Assessing Information Security Continuous Monitoring in the Federal Government


  • Tina AlSadhan Syracuse University
  • Joon Park Syracuse University



To confront the relentless and increasingly sophisticated cyber assaults from cybercriminals, nation-state actors, and other adversaries, the U.S. Federal Government must have mechanisms to reduce or eliminate compromise and debilitating consequences. Information Security Continuous Monitoring (ISCM) leverages technology to rapidly detect, analyze, and prioritize vulnerabilities and threats and deliver a data-driven, risk-based approach to cybersecurity.  Although monitoring information system security became a requirement for government agencies over 20 years ago and billions of dollars are being spent annually for cybersecurity, ISCM remains at a low maturity level across the Federal Government.  This research framework presented is part of ongoing doctoral research.  The research seeks to identify the challenges achieving an effective ISCM program and inform measures needed to optimize ISCM.   The research involves conducting an ISCM Program Assessment in a Department of Defense (DoD) organization using the recently published National Institute of Standards and Technology (NIST) ISCM Assessment (ISCMA) methodology and the companion assessment tool ISCMAx.  An ISCM doctrine placement is presented, derived from the NIST ISCM assessment elements, to more clearly articulate and visualize the doctrine of a well-designed and well-implemented ISCM program.  This research will also contribute to the knowledge base for assessing ISCM in the Federal government and the functionality of the ISCMAx tool.  

Author Biographies

Tina AlSadhan, Syracuse University

Ms. Tina AlSadhan has over 25 years of experience working in Information Technology and Cyber Security within the United States Department of Defense. She holds the following professional certifications: CISSP, CISA, and CISM. She is presently working towards a doctorate degree with her research focused on Cyber Security, specifically, Information Security Continuous Monitoring, in the United States Federal government.

Joon Park, Syracuse University

Dr. Joon S. Park is a Professor at the School of Information Studies (iSchool), Syracuse University, Syracuse, New York, USA. Over the past decades Prof. Park has been involved with theoretical/practical research, education, and services in information and systems security. He is Syracuse University’s Point of Contact (POC) for the Center of Academic Excellence (CAE) in Information Assurance/Cyber Defense programs, which are designated by the National Security Agency (NSA) and the Department of Homeland Security (DHS).