Continuous Monitoring

The Challenge

Continuous monitoring is a critical activity in assessing an organization’s information security posture. Its importance has recently been highlighted by the fact that NIST Special Publication 800-37, Revision 1 specifies continuous monitoring as one of the six steps in the Risk Management Framework (RMF). Authorizing Officials (AOs), Designated Approving Authorities (DAAs) and other cybersecurity professionals are looking to better understand how to apply the guidance in their respective organizations. They are grappling with how to implement a continuous monitoring program that improves their information security posture and ensures compliance with NIST and other relevant guidance. Cybersecurity professionals also realize that an effective continuous monitoring program must adapt to the ever-changing technology and cybersecurity threat landscape.

The Solution

SecureInfo’s Continuous Monitoring solution enables you to sustain your security posture through continuous monitoring as specified by NIST 800-37, NIST 800-137, FedRAMP and other pertinent standards and guidance. We will first assess the current elements of your information security program that are part of an effective continuous monitoring program. This will allow us to establish a baseline from which to make meaningful recommendations. Once this is complete and documented, we will address in detail the other elements of your program, including assessing and updating your plan and controls strategy, meeting and extending your reporting requirements, training your personnel, and conducting the necessary tests to ensure compliance with continuous monitoring best practices and guidance. We perform the following services*:

  • Monthly scan reports of all systems within the boundary for vulnerability (patch) management
  • Quarterly scans for verification of FDCC compliance (USGCB, CIS)
  • Annual Incident Response Plan updates
  • Quarterly POA&M remediation
  • Annual Change Control Process updates
  • Annual penetration testing
  • Semi-annual IV&V of controls
  • Quarterly scans to verify that the boundary has not changed (and that no rogue systems have been added after ATO)
  • Quarterly system configuration management software updates
  • Quarterly FISMA reporting data updates
  • Annual documentation updates
  • Annual Contingency Plan and Test Report testing
  • Annual Separation of Duties Matrix

*The specified services and their frequencies can be adjusted based on your requirements and/or the demands of your specific environment.

SecureInfo combines deep domain expertise in relevant standards and guidance (e.g., NIST, DIACAP) with practical, hands-on experience applying this knowledge to the most complex computing environments in the world. We work closely with government agencies and other customers when interpreting and incorporating regulations, standards and guidance to ensure cybersecurity risk is identified, documented and managed up front and on an ongoing basis. Our sole focus is cybersecurity risk management, giving you the confidence you need to implement an effective, compliant, and adaptive continuous monitoring program. Most importantly, through the practical application of our experience and expertise, you will maintain an improved security posture.

Benefits

  • Improve security posture and meet regulatory requirements by implementing a sustainable and affordable continuous monitoring program
  • Reduce costs of re-authorizing and/or reassessing information assets
  • Ensure cybersecurity professionals are well informed regarding the latest regulations, standards and guidance
  • Undertake a continuous monitoring initiative with confidence

A Continuous Monitoring webinar featuring Dr. Ron Ross, Senior Computer Scientist at NIST, is also available.