CONTINUOUS MONITORING OF ASSETS
The Secure Configuration Management (SCM) program manages security features and assurances through control of changes made to the hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.
SCM relies upon performance, functional, and physical attributes of IT platforms and products and their environments to determine the appropriate security features and assurances that are used to measure a system configuration state.
SCM was established as part of the larger Enterprise Security Management (ESM) initiative. The roles and responsibilities for the SCM Program Management Office (PMO) were defined such that the National Security Agency (NSA) has primary responsibility for advanced technology R&D efforts and DISA PEO-MA has responsibility for systems engineering and Operations and Maintenance (O&M). Since the establishment of the SCM program, many operational requirements have been directed and defined to automate enterprise vulnerability and configuration management assessment and reporting activities.
DoD Continuous Monitoring Definition
- The term Continuous Monitoring (ConMon) for the Department of Defense (DoD) is defined as the ongoing observation, assessment, analysis, and diagnosis of an organization’s cybersecurity posture, hygiene, and operational readiness.
- ConMon synergistically integrates core components and capabilities across multiple security domains and organizational levels to provide global situational awareness and visibility in support of areas of operations that have a direct impact on or can potentially interact with mission operations.
- From a strategic perspective, ConMon provides for a classification/computing environment-agnostic framework and promotes a steady-state risk posture that incorporates a DoD-wide ‘collect-once, reuse-many’ structure such that each domain fits into a scheme to delineate a comprehensive ‘snapshot in time’ that explains the environment from multiple mission areas of operations.
GAP ANALYSIS
Goals and Benefits | Processes to Improve | SCM Initiatives |
Interoperability, Leverage DoD Investment | ASSET TRACKING: Manual, inconsistent, labor intensive; ASSET SCANNING: SCCVI, FSO Developed Scripts | Management of Assets & Inventory |
Alleviate Operator Pain | POA&M: Manual, labor intensive, questionable; REPORTING TO VMS: Manual, difficult to use, questionable | Compliance Checking & Reporting of Assets |
Manpower Savings | CYBER COMMAND READINESS INSPECTION (CCRI): Manual, partial check, labor intensive; CERTIFICATION AND ACCREDITATION (C&A): Manual, duplicative, labor intensive | Continuous Monitoring of Assets |
Improve Security Posture | INFORMATION ASSURANCE VULNERABILITY MANAGEMENT (IAVM): Manual, inconsistent, unknown; PATCHING: Manual, labor intensive, inconsistent | Patch the GIG |