Information Security Continuous Monitoring (ISCM)


Posted: January 26, 2017 | By: Akhilomen Oniha, Greg Weaver, Curtis Arnold, Thomas Schreck

Future Direction

ISCM is not only a technical problem; it also requires policy actions in order to achieve and sustain its goals. The ISCM program at ARL will continue to be incrementally improved with the appropriate rigor and assessment frequencies to support the mission/business requirements, risk tolerance, and security categorization. By leveraging an integrated operational and technical ISCM portal, the Cyber Security Service Provider (CSSP) operations process and knowledge management capabilities ensure that sustained and continuous assessments can be synchronized across the Army. To support ongoing risk determinations and future risk acceptance decisions by senior leaders, policies supporting the following six steps are necessary for achieving and sustaining an effective ISCM:

  • Define an ISCM policy, strategy, and supporting doctrine based on risk tolerance that promotes clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
  • Ensure the organization's ISCM program determines metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
  • Automate collection, analysis, and reporting of data where possible. Collect the security-related information required for metrics, assessments, and reporting.
  • Analyze the data collected and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
  • Respond to findings with technical, management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.
  • Review and update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into organizational assets and awareness of vulnerabilities, further enable data-driven control of the security of an organization’s information infrastructure, and increase organizational resilience.
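The collection, analysis, reporting and response steps above are stated at the policy level. The following Python example is added here to make them concrete; it is not ARL's ISCM code nor the CSSP portal. It models a minimal automated check over a constructed asset inventory: the assessment frequencies keyed by security categorization and the vulnerability-age tolerances are assumed policy values, and the asset names, dates and vulnerability identifiers are constructed placeholders.

```python
# Added illustration (not ARL's ISCM code): automated collection, analysis,
# reporting and response classification over a constructed asset inventory.
from dataclasses import dataclass, field
from datetime import date

# Control-assessment frequency per security categorization (assumed policy values)
ASSESSMENT_FREQUENCY_DAYS = {"LOW": 90, "MODERATE": 30, "HIGH": 7}

# Risk tolerance: days an open vulnerability may remain before it becomes a finding (assumed values)
MAX_VULN_AGE_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}


@dataclass
class Vulnerability:
    vuln_id: str      # placeholder identifiers, not real CVE numbers
    severity: str     # key into MAX_VULN_AGE_DAYS
    discovered: date


@dataclass
class Asset:
    name: str
    categorization: str   # key into ASSESSMENT_FREQUENCY_DAYS
    last_assessed: date
    vulns: list = field(default_factory=list)


def assessment_overdue_days(asset: Asset, today: date) -> int:
    """Days past the required assessment frequency; 0 when within frequency."""
    elapsed = (today - asset.last_assessed).days
    return max(0, elapsed - ASSESSMENT_FREQUENCY_DAYS[asset.categorization])


def analyze(assets, today):
    """Analysis step: turn collected data into findings, each with a proposed response class."""
    findings = []
    for asset in assets:
        overdue = assessment_overdue_days(asset, today)
        if overdue > 0:
            findings.append({
                "asset": asset.name,
                "type": "assessment_overdue",
                "detail": f"{overdue} day(s) past the "
                          f"{ASSESSMENT_FREQUENCY_DAYS[asset.categorization]}-day frequency",
                "response": "reassess",   # operational mitigation: re-run the control assessment
            })
        for v in asset.vulns:
            age = (today - v.discovered).days
            limit = MAX_VULN_AGE_DAYS[v.severity]
            if age > limit:
                findings.append({
                    "asset": asset.name,
                    "type": "vulnerability_over_tolerance",
                    "detail": f"{v.vuln_id} ({v.severity}) open {age} days, tolerance {limit}",
                    "response": "mitigate_or_accept",  # technical fix, or documented risk acceptance
                })
    return findings


def metrics(assets, findings, today):
    """Metrics a status dashboard or widget would report."""
    total = len(assets)
    within = sum(1 for a in assets if assessment_overdue_days(a, today) == 0)
    open_vulns = sum(len(a.vulns) for a in assets)
    over_tol = sum(1 for f in findings if f["type"] == "vulnerability_over_tolerance")
    return {
        "assets": total,
        "assessed_within_frequency_pct": round(100.0 * within / total, 1) if total else 0.0,
        "open_vulnerabilities": open_vulns,
        "vulnerabilities_over_tolerance": over_tol,
        "open_findings": len(findings),
    }


def report(assets, today):
    """Reporting step: findings and metrics together."""
    findings = analyze(assets, today)
    return {"metrics": metrics(assets, findings, today), "findings": findings}


# Constructed sample inventory (not real systems or vulnerabilities)
TODAY = date(2017, 1, 26)
SAMPLE_ASSETS = [
    Asset("web-01", "HIGH", date(2017, 1, 15),
          [Vulnerability("VULN-PLACEHOLDER-1", "CRITICAL", date(2017, 1, 10))]),
    Asset("db-01", "MODERATE", date(2017, 1, 20),
          [Vulnerability("VULN-PLACEHOLDER-2", "MEDIUM", date(2016, 12, 1))]),
    Asset("kiosk-07", "LOW", date(2016, 9, 1)),
]

if __name__ == "__main__":
    out = report(SAMPLE_ASSETS, TODAY)
    print("Metrics:", out["metrics"])
    for f in out["findings"]:
        print(f"[{f['type']}] {f['asset']}: {f['detail']} -> {f['response']}")
```

On the constructed data the check raises three findings (two overdue assessments and one critical vulnerability past tolerance) and reports that only one of three assets is within its assessment frequency; the review-and-update step would then adjust the frequency and tolerance tables as the program matures.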

In 2017, ARL will release an ISCM Widget to support continuing re-authorization capabilities. This capability facilitates the NIST SP 800-137 requirement “that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions…”

In 2017, ARL will propose one or more widgets that could support Mission Assurance Continuous Monitoring (MACM), an integrated observation of mission-aligned ISCM with operational and technical information network operations capabilities to create and preserve information assurance on the DoD information networks and increase organizational resilience.

In 2018, ARL will propose one or more widgets that could support Cyber Defense Continuous Monitoring (CDCM), an integrated global observation of mission-aligned partners through passive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other war fighting and support enabling systems.

ARL will continue to develop ISCM and ensure that its requirements are well informed and reflect the best practices, lessons learned, and efficiencies developed across the Army.
