CA.L2-3.12.3 Security Control Monitoring

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Source: NIST SP 800-171 Rev 2 3.12.3

Discussion: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. [SP 800-137] provides guidance on continuous monitoring.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Security planning policy; organizational procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan; records of security plan reviews and updates; other relevant documents or records].

Interview: [SELECT FROM: Personnel with security planning and plan implementation responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Organizational processes for security plan development, review, update, and approval; mechanisms supporting the security plan].

SPRS Score: 5

POA&M Allowed: No