
3.12.3 Security Assessment - Basic

Basic Requirement

>Control Description

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

>Discussion

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations.

Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely.

Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. [SP 800-137] provides guidance on continuous monitoring.

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern monitoring security controls on an ongoing basis?
  • What procedures define continuous monitoring activities?
  • Who is responsible for ongoing security control monitoring?
  • How often are monitoring results reviewed?
  • What governance ensures continuous monitoring effectiveness?

Technical Implementation:

  • What continuous monitoring tools are deployed?
  • How do you automate security control status tracking?
  • What SIEM or log aggregation supports monitoring?
  • What dashboards provide real-time security posture visibility?
  • What alerting notifies of control failures or anomalies?

Evidence & Documentation:

  • Can you demonstrate continuous monitoring implementation?
  • What reports show ongoing security control status?
  • Can you provide dashboards or monitoring outputs?
  • What evidence shows monitoring data informs security decisions?
  • What audit findings verify continuous monitoring compliance?
