Requirement text: CA.3.161: Monitor security controls on an ongoing basis to ensure the continued
effectiveness of the controls.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities,
and information security to support organizational risk management decisions. The terms
continuous and ongoing imply that organizations assess and analyze security controls and
information security-related risks at a frequency sufficient to support risk-based decisions.
The results of continuous monitoring programs generate appropriate risk response actions
by organizations. Providing access to security information on a continuing basis through
reports or dashboards gives organizational officials the capability to make effective and
timely risk management decisions. Automation supports more frequent updates to
hardware, software, firmware inventories, and other system information. Effectiveness is
further enhanced when continuous monitoring outputs are formatted to provide
information that is specific, measurable, actionable, relevant, and timely. Monitoring
requirements, including the need for specific monitoring, may also be referenced in other
requirements.
CMMC CLARIFICATION
You should provide a plan for monitoring and assessing the state of security controls on a
recurring basis that occurs more frequently than the periodic assessments discussed in
CA.2.158. This process provides a mechanism to assess the overall security posture of your
organization. As a result the process not only maintains awareness of vulnerabilities and
threats, but also informs management of the effectiveness of the security controls in
determining if security controls are current and for management to make an acceptable risk
decision.
Example
As the lead for cybersecurity at your organization your boss has asked you to ensure that
any requirements for cybersecurity are met. Since the organization supports Department of
Defense (DoD) contracts you are aware that contractors must meet specific compliance
requirements. You review those requirements and the associated preventative, detective, or
responsive security controls you’ve implemented to identify any gaps. With your list of
compliance requirements and actual security controls in place you create a plan of action to
evaluate each control regularly over the next year. You mark several controls to be evaluated
by a third party security assessor. After reviewing the list with several colleagues in IT you
assign them responsibility to evaluate controls within their area of responsibility. The
remaining controls are assigned to members of the IT cybersecurity team. To ensure
progress you establish recurring meetings with the accountable IT staff to assess continuous
monitoring progress, review security information, evaluate risks from gaps in continuous
monitoring, and produce reports for your executives.
References
• NIST SP 800-171 Rev 1 3.12.3
• NIST CSF v1.1 PR.IP-7, DE.DP-5
• CERT RMM v1.2 MON:SG1.SP1
• NIST SP 800-53 Rev 4 CA-7