PM-31—Continuous Monitoring Strategy
Supplemental Guidance
Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies.
The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions.
To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with the organizational risk tolerance defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as AC-02g, AC-02(07), AC-02(12)(a), AC-02(07)(b), AC-02(07)(c), AC-17(01), AT-04a, AU-13, AU-13(01), AU-13(02), CA-07, CM-03f, CM-06d, CM-11c, IR-05, MA-02b, MA-03a, MA-04a, PE-03d, PE-06, PE-14b, PE-16, PE-20, PM-06, PM-23, PS-07e, SA-09c, SC-05(03)(b), SC-07a, SC-07(24)(b), SC-18b, SC-43b, SI-04.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is the process for developing and maintaining privacy incident response capabilities?
- How does the organization integrate privacy incident response with security incident response?
- Who is responsible for overseeing privacy incident response?
- What constitutes a privacy incident, and how are they reported and escalated?
- What governance exists for learning from and improving privacy incident response?
Technical Implementation:
- What systems or tools support privacy incident response?
- How are privacy incidents detected and reported?
- What integration exists between privacy incident response and security incident response tools?
- How are privacy breach notifications generated and delivered?
Evidence & Documentation:
- Provide privacy incident response plan documentation.
- Provide privacy incident records from the past year.
- Provide evidence of privacy incident investigation and response.
- Provide breach notification records if applicable.
- Provide documentation of privacy incident lessons learned and improvements.