This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: (M) at least the minimum requirement as defined in control CA-7; (H) at least the minimum requirement as defined in control CA-7].
NIST 800-53 (r4) Supplemental Guidance:
The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7.
NIST 800-53 (r5) Discussion:
The objective of continuous monitoring plans is to determine if the planned, required, and deployed controls within the system, system component, or system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into continuous monitoring programs implemented by organizations. Continuous monitoring plans can include the types of control assessment and monitoring activities planned, frequency of control monitoring, and actions to be taken when controls fail or become ineffective.
38North Guidance:
Meets Minimum Requirement:
CSP must develop and document a continuous monitoring plan that is consistent with the requirements listed in CA-7. CSP must use the same security standards regardless of where the system component or information system service is acquired.
Best Practice:
Refer to CA-7, Continuous Monitoring.
Unofficial FedRAMP Guidance:
Refer to CA-7, Continuous Monitoring.
Assessment Evidence:
Continuous Monitoring Plan for the IT products/goods acquired.
Samples of acquisition contracts or documented evidence to show:
Security requirements are addressed
A description of the product is provided
The security controls employed by the product
A plan for continuous monitoring is produced
The functions, ports, protocols, and services required for operation are defined
Testing performed on acquired product prior to implementation
CSP Implementation Tips:
None.