This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [FedRAMP Assignment: (L)(M)(H) to meet Federal and FedRAMP requirements].
CA-7 Additional FedRAMP Requirements and Guidance: Operating System Scans: at least monthly. Database and Web Application Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
CA-7 Additional FedRAMP Requirements and Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
CA-7 Additional FedRAMP Requirements and Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Continuous Monitoring Strategy Guide (https://www.FedRAMP.gov/documents/).
NIST 800-53 (r4) Supplemental Guidance:
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.
References: OMB Memorandum 11-33; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137; US-CERT Technical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts.
NIST 800-53 (r5) Discussion:
Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.
Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, and SI-4.
38North Guidance:
Meets Minimum Requirement:
Develop and document a continuous monitoring strategy and program that includes: the organizational metrics, requirements, and security controls to be monitored; the frequencies at which those metrics, requirements, and controls will be assessed (ongoing, annually, etc.); the processes and automated tools that support the program; the data and information that are analyzed and correlated when reviewing results; and the reports that are produced from continuous monitoring activities.
Report the security status of the organization and the information system to [FedRAMP Assignment: (L)(M)(H) to meet Federal and FedRAMP requirements] (e.g., OMB Circular A-130).
Best Practice:
Establish recurring meetings to discuss the continuous monitoring strategy, program, and metrics.
Program management personnel should manage the tasks and activities associated with corrective actions as part of continuous monitoring activities.
Operations and security must coordinate monitoring activities to accurately reflect the capabilities of the organization and the technology implemented within the environment.
Unofficial FedRAMP Guidance:
Ensure the following scans are performed:
Operating System Scans: at least monthly.
Database and Web Application Scans: at least monthly.
All scans performed by Independent Assessor: at least annually.
CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.
See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Continuous Monitoring Strategy Guide (https://www.FedRAMP.gov/documents/).
Assessment Evidence:
Completed Continuous Monitoring Template (if applicable).
Copy of Continuous Monitoring Plan.
Copy of Continuous Monitoring Reports from the previous year.
Copies of the last three months of Operating System Scans, Database Scans, and Web Application Scans.
Sample of continuous monitoring status reports.
CSP Implementation Tips:
None.