Understanding NIST 800 137: A comprehensive guide to Information Security Continuous Monitoring (ISCM)

Payal Wadhwa


Aug 20, 2024


The National Institute of Standards and Technology (NIST) has long been a pivotal force in shaping global standards and guiding cybersecurity professionals. NIST has developed essential frameworks and guidelines that enhance the capabilities of both industry and government in identifying and responding to cyber threats.

One such critical publication is NIST SP 800 137, which outlines the Information Security Continuous Monitoring (ISCM) process. This guide gives organizations a structured approach to continuous monitoring, enabling them to gain better visibility into their security posture and safeguard their information systems.

In this blog, we delve into NIST SP 800 137 (ISCM) key concepts and the implementation process, offering insights on how to build a resilient organization.

TL;DR

  • NIST 800 137 provides guidance on information security continuous monitoring for federal agencies and integrates it with the broader Risk Management Framework.
  • The fundamentals of ISCM cover key concepts and approaches such as the organization-wide tiers of ISCM, ongoing system authorization, automation, and ISCM roles and responsibilities.
  • The ISCM implementation process has six steps: defining the ISCM strategy, establishing the ISCM program, implementing it, analyzing and reporting findings, responding to findings, and reviewing and updating the strategy.

What is NIST 800 137?

NIST 800 137 is part of the NIST Special Publication 800 series. First published in 2011 and titled Information Security Continuous Monitoring for Federal Information Systems and Organizations, it outlines the strategies, processes, and best practices for implementing continuous monitoring of information systems in federal agencies.

Continuous monitoring is a component of the broader Risk Management Framework (RMF). ISCM ensures that security controls are working as intended and that the security posture of systems aligns with the organization’s risk tolerance. It builds an understanding of threats and threat activity and prepares the organization for proactive risk management.

What is the scope of NIST 800 137?

The scope of NIST SP 800 137 is focused on providing detailed guidance on implementing continuous monitoring for federal information systems. It also aims to integrate ongoing monitoring into the broader risk management activities of the federal sector. However, the principles and guidelines are applicable and beneficial for adoption by organizations and industries across all sectors, reflecting the growing necessity of continuous monitoring in today’s digital landscape.

What are the fundamentals of NIST 800 137?

Chapter 2 of the publication outlines the fundamentals of NIST 800 137. It highlights key concepts, practices, and approaches for implementing the ISCM program. It begins by explaining how ISCM enables well-informed risk management decisions and supports the Plan of Action and Milestones (POA&M), resource prioritization, and risk response.

It also explains four key concepts that are useful while drafting the ISCM strategy. Let’s have a look at these concepts in more detail:

1. Organization-wide view of ISCM

The org-wide view of ISCM states that continuous monitoring enables risk management activities across different organizational tiers or levels:

Tier 1 (Governance or Organizational level)

At this level, the ISCM strategy, policies, metrics, and other governance-related decisions are established. This tier defines the goals and objectives for assessing, addressing, and monitoring org-wide risks and aligns them with the organization’s overall mission and business functions.

Tier 2 (Mission/Business process level)

Tier 2 focuses on risk management at the business process level. Each business function oversees the risk management activities for its own processes. The information security program is managed by deploying a range of controls, such as those in the NIST 800-53 Program Management (PM) control family. These controls support all information systems and are tracked regularly to gather metrics. The information collected is then used to support governance decisions at Tier 1.

Tier 3 (Information systems level)

At Tier 3, risk management focuses on individual information systems. It ensures that technical, operational, and management controls are working effectively. The security status of system-specific, hybrid, and common controls is regularly assessed and monitored to produce reports on incidents, alerts, and any identified threats. This information supports both Tier 1 and Tier 2 activities.

Additionally, Tier 3 ISCM activities align closely with RMF Step 6 (Monitor) and help maintain a strong security posture for the organization.

2. Ongoing system authorization

Ongoing system authorization ensures that the information systems remain secure in the face of changing operating environments and evolving threats. It takes a dynamic approach to risk management and evaluates information on new threats and vulnerabilities as it becomes available. This data is used to make the necessary security adjustments to address new risks.

The RMF helps integrate information system security activities into the System Development Life Cycle (SDLC). This dynamic approach transforms traditional static system authorizations into a continuous process and helps support timely and effective risk responses.

3. Role of automation

This section of NIST SP 800 137 explains that automation helps manage security more effectively while reducing costs and improving the reliability of monitoring data.

Automation can take over repetitive manual tasks, analyze large sets of complex data, and surface accurate information that human analysts might miss. However, automation is not a substitute for human judgment: analysts must still intervene where necessary, and automated tools must be backed by properly designed procedures.

This section also goes into some key considerations while selecting the ISCM tools such as the ability to gather information from multiple sources, integrate with other management and response systems, offer customizable reporting, support compliance with federal and other laws, and consolidate data into comprehensive dashboards.


4. ISCM roles and responsibilities

The last section of fundamentals talks about the key roles and responsibilities in the ISCM program. While the titles can vary as per organization, the key roles and responsibilities include:

Head of agency

  • Engages in high-level activities through the risk management function

Risk Executive (Function)

  • Oversees the ISCM strategy and program
  • Reviews status reports to enable any risk tolerance decisions
  • Promotes collaboration across departments to enable security information sharing
  • Ensures risk information is utilized org-wide for any continuous monitoring decisions

Chief Information Officer (CIO)

  • Leads the ISCM program by establishing expectations and ensuring implementation
  • Collaborates with authorizing parties to ensure optimum resources for ISCM
  • Maintains communication with other organizational entities

Senior Information Security Officer (SISO)

  • Develops and maintains the ISCM program, including policies and procedures for the continuous monitoring program
  • Guides configuration management activities
  • Analyzes any security weaknesses
  • Trains personnel to implement ISCM processes

Authorizing Official (AO)

  • Ensures system-wide application of the ISCM program
  • Evaluates security status reports to determine risk tolerance levels
  • Initiates reauthorization decisions in case of significant system changes

Information System Owner (ISO) / Information Owner / Steward

  • Develops and documents the ISCM strategy for their specific systems
  • Maintains inventory of systems and components
  • Assesses security controls and verifies the adequacy of information systems
  • Conducts remediation activities to maintain system authorization

Common Control Provider

  • Documents and manages ongoing monitoring of common controls
  • Participates in configuration management
  • Conducts security impact analysis and remediation activities for common controls

Information System Security Officer (ISSO)

  • Assists ISO with ISCM responsibilities

Security Control Assessor (SCA)

  • Provides inputs on any security-related information in the ISCM program
  • Establishes and submits a security assessment plan
  • Conducts security control assessments and updates assessment reports


How to implement the ISCM process?

The process of implementing the ISCM strategy is outlined in chapter 3 of the publication. It involves creating a plan of action, implementing the ISCM program, and then reviewing and updating it as required.

The ISCM implementation process has six steps:

1. Define the ISCM strategy

Establishing the ISCM strategy is critical to creating and implementing the ISCM program. It must encompass all organization tiers—governance, business process, and information systems—to aid well-informed decisions at each level. Standardized policies and procedures are developed at higher tiers, and org-wide implementation is carried out. Each tier must assess the security control effectiveness and monitor the security metrics.

The roles and responsibilities are clearly defined to support the ISCM strategy. The strategy is regularly reviewed to align with risk tolerance and security status.

2. Establish the ISCM program

The ISCM program supports the ISCM strategy by ensuring risk-based decisions and maintaining risk tolerance levels. The program’s goals include detecting and analyzing anomalies, threats, and vulnerabilities to gain better visibility into assets and ensure security and compliance.

At this step, metrics are defined and monitored at set frequencies to track performance and manage risks continuously. The ISCM architecture is also developed to support information collection, analysis, and reporting.

3. Implement the ISCM program

The implementation phase involves collecting security information and analyzing critical criteria and metrics. It includes conducting assessments for all types of controls (management, operational, and technical) and reporting the findings in the manner prescribed by policy.

Data gathered from sources such as people, processes, technology, and existing reports also informs other processes, such as patch management. Automation tools are used wherever possible to streamline this process and minimize the need for human intervention.


4. Analyze and report findings

At this stage, organizations develop processes to analyze security-related information and the results of continuous monitoring. This includes defining the reporting content, format, and frequency.

The reporting channels are also defined, and reports are submitted to management personnel such as the CIO and security officers so they can make informed, data-based decisions. This analysis is also used to update security plans and meet compliance requirements.

5. Respond to findings

Once the security information from monitoring is analyzed, organizations select risk response strategies and choose to accept, transfer, avoid, or mitigate each risk. Each tier coordinates its responses and security management activities.

At Tier 1, the response usually involves a change or update to security policies, while at Tier 2, officials may request additional data or change metrics or processes. At Tier 3, risk responses can involve implementing additional controls or changing monitoring frequencies.

All these response strategies are documented in the Plan of Action and Milestones (POA&M), and the strategy is updated accordingly.

6. Review and update

Organizations review and update the ISCM strategy so that it remains relevant to the current environment and risk tolerance levels. These updates may be triggered by changes in the threat landscape, new laws, modified business processes, or new security trends.

The review process involves reassessing metrics, monitoring frequencies, and the relevance of collected security information to ensure that the ISCM program continues to support risk management decisions effectively.
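The six steps above describe a loop: metrics with set monitoring frequencies (step 2), collected measurements (step 3), analysis against thresholds (step 4), tier-specific responses recorded in a POA&M (step 5), and periodic re-evaluation (step 6). The following script is an added example that is not part of NIST SP 800 137 or of any vendor product; the control names, frequencies, thresholds, and tier responses are constructed sample values used only to show how stale or failing metrics become POA&M entries.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Metric:
    control: str          # control identifier (constructed sample ids below)
    tier: int             # 1 = governance, 2 = business process, 3 = information system
    frequency: timedelta  # how often a fresh measurement is required
    threshold: float      # minimum acceptable value, 0.0..1.0
@dataclass
class Observation:
    control: str
    collected_at: datetime
    value: float          # e.g. fraction of assets passing the check

# Hypothetical tier-specific responses, mirroring step 5 of the ISCM process
RESPONSE_BY_TIER = {
    1: "update security policy",
    2: "request additional data or adjust metric/process",
    3: "implement additional controls or increase monitoring frequency",
}
def evaluate(metrics, observations, now):
    """Return POA&M entries for metrics that are stale or below threshold."""
    latest = {}  # most recent observation per control
    for o in observations:
        if o.control not in latest or o.collected_at > latest[o.control].collected_at:
            latest[o.control] = o
    poam = []
    for m in metrics:
        o = latest.get(m.control)
        if o is None or now - o.collected_at > m.frequency:
            finding = "stale: no measurement within required frequency"
        elif o.value < m.threshold:
            finding = f"below threshold: {o.value:.2f} < {m.threshold:.2f}"
        else:
            continue  # current and within tolerance: nothing to track
        poam.append({"control": m.control, "tier": m.tier,
                     "finding": finding, "response": RESPONSE_BY_TIER[m.tier]})
    return poam

# Constructed sample data: one failing, one stale, one healthy control
NOW = datetime(2024, 8, 20, 12, 0)
METRICS = [Metric("patch-compliance", 3, timedelta(days=1), 0.95),
           Metric("policy-review", 1, timedelta(days=90), 1.0),
           Metric("vendor-risk-review", 2, timedelta(days=30), 0.9)]
OBSERVATIONS = [Observation("patch-compliance", NOW - timedelta(hours=30), 0.97),
                Observation("patch-compliance", NOW - timedelta(hours=2), 0.91),
                Observation("policy-review", NOW - timedelta(days=120), 1.0),
                Observation("vendor-risk-review", NOW - timedelta(days=3), 0.95)]
```

Running `evaluate(METRICS, OBSERVATIONS, NOW)` yields two POA&M entries: the Tier 3 patch metric is current but below its threshold, and the Tier 1 policy review has no measurement within its 90-day frequency; the healthy Tier 2 metric produces none.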

How does Sprinto support continuous monitoring at a granular level?

Information Security Continuous Monitoring not only helps you maintain a proactive security posture but also builds resilience against evolving threats and sustains ongoing compliance. But as the publication notes, you should automate whatever you can to improve the reliability of the information gathered and work more efficiently. Enter Sprinto.

GRC tools like Sprinto can help you enhance information security and compliance with continuous control monitoring. The platform supports over 20 frameworks including NIST and integrates with cloud applications, infrastructure, code repos, and people seamlessly to maximize security and compliance coverage. It provides you with a centralized view of assets and risks. 

Granular checks and notifications create action-oriented alerts when security or compliance controls are about to fail, allowing you to trigger remediations with ease. You can also monitor the health of these controls on a centralized dashboard. 

Sprinto also automates evidence collection to prepare you for external compliance audits in record time: what would normally take months gets done in weeks.

Take a platform tour to learn more and talk to a compliance expert to stay ahead of the curve 24/7.

FAQs

How does ISCM differ from traditional security monitoring?

Traditional security monitoring involves periodic assessments and manual checks while ISCM is an ongoing and dynamic process. It provides real-time data and insights by continuously monitoring threats and security status. ISCM also automates processes wherever possible to minimize the need for human intervention and enhance the quality and reliability of security information.

What role does ISCM play in regulatory compliance?

ISCM helps ensure compliance with laws that require continuous evidence collection to prove security control effectiveness. It also helps maintain up-to-date documentation, facilitate internal assessments, and enable audits.

What challenges might organizations face when implementing ISCM?

Common challenges that organizations face when implementing ISCM include managing large volumes of data, reconciling data that overlaps or conflicts, integrating various data sources, and minimizing false positives.

Payal Wadhwa


Payal is your friendly neighborhood compliance whiz! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
