CA-07-727 Continuous Monitoring

Continuous Monitoring

Control ID

CA-07-727

Control Name

Continuous Monitoring

Control Category

Security Assessment and Authorization

Functional Areas

Identify

Sub-Areas

Control Oversight and Safeguard Assurance, Security Compliance and Regulatory Requirements

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

August 24, 2016

Agency Implementation

The agency shall provide a continuous monitoring capability for all Agency-owned information resources that provides an assesment of each resource's security control compliance and network activity on at least a weekly basis. The chief information security officer shall review the assessments and communicate areas of concern to the appropriate information resource owner for remediation.

Risk Statement

Known violations of security policy are not properly mitigated due to ineffective compliance and/or self-assessment activities.

Control Description

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Control Example

A continuous monitoring strategy such as automated and other periodic manual checkpoints is defined.

State Implementation

The state organization monitors the security controls in the information system on an ongoing basis.

Testing Procedures

Obtain certification and accreditation policy; procedures addressing continuous monitoring of information system security controls; NIST Special Publications 800-37 and 800-53A; security plan; security assessment report; plan of action and milestones; information system monitoring records; security impact analyses; status reports; security plan; other relevant documents or records and ascertain if: (I)the organization monitors the security controls in the information system on an ongoing basis. (ii)the organization employs a security control monitoring process consistent with NIST Special Publications 800-37 and 800-53A. (iii)the organization conducts security impact analyses on changes to the information system. (iv)the organization documents and reports changes to or deficiencies in the security controls employed in the information system.