feat: add NIST SP 800-137 Information Security Continuous Monitoring skill #40
Open
sjackson0109 wants to merge 1 commit into Sushegaad:main from
…skill

PLUGIN: nist-sp-800-137
VERSION: 1.0.0
SOURCE: NIST Special Publication 800-137, September 2011
TITLE: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
CSRC: https://csrc.nist.gov/publications/detail/sp/800-137/final

PLUGIN STRUCTURE:
plugins/nist-sp-800-137/.claude-plugin/plugin.json
plugins/nist-sp-800-137/skills/nist-sp-800-137/SKILL.md
plugins/nist-sp-800-137/skills/nist-sp-800-137/references/iscm-process.md
plugins/nist-sp-800-137/skills/nist-sp-800-137/references/monitoring-strategy.md
plugins/nist-sp-800-137/skills/nist-sp-800-137/references/metrics-reporting.md

FRAMEWORK COVERAGE:
1. ISCM definition: maintaining ongoing awareness of information security, vulnerabilities, and threats to support organisational risk management decisions
2. Three-tier ISCM architecture: Tier 1 (Organisation), Tier 2 (Mission/Business Process), Tier 3 (Information System) with information flows between tiers
3. Six-step ISCM process: Define strategy, Establish programme, Implement programme, Analyse and report findings, Respond to findings, Review and update strategy
4. Monitoring frequency criteria: information volatility, adversary speed, CIA impact, automation feasibility
5. Monitoring frequencies: continuous/automated, daily, weekly, monthly, quarterly, annual with use case guidance
6. Security metrics: implementation status metrics, operational effectiveness metrics, risk management metrics
7. ISCM metrics catalogue: 15 defined metrics covering SI-2/SI-3/SI-4/CM-6/CM-7/AC-2/IA-2/AT-2/AT-3/AU-2/RA-5/CA-5/CA-6 with thresholds and collection sources
8. Automation: SCAP ecosystem mapping (CVE, CCE, CPE, CVSS, OVAL, XCCDF), ARF reporting format, SCAP-validated tool requirements
9. Control tiering by automation amenability: Tier A (continuous/daily automation), Tier B (semi-automated periodic), Tier C (manual periodic)
10. Roles and responsibilities: CIO, SAISO, Risk Executive Function, AO, ISO, ISSO, Common Control Provider
11. Integration with RMF Step 6 (Monitor): mapping of all RMF Step 6 tasks to ISCM process steps
12. Ongoing authorisation: AO threshold-based decision framework using ISCM data
13. Significant change triggers for re-evaluation and re-authorisation
14. DHS CDM programme integration: capability layers and feed into agency ISCM infrastructure
15. ISCM programme maturity levels: Ad hoc through Optimised (5-level scale)
16. FISMA compliance: ISCM as fulfilment of FISMA continuous monitoring requirement

REFERENCE FILES:
iscm-process.md:
- Six-step ISCM process with per-step inputs, tasks, and outputs
- Task-level detail for all 24 ISCM tasks across six steps
- Step 4 Analyse/Report: Tier 3, Tier 2, Tier 1, and AO reporting tasks
- Step 5 Respond: remediation timeframe table (Critical 15 days through Low 180 days)
- Step 6 Review: periodic and event-driven triggers for ISCM strategy updates
- Complete ISCM programme checklist covering all six steps

monitoring-strategy.md:
- ISCM strategy document structure: 10 required sections
- Monitoring frequency assignment table template with SP 800-53 control mapping
- Control selection tiers (A/B/C) by automation amenability with example controls
- ISCM programme establishment procedure: tool selection criteria, baseline setup, data repository architecture
- ISCM programme maturity model (Levels 1-5: Ad hoc to Optimised)
- CDM programme integration: four capability layers mapped to ISCM tiers

metrics-reporting.md:
- Metric attribute set: 11-field standard format for every ISCM metric
- Full ISCM metrics catalogue with 15 defined metrics, measurements, frequencies, and thresholds
- Tier 3 system-level security status report template (complete with all sections)
- Tier 2 mission/business process aggregated report template
- Tier 1 organisation-level dashboard summary template
- AO threshold-exceeded notification template
- POA&M format table with all required fields

INTEGRATION POINTS:
- SP 800-37 Rev 2 RMF Step 6: ISCM implements all seven Step 6 monitoring tasks
- SP 800-53 Rev 5: ISCM metrics map to SP 800-53 control families
- SP 800-53A Rev 5: ongoing assessments supplement ISCM automated monitoring
- SP 800-30 Rev 1: risk determination scales used for finding severity classification
- SP 800-39: three-tier risk management hierarchy is the ISCM architecture structure
- FISMA: ISCM is the primary mechanism for FISMA continuous monitoring compliance
- DHS CDM: agency CDM deployments provide the tooling for Tier A ISCM controls

TESTS:
test_plugin_json_exists[nist-sp-800-137] PASSED
test_plugin_json_is_valid[nist-sp-800-137] PASSED
test_plugin_json_required_fields[nist-sp-800-137] PASSED
test_plugin_version_semver[nist-sp-800-137] PASSED
test_skills_directory_exists[nist-sp-800-137] PASSED
test_skills_directory_has_one_skill_folder[nist-sp-800-137] PASSED
test_skill_md_exists[nist-sp-800-137] PASSED
test_skill_md_not_empty[nist-sp-800-137] PASSED
test_no_files_outside_skill_folder[nist-sp-800-137] PASSED
test_references_are_markdown[nist-sp-800-137] PASSED
10 passed, 95 deselected
NIST SP 800-137 — Information Security Continuous Monitoring (ISCM)
Source Publication: NIST Special Publication 800-137, September 2011
CSRC URL: https://csrc.nist.gov/publications/detail/sp/800-137/final
This pull request adds a complete Claude skill plugin for NIST SP 800-137, supporting ISSOs, ISOs, CIOs, SAISOs, and Authorizing Officials designing, implementing, and managing Information Security Continuous Monitoring programmes for federal information systems and organisations.
Files Added
Framework Coverage
ISCM Definition: Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organisational risk management decisions. Three requirements: situational awareness, visibility, and traceability.
Three-Tier Architecture: Tier 1 (Organisation — strategy, risk tolerance, CIO/SAISO), Tier 2 (Mission/Business Process — common controls, mission alignment), Tier 3 (Information System — ISO/ISSO, system-specific monitoring). Information flows upward; risk guidance flows downward.
Six-Step ISCM Process: Define ISCM strategy, Establish programme, Implement programme, Analyse and report findings, Respond to findings, Review and update strategy. Each step includes inputs, tasks, and outputs.
Monitoring Frequencies: Continuous/automated, daily, weekly, monthly, quarterly, annual. Frequency selection criteria: information volatility, adversary speed of exploitation, CIA impact, automation feasibility.
Security Metrics Catalogue: 15 defined metrics with full attribute sets covering patch compliance (critical and high), AV currency, configuration compliance, unauthorised software detection, inactive accounts, MFA coverage, audit log coverage, vulnerability scan coverage, ATO status, POA&M health. Each metric includes measurement formula, data source, threshold, and escalation rules.
Control Automation Tiers: Controls classified as Tier A (highly amenable to continuous/daily automation — SI-2, SI-3, CM-6, CM-7, etc.), Tier B (semi-automated periodic — AC-2, RA-5, SC-28, etc.), Tier C (primarily manual — AT-2, CA-2, CP-4, etc.).
SCAP Integration: CVE, CCE, CPE, CVSS, OVAL, XCCDF components explained. ARF (Asset Reporting Format) for aggregation. SCAP-validated tool requirements. Automation capability levels (fully automated, semi-automated, fully manual).
Roles and Responsibilities: CIO, SAISO, Risk Executive Function, Authorizing Official, Information System Owner, ISSO, Common Control Provider — with specific ISCM responsibilities per role.
RMF Integration: All seven RMF Step 6 Monitor tasks mapped to ISCM process steps. Ongoing authorisation model explained with AO threshold-based decision framework.
DHS CDM Programme: Four CDM capability layers mapped to ISCM tiers. Agency and Federal Dashboard feeds.
ISCM Programme Maturity: Five-level scale from Ad hoc through Optimised.
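To make the three-tier flow and the threshold-based AO escalation concrete, here is an added example that is not part of this pull request or of SP 800-137 itself: it computes a single Tier 3 metric (critical-patch compliance) per information system from a constructed asset inventory, rolls it up to Tier 2 mission/business processes, and lists the systems that breach an assumed 95% threshold. The 15-day figure is the Critical remediation timeframe quoted in this PR; the 95% threshold, the system names and the inventory data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed values: SP 800-137 leaves concrete thresholds to the organisation, so 95 % is
# an example; 15 days is the Critical remediation timeframe quoted in the PR description.
CRITICAL_PATCH_THRESHOLD = 95.0
CRITICAL_PATCH_SLA_DAYS = 15

@dataclass
class Asset:
    system: str                            # Tier 3 information system identifier
    missing_critical: int                  # number of missing critical patches
    oldest_release: Optional[date] = None  # release date of the oldest missing patch

def overdue(asset: Asset, as_of: date) -> bool:
    """Non-compliant when a missing critical patch is older than the SLA."""
    return (asset.missing_critical > 0 and asset.oldest_release is not None
            and (as_of - asset.oldest_release).days > CRITICAL_PATCH_SLA_DAYS)

def pct(compliant: int, total: int) -> float:
    return round(100.0 * compliant / total, 2) if total else 100.0

def tier3_status(inventory: List[Asset], as_of: date) -> Dict[str, Tuple[int, int]]:
    """Tier 3: (compliant assets, total assets) for each information system."""
    counts: Dict[str, Tuple[int, int]] = {}
    for a in inventory:
        c, t = counts.get(a.system, (0, 0))
        counts[a.system] = (c + (0 if overdue(a, as_of) else 1), t + 1)
    return counts

def tier2_rollup(tier3: Dict[str, Tuple[int, int]], owner: Dict[str, str]) -> Dict[str, float]:
    """Tier 2: asset-weighted compliance per mission/business process (upward information flow)."""
    proc: Dict[str, Tuple[int, int]] = {}
    for system, (c, t) in tier3.items():
        pc, pt = proc.get(owner[system], (0, 0))
        proc[owner[system]] = (pc + c, pt + t)
    return {p: pct(c, t) for p, (c, t) in proc.items()}

def ao_notifications(tier3: Dict[str, Tuple[int, int]], threshold: float = CRITICAL_PATCH_THRESHOLD) -> List[str]:
    """Systems below threshold, i.e. candidates for an AO threshold-exceeded notification."""
    return sorted(s for s, (c, t) in tier3.items() if pct(c, t) < threshold)

# Constructed sample inventory (not real systems), evaluated as of 2024-03-01.
AS_OF = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Asset("HR-PAYROLL", 0), Asset("HR-PAYROLL", 2, date(2024, 2, 20)),  # 10 days old: within SLA
    Asset("HR-PAYROLL", 1, date(2024, 1, 30)), Asset("HR-PORTAL", 0), Asset("HR-PORTAL", 0),  # 31 days: overdue
    Asset("FIN-GL", 3, date(2024, 1, 1)), Asset("FIN-GL", 0), Asset("FIN-GL", 0), Asset("FIN-GL", 0),  # 60 days: overdue
]
SYSTEM_OWNER = {"HR-PAYROLL": "Human Resources", "HR-PORTAL": "Human Resources", "FIN-GL": "Finance"}
```

Running `tier3_status`, `tier2_rollup` and `ao_notifications` on the sample gives HR-PAYROLL at 66.67%, HR-PORTAL at 100%, FIN-GL at 75%, a Tier 2 view of Human Resources 80.0% and Finance 75.0%, and two systems flagged for the AO.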
Reference Files
references/iscm-process.md — Six-step ISCM process with per-step inputs, tasks, and outputs. All 24 ISCM tasks with step-by-step detail. Tier 3/2/1 and AO reporting task breakdown. Remediation timeframe table (Critical 15 days through Low 180 days). Event-driven and periodic triggers for Step 6 review. Complete ISCM programme checklist covering all six steps.
references/monitoring-strategy.md — ISCM strategy document structure with 10 required sections. Monitoring frequency assignment table template with SP 800-53 control examples. Control automation tiers (A/B/C) with representative controls per tier. Programme establishment procedures: tool selection criteria, baseline procedures (configuration/software/patch), data repository architecture. ISCM maturity model (Levels 1-5). CDM programme layer mapping.
references/metrics-reporting.md — Metric attribute set (11-field standard format). Full 15-metric ISCM catalogue with measurements, frequencies, thresholds, and escalation rules. Complete Tier 3 system-level report template with all sections. Tier 2 mission/business process aggregated report template. Tier 1 organisation-level dashboard template. AO threshold-exceeded notification template. POA&M format with all required fields.
Integration Points
Tests