monitoring concepts introduced in NIST SP 800-37, this publication focuses on assessing and analyzing security control effectiveness and organizational security status in accordance with organizational risk tolerance to better support organizational risk management decisions.
The National Institute of Standards and Technology (NIST) is the governing body responsible for the 800 series of publications, including NIST 800-137.
NIST 800-137 was published in 2011 and has had no major updates.
NIST 800-137 primarily applies to organizations that manage and operate federal information systems. However, while it is designed for the federal sector, its principles and concepts may be adapted for use in other industries or organizations.
Controls and requirements
NIST 800-137 does not present a set of controls or requirements in the same manner as a compliance standard. Instead, it covers the fundamentals and process for developing an information security continuous monitoring (ISCM) strategy and implementing an
ISCM program. This process includes key steps, including:
- Defining the ISCM strategy
- Establishing an ISCM program
- Implementing the ISCM program
- Analyzing and reporting findings
- Responding to findings
- Reviewing and updating ISCM strategy and program
Please refer to the official NIST SP 800-137 publication for more details.
Audit type, frequency, and duration
Since NIST 800-137 is a guide for developing and implementing a continuous monitoring strategy and program and not a compliance standard, it does not dictate specific audit types, frequencies, or durations.
Organizations are expected to review the monitoring strategy and program regularly to ensure that the organization is operating within acceptable risk tolerance levels, that metrics remain relevant, and that data is current and complete. Each organization can establish its own procedure for reviewing and updating this strategy based on its needs and information security maturity.