Applying the Continuous
Monitoring Technical
Reference Model to the
Asset, Configuration, and
Vulnerability Management
Domains (DRAFT)
David Waltermire, Adam Halbardier, Adam Humenansky,
and Peter Mell
NIST Interagency Report 7800
(Draft)
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
January 2012
U.S. Department of Commerce
Secretary John E. Bryson
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for Standards
and Technology and Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analysis to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of technical, physical, administrative, and management standards and guidelines for
the cost-effective security and privacy of sensitive unclassified information in Federal computer
systems. This Interagency Report discusses ITL’s research, guidance, and outreach efforts in
computer security and its collaborative activities with industry, government, and academic
organizations.
Certain commercial entities, equipment, or materials may be identified in this
document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply recommendation or endorsement by the
National Institute of Standards and Technology, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best available for the purpose.
National Institute of Standards and Technology Interagency Report 7800
29 pages (Jan. 2012)
Acknowledgments
The authors would like to recognize the following individuals for their participation on the
continuous monitoring (CM) research team, insightful ideas, and review of this work: Stephen
York and Peter Sell from the National Security Agency, as well as Larry Feldman and Zach
Ragland from Booz Allen Hamilton.
The authors would also like to thank the United States Chief Information Officer Council’s
Information Security and Identity Management Subcommittee (ISIMC) on Continuous Security
Monitoring for its leadership and direction as we created this publication. In particular, we would
like to thank the current co-chairs: John Streufert from the Department of State, Kevin Dulany
from the Office of the Secretary of Defense, and Timothy McBride from the Department of
Homeland Security.
Trademark Information
OVAL and CVE are registered trademarks, and CCE and CPE are trademarks, of The MITRE
Corporation.
All other registered trademarks or trademarks belong to their respective organizations.
Abstract
This publication binds together the CM workflows and capabilities described in NIST IR 7799 to
specific data domains. It focuses on the Asset Management, Configuration, and Vulnerability
data domains. It leverages the Security Content Automation Protoc