NIST Interag e (Second Draf t Jointl y devel o Department o ency Report 7 7 ) oped with the of Homeland S 56 Securit y 7 t CAAESASARSS Fraaworkk mew Exxtennsionn: Ann Enteerprrise Coontinnuouus Moonitooringg Teechnnical Ref eerennce MModeel (SSecoo )) nd DDraft Petter Mell, David WWalterm iire, Larr yy Feldmman, e ng, Zac nd, and Harrold Bo ooth, Alfr ed Ouya hh Raglaa Timmothy M ccBride Reports on Computer Systems Technology NIST Interagency Report 7756 (Second Draft) CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model (Second Draft) Peter Mell, David Waltermire, Larry Feldman, Harold Booth, Zach Ragland, Alfred Ouyang, and Timothy McBride C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 January 2012 U.S. Department of Commerce Secretary John E. Bryson National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary for Standards and Technology and Director NISTIR 7756, Second Draft – January 2012 Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at th e National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL devel ops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guide lines for the cost-effective security and privacy of sensitive unclassified information in Federal comput er systems. This Interagency Report discusses ITL’s research, guidance, and outreach efforts in computer security and its collaborativ e activities with industry, government, and academic organizations. National Institute of Standards and Technology Interagency Report 7756 35 pages (Jan. 2012) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. 2 NISTIR 7756, Second Draft – January 2012 Acknowledgments The authors would like to thank the original research team that developed the Department of Homeland Security (DHS) Federal Network Security’s seminal work on continuous monitoring architectures. The Continuous Asset Evaluation, Situational Aware ness, and Risk Scoring (CAESARS) architecture1, created with MITRE support, formed the foundation of this work. Also, we would like to recognize the following indi viduals for their participation on the continuous monitoring research team, insightful ideas, and review of this work: Stephen Yo rk, Peter Sell, and David Minge from the National Security Agency; Adam Halbardier, Adam Humenansky, Joe Debra, and Amit Mannan from Booz Allen Hamilton; and Mark Crouter from MITRE. Finally, we would like to thank the United St ates Chief Information Officer Council’s Information Security and Identity Management Subcommittee (I SIMC) on Continuous Security Monitoring for its leadership and direction as we created this publication. In particular we would like to thank the former and current co-chairs2: Colonel Michael Jones from the US Ar my, John Streufert from Department of State (DOS), Kevin Dulany from the O