Continuous Monitoring & Security Controls

Cybersecurity is one of the highest national priorities in the US. In order to preserve cybersecurity, legislation such as the FISMA (Federal Information Security Management Act) has been substantially updated to improve capacity for preventing, detecting and responding to threats. Ongoing updates to legislation seem to suggest a shift from simply demanding compliance to adoption of a continuous monitoring model.

What is Continuous Monitoring?

In contrast to traditional monitoring processes, which examine only a small sample of events, continuous monitoring audits events as they occur or immediately afterwards.

What is being monitored?

1. Primary Monitoring – this involves security controls. The primary focus [...]



In October 2009, the US federal Office of Management and Budget (OMB) released CyberScope, a reporting tool for federal agencies. Under the FISMA (the Federal Information Security Management Act of 2002), agencies are obliged to report on their information security statuses. The introduction of CyberScope aimed to correct any weaknesses and streamline the IT security reporting process. This article takes a look at how CyberScope has improved upon the FISMA reporting approach.


The FISMA, enacted in 2002 under the E-Government Act of 2002, required regular reporting from federal agencies regarding their information security practices. These reports were to be submitted on [...]


Recommended Security Controls for Federal Information Systems

The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines for information security for all civilian federal agencies. It produces security controls for information systems, which are the safeguards necessary to protect the confidentiality, integrity and availability of the data. The NIST SP (Special Publication) 800-53: Recommended Security Controls for Federal Information Systems defines security controls for executive agencies of the US federal government. This article introduces the publication and some of its key concepts.

Purpose of NIST SP 800-53

The FISMA (Federal Information Security Management Act) mandates that information systems must adequately protect government data. Under [...]



SCAP is a means of applying standards to the management and measurement of vulnerabilities. The objective of SCAP is to facilitate evaluation and policy compliance by integrating the goals of IT with those of IT security.

What is SCAP?

SCAP (Security Content Automation Protocol) enables maintenance and assessment of enterprise systems security to be conducted in a standardized manner. SCAP is made up of several open standards that are used to identify and describe flaws and other security issues. SCAP standards may be able to carry out any of the following tasks:

- Automatically verify patches
- Check system security [...]


OMB Memorandum 07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information

Executive Order 13402 commanded the creation of a Presidential Identity Theft Task Force to examine how the Federal Government could better respond to and protect against data breaches resulting in identity theft. Under Federal regulations, such as the Privacy Act of 1974 and the Federal Information Security Management Act, individuals are guaranteed the security of their data, making adequate protection of data a matter of [...]