NIST SP 800-137

Addressing NIST SP 800-137: “Information Security Continuous Monitoring” with CORE INSIGHT Enterprise

NIST SP 800-137 is designed to assist organizations in developing a continuous monitoring strategy and implementing a related program. It cites the following processes as “essential to organization-wide continuous monitoring”:

  • Ongoing assessment of security controls (including system-specific, hybrid, common controls and PM controls) with assessment frequencies based on an organization-wide continuous monitoring strategy. (NIST Special Publication 800-137, page 10)
  • Configuration management and change control processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes. (NIST Special Publication 800-137, page 10)
  • Security impact analyses (SIA) on changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions which said systems support. (NIST Special Publication 800-137, page 10)
  • Security status reporting to organizational officials designed to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies. Considerations include organization relevant threat data. (NIST Special Publication 800-137, page 10)

Optimizing security metrics is deemed essential in NIST SP 800-137. “Metrics are measures that have been organized into meaningful information to support decision making. Metrics are developed for system-level data to make it meaningful in the context of mission/business or organizational risk management.” Therefore, it is critical to collect data in a way that most accurately pinpoints and validates actual risk within an IT environment.

How CORE INSIGHT Helps

CORE INSIGHT Enterprise offers a security testing and measurement solution that enables you to continuously and proactively assess the security of your critical information assets – directly mapping to the guidance in NIST SP 800-137. By traversing exploitable web application, network and client-side weaknesses throughout your environment, INSIGHT reveals exposed paths to systems, databases and data types. It delivers clear, definitive metrics for efficiently validating security controls and addressing data breach threats.

CORE INSIGHT addresses critical processes noted by SP 800-137 in the following ways:

Ongoing assessment of security controls

  • Assesses IPS/IDS, firewalls and other defenses against real-world attack techniques
  • Automated attack path planning, combined with real-world exploit-based testing, dynamically reveals paths that attackers and malicious insiders would use to access sensitive assets
  • Proactively identifies weaknesses posing imminent risks

Configuration management and change control

  • Able to run continuously to assess changing infrastructure against the latest threats
  • Ensures that defensive technologies can protect against current threats
  • Integrates with ticketing and change management systems for seamless vulnerability management
  • Dynamically tests custom and COTS applications using the same techniques as attackers
  • Can easily scale to repeatedly test environments with large numbers of targets
  • Ensures that development resources can focus on addressing proven security issues

Security impact analyses

  • Able to test (and retest) continuously to assess changing infrastructure against the latest threats
  • Automated attack path planning, combined with real-world exploit-based testing, dynamically reveals paths that attackers and malicious insiders could use to access sensitive assets
  • Assesses systems designated as critical and delivers proactive alerts regarding the latest threats and impacts to those systems

Security status reporting

  • Conducts proactive, real-time assessments of assets identified as critical to the agency
  • Assimilates data from multiple sources to validate potential threats as real
  • Delivers data using terminology specific to your locations, mandates, data types, etc.
  • Benchmarks security posture; tracks and demonstrates security standing over time
