Certification and Accreditation Process for Federal Information Systems Transformed | NIST

NIST has released a revised draft of its Special Publication 800-37, focusing on transforming the federal government’s information system certification and accreditation processes. The updated framework emphasizes continuous monitoring and updating of security controls throughout a system’s lifecycle, from initial design through daily operations.

The six-step Risk Management Framework outlined in the publication gives equal weight to selecting and implementing appropriate security controls and to monitoring them continuously, so that an organization has ongoing situational awareness of a system's security state. This approach aims to build security capabilities into information systems from the start rather than assessing them only at accreditation time.

The final document, dated February 2010, is now available for public comment until December 31, 2009. Comments should be sent to sec-cert@nist.gov. The publication was developed by the Joint Task Force Transformation Initiative, which includes NIST, the Office of the Director of National Intelligence, the Department of Defense, and the Committee on National Security Systems, working together to create a common information security framework for the federal government and its contractors.

Source: https://www.nist.gov/news-events/news/2009/11/certification-and-accreditation-process-federal-information-systems

Keywords: Security Controls, Continuous Monitoring, Risk Management Framework
