[sacm] Fwd: [sw.assurance] ISCMA: An Information Security Continuous Monitoring Program Assessment -- Draft NISTIR 8212 Available for Comment

Ira McDonald <blueroofmusic@gmail.com> Wed, 07 October 2020 17:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/F-i_RkK8qpzpfbRyACLw-MqDJ1g>

---------- Forwarded message ---------
From: 'Pillitteri, Victoria Yan (Fed)' via sw.assurance <sw.assurance@list.nist.gov>
Date: Wed, Oct 7, 2020 at 10:32 AM
Subject: [sw.assurance] ISCMA: An Information Security Continuous
Monitoring Program Assessment -- Draft NISTIR 8212 Available for Comment
To: sec-cert <sec-cert@nist.gov>


Draft NIST Interagency Report (NISTIR) 8212, *ISCMA: An Information
Security Continuous Monitoring Program Assessment*,
provides an operational approach to the assessment of an organization's
information security continuous monitoring (ISCM) program.  The ISCM
assessment (ISCMA) approach is consistent with the ISCM Program Assessment,
as described in NIST SP 800-137A, *Assessing ISCM Programs: Developing an
ISCM Program Assessment*.  The ISCMA process proceeds according to the
following five steps:

   1. Plan the approach
   2. Evaluate the elements
   3. Score the judgments
   4. Analyze the results
   5. Formulate actions

Included with the ISCMA approach in this report is ISCMAx, a free,
publicly-available working implementation of ISCMA that can be tailored to
fit the needs of the implementing organization. ISCMAx produces a detailed
scorecard with associated graphical output and identifies conditions that
may warrant further analysis. The ISCMAx tool is a Microsoft Excel
application and can be used in the Windows operating system; it does not
run on the Macintosh operating system. NISTIR 8212 provides complete
instructions for both using ISCMAx as provided, and for tailoring ISCMAx,
if desired. For instructions on using the ISCMAx tool, refer to Sec. 3, 4,
and 5 of Draft NISTIR 8212.

 *A public comment period for this document is open through November 13,
2020.*  See the publication details
 for a copy of the draft publication, ISCMAx tool (Recommended Judgment and
Alternate Judgment, macro-enabled spreadsheet), and instructions for
submitting comments—preferably using the comment template provided.  For
any questions, please contact sec-cert@nist.gov.

*NOTE: A call for patent claims is included on page vi of this draft. For
additional information, see the Information Technology Laboratory (ITL)
Patent Policy--Inclusion of Patents in ITL Publications.*

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8212/draft

ITL Patent Policy:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications



-- 

Victoria Yan Pillitteri

National Institute of Standards and Technology

victoria.yan@nist.gov




