[sacm] Fwd: [sw.assurance] ISCMA: An Information Security Continuous Monitoring Program Assessment -- Draft NISTIR 8212 Available for Comment
Ira McDonald <blueroofmusic@gmail.com> Wed, 07 October 2020 17:59 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/F-i_RkK8qpzpfbRyACLw-MqDJ1g>
---------- Forwarded message ---------
From: 'Pillitteri, Victoria Yan (Fed)' via sw.assurance <sw.assurance@list.nist.gov>
Date: Wed, Oct 7, 2020 at 10:32 AM
Subject: [sw.assurance] ISCMA: An Information Security Continuous Monitoring Program Assessment -- Draft NISTIR 8212 Available for Comment
To: sec-cert <sec-cert@nist.gov>

Draft NIST Interagency Report (NISTIR) 8212, *ISCMA: An Information Security Continuous Monitoring Program Assessment*, provides an operational approach to the assessment of an organization's information security continuous monitoring (ISCM) program. The ISCM assessment (ISCMA) approach is consistent with the ISCM Program Assessment, as described in NIST SP 800-137A, *Assessing ISCM Programs: Developing an ISCM Program Assessment*.

The ISCMA process proceeds according to the following five steps:

1. Plan the approach
2. Evaluate the elements
3. Score the judgments
4. Analyze the results
5. Formulate actions

Included with the ISCMA approach in this report is ISCMAx, a free, publicly-available working implementation of ISCMA that can be tailored to fit the needs of the implementing organization. ISCMAx produces a detailed scorecard with associated graphical output and identifies conditions that may warrant further analysis.

The ISCMAx tool is a Microsoft Excel application and can be used in the Windows operating system; it does not run on the Macintosh operating system. NISTIR 8212 provides complete instructions for both using ISCMAx as provided, and for tailoring ISCMAx, if desired. For instructions on using the ISCMAx tool, refer to Sec. 3, 4, and 5 of Draft NISTIR 8212.

*A public comment period for this document is open through November 13, 2020.* See the publication details for a copy of the draft publication, ISCMAx tool (Recommended Judgment and Alternate Judgment, macro-enabled spreadsheet), and instructions for submitting comments—preferably using the comment template provided. For any questions, please contact sec-cert@nist.gov.

*NOTE: A call for patent claims is included on page vi of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.*

Publication details: https://csrc.nist.gov/publications/detail/nistir/8212/draft

ITL Patent Policy: https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications

--
Victoria Yan Pillitteri
National Institute of Standards and Technology
victoria.yan@nist.gov

--
To unsubscribe from this group, send email to sw.assurance+unsubscribe@list.nist.gov
View this message at https://list.nist.gov/sw.assurance