Doc:NIST SP 800-53r3 Appendix F/CA-7
CA-7 CONTINUOUS MONITORING
- Control: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
- a. A configuration management process for the information system and its constituent components;
- b. A determination of the security impact of changes to the information system and environment of operation;
- c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
- d. Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].
- Supplemental Guidance: A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management and promotes organizational situational awareness with regard to the security state of the information system. The implementation of a continuous monitoring program results in ongoing updates to the security plan, the security assessment report, and the plan of action and milestones, the three principal documents in the security authorization package. A rigorous and well executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system. Continuous monitoring activities are scaled in accordance with the security categorization of the information system. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4.
- Control Enhancements: