Overview:
Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Action Items:
3.12.3[a]
Determine if: security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1. Examine: Security planning policy; organizational procedures addressing system security plan development and implementation; procedures addressing system security plan reviews and updates; enterprise architecture documentation; system security plan; records of system security plan reviews and updates; other relevant documents or records.
2. Interview: Personnel with security planning and system security plan implementation responsibilities; personnel with information security responsibilities.
3. Test: Organizational processes for system security plan development, review, update, and approval; mechanisms supporting the system security plan.
Related Documents (document name and content will vary by organization):
1) Security planning policy
2) Organizational procedures addressing system security plan development and implementation
3) Procedures addressing system security plan reviews and updates
4) Enterprise architecture documentation
5) System security plan
6) Records of system security plan reviews and updates
7) Other relevant documents or records
Additional Guidance:
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make more effective and timely risk management decisions.
Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely.
Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. NIST Special Publication 800-137 provides guidance on continuous monitoring.
Article ID: 191
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-continuous-monitoring-3-12-3-191.html