Abstract: This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of C…
“…Agencies typically meet this requirement with ongoing security control assessments, which focus on a selected subset of system-specific and common controls used by each system. Guidance on continuous monitoring in the first version of Special Publication 800-37 recommended this approach, based in part on an assumption that comprehensive security control monitoring is infeasible [3]. Many organizations conduct annual security control assessments, dividing the total controls each year so that all controls are re-assessed at least once during the typical three-year authorization cycle.…”
Section: The Role Of Continuous Monitoring In the Risk Management Framework (mentioning)
confidence: 99%
“…These requirements direct system owners to review their implemented security controls at a frequency "commensurate with the acceptable level of risk for the system" and when significant modifications occur to the system, or at least every three years regardless of whether the system or its environment has changed [2]. The initial system certification and accreditation guidance NIST published to support FISMA requirements prescribed three continuous monitoring program requirements for agencies: configuration management and configuration control processes; security impact analyses of any changes to the system; and assessment of a selected subset of security controls with assessment results reported to agency officials [3]. Under the revised certification and accreditation process using the Risk Management Framework, the focus of security control monitoring activities in step 6 of the RMF is on security impact analysis and control re-assessment prompted by planned changes to information systems or their environments.…”
“…This section provides a summary of the major points provided by Kenneth van Wyk in his SEPG tutorial [van Wyk 2007]. The security problem is reinforced by the continuous growth of software vulnerabilities that more than double each year, as demonstrated by CERT research.…”
Section: 4 B Software Security-setting the Stage (mentioning)
confidence: 99%
“…• Security must not be always saying "no" and thus regarded as an impediment to the organization [van Wyk 2007]. Software security problems are complicated.…”
Section: 4 B Software Security-setting the Stage (mentioning)
“…In this case, federal agencies would need to define a much more rigorous and formal certification process than the one in NIST SP-800-37, which is the certification standard currently in use. 19 In the FAA, NAS accrediting organizations have shown a marked resistance to using the protection profiles for accrediting systems.…”