FISMA & NIST RMF

Continuous Monitoring (NIST)

Information Security Continuous Monitoring (ISCM), as defined in NIST SP 800-137, is the process of maintaining ongoing awareness of information security, vulnerabilities, and threats to support agency risk management decisions. ISCM is broader than the monthly evidence cadence used in FedRAMP: it specifies a tiered governance structure (organization, mission/business process, and system) and requires the agency to define its own metrics, monitoring frequencies, and reporting channels.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.