Control: The organisation develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
E. Correlation and analysis of security-related information generated by assessments and monitoring;
G. Reporting the security status of organisation and the information system to `{`Assignment: organisation-defined personnel or roles`}` `{`Assignment: organisation-defined frequency`}`.
Supplemental Guidance: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organisational risk management decisions. The terms continuous and ongoing imply that organisations assess/analyse security controls and information security-related risks at a frequency sufficient to support organisational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organisations. Continuous monitoring programs also allow organisations to maintain the security authorisations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organisational officials the capability to make more effective and timely risk management decisions, including ongoing security authorisation decisions. Automation supports more frequent updates to security authorisation packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.
Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.
Continuous Monitoring Control Enhancements:
CA-7 (1) Continuous Monitoring - Independent Assessment
The organisation employs assessors or assessment teams with [Assignment: organisation-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
Supplemental Guidance: Organisations can maximise the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organisations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organisations they are serving; or (iv) place themselves in advocacy positions for the organisations acquiring their services.
CA-7 (2) Continuous Monitoring - Types of Assessments
[Withdrawn: Incorporated into CA-2].
CA-7 (3) Continuous Monitoring - Trend Analyses
The organisation employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
Supplemental Guidance: Trend analyses can include, for example, examining recent threat information regarding the types of threat events that have occurred within the organisation or across the federal government, success rates of certain types of cyber attacks, emerging vulnerabilities in information technologies, evolving social engineering techniques, results from multiple security control assessments, the effectiveness of configuration settings, and findings from Inspectors General or auditors.