Abstract

This paper proposes an information assurance (IA) metric that can be used to measure the security posture of an enterprise system in the "monitoring" step (Step 6) of the risk management framework (RMF), as required in the new certification and accreditation (C&A) process described in NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. The metric was developed by adapting the Object Measurement (OM®) approach, originally created to evaluate system development life cycle (SDLC) processes, for use as an IA metric. It supports organizational management's decision-making by enabling an organization to determine how well a system is complying with its monitoring plan. The values obtained through use of this metric can be abstracted to roll up values from multiple systems, creating an aggregate measure that organizational management can use to assess the security posture of all, or a subset, of their accredited systems undergoing monitoring.
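As an added illustration of the two ideas the abstract describes (a per-system score for compliance with a monitoring plan, and a roll-up of those scores across systems), the example below is not the paper's OM-based metric and does not come from the authors. The scoring rule it uses, the share of scheduled control assessments completed by their due date, weighted at roll-up by the system's impact level, is an assumption chosen for the example; the system names, control identifiers and dates are constructed sample data.

```python
"""Per-system monitoring-plan compliance and an organization-wide roll-up.

Assumption (not the paper's metric): a system's score is the fraction of
assessments that were due on or before the reporting date and were completed
by their due date; the roll-up is an impact-weighted mean of those scores.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Assessment:
    control: str               # control identifier, e.g. an SP 800-53 control
    due: date                  # date the monitoring plan requires assessment by
    completed: Optional[date]  # None if not yet assessed


@dataclass
class SystemRecord:
    name: str
    impact: str                # FIPS 199 category: "low", "moderate" or "high"
    assessments: List[Assessment]


# Assumed weights so that higher-impact systems dominate the aggregate.
IMPACT_WEIGHT = {"low": 1.0, "moderate": 2.0, "high": 3.0}


def system_score(rec: SystemRecord, as_of: date) -> float:
    """Fraction of assessments due by `as_of` that were completed on time.

    Assessments not yet due are ignored; a system with nothing due yet
    is treated as fully compliant (1.0).
    """
    due_items = [a for a in rec.assessments if a.due <= as_of]
    if not due_items:
        return 1.0
    on_time = sum(
        1 for a in due_items
        if a.completed is not None and a.completed <= a.due
    )
    return on_time / len(due_items)


def rollup(records: List[SystemRecord], as_of: date) -> Tuple[float, Dict[str, float]]:
    """Impact-weighted mean of system scores; returns (aggregate, per-system)."""
    per_system = {r.name: system_score(r, as_of) for r in records}
    total_weight = sum(IMPACT_WEIGHT[r.impact] for r in records)
    if total_weight == 0:
        return 0.0, per_system
    aggregate = sum(
        IMPACT_WEIGHT[r.impact] * per_system[r.name] for r in records
    ) / total_weight
    return aggregate, per_system


def below_threshold(per_system: Dict[str, float], threshold: float) -> List[str]:
    """Names of systems whose score falls below `threshold`, worst first."""
    lagging = [(s, n) for n, s in per_system.items() if s < threshold]
    return [n for _, n in sorted(lagging)]


# Constructed sample data: three systems with a handful of scheduled assessments.
SAMPLE = [
    SystemRecord("hr-portal", "moderate", [
        Assessment("AC-2", date(2024, 3, 1), date(2024, 2, 20)),   # on time
        Assessment("AU-6", date(2024, 3, 15), date(2024, 3, 20)),  # late
        Assessment("CM-6", date(2024, 6, 1), None),                # not yet due
    ]),
    SystemRecord("payroll", "high", [
        Assessment("AC-2", date(2024, 2, 1), date(2024, 1, 30)),   # on time
        Assessment("SI-4", date(2024, 3, 1), date(2024, 3, 1)),    # on time
    ]),
    SystemRecord("intranet-wiki", "low", [
        Assessment("AC-2", date(2024, 2, 15), None),               # overdue
    ]),
]

if __name__ == "__main__":
    agg, per = rollup(SAMPLE, date(2024, 4, 1))
    for name, score in per.items():
        print(f"{name:15s} {score:.2f}")
    print(f"aggregate       {agg:.2f}")
    print("below 0.75:", below_threshold(per, 0.75))
```

Run as of 1 April 2024, the three systems score 0.50, 1.00 and 0.00, and the weighted aggregate is 0.67; the threshold check returns the two lagging systems, which is the kind of drill-down from an aggregate figure that the abstract's "subset of accredited systems" use case calls for.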
