CONTINUOUS MONITORING STRATEGY—ORGANIZATION
Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.
Potential Inputs: Risk management strategy; organization- and system-level risk assessment results; organizational security and privacy policies.
Expected Outputs: An implemented organizational continuous monitoring strategy.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function).
Supporting Roles: Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Mission or Business Owner; System Owner; Authorizing Official or Authorizing Official Designated Representative.
Discussion: An important aspect of risk management is the ability to monitor the security and privacy posture across the organization and the effectiveness of controls implemented within or inherited by organizational systems on an ongoing basis.[64] An effective organization-wide continuous monitoring strategy is essential to carrying out such monitoring efficiently and cost-effectively. Continuous monitoring strategies can also include supply chain risk considerations, for example, regularly reviewing supplier foreign ownership, control, or influence (FOCI), monitoring inventory forecasts, or requiring ongoing audits of suppliers. The implementation of a robust and comprehensive continuous monitoring program helps an organization understand the security and privacy posture of its information systems. It also facilitates ongoing authorization after the initial system or common control authorizations, including when missions or business functions, stakeholders, technologies, vulnerabilities, threats, risks, or suppliers of systems, components, or services change.
The organizational continuous monitoring strategy addresses monitoring requirements at the organization, mission/business process, and information system levels. The continuous monitoring strategy identifies the minimum monitoring frequency for implemented controls across the organization; defines the ongoing control assessment approach; and describes how ongoing assessments are to be conducted (e.g., addressing the use and management of automated tools, and instructions for ongoing assessment of controls for which monitoring cannot be automated). The continuous monitoring strategy may also define security and privacy reporting requirements, including the recipients of the reports. The criteria for determining the minimum frequency for control monitoring are established in collaboration with organizational officials (e.g., senior accountable official for risk management or risk executive [function]; senior agency information security officer; senior agency official for privacy; chief information officer; system owners; common control providers; and authorizing officials or their designated representatives). An organizational risk assessment can be used to guide and inform the frequency of monitoring.
The use of automation facilitates a greater frequency and volume of control assessments as part of the monitoring process. The ongoing monitoring of controls using automated tools and supporting databases facilitates near real-time risk management for information systems and supports ongoing authorization and efficient use of resources. The senior accountable official for risk management or the risk executive (function) approves the continuous monitoring strategy including the minimum frequency with which controls are to be monitored.
References: [SP 800-30]; [SP 800-39] (Organization, Mission or Business Process, System Levels); [SP 800-53]; [SP 800-53A]; [SP 800-137]; [SP 800-161]; [IR 8011 v1]; [IR 8062]; [NIST CSF] (Core [Identify, Detect Functions]); [CNSSI 1253].
MISSION/BUSINESS PROCESS (LEVEL 2) CONSIDERATIONS
Mission/business process considerations are addressed in the RMF Prepare-Organization Level step and the RMF Prepare-System Level step by specifying mission/business process concerns; by identifying the mission or business owners in primary or supporting roles; and by identifying the mission or business objectives. Task P-8 and Task P-9 from the RMF Prepare-System Level step are mission/business process level tasks conducted with a system-level specific focus.
[64] Monitoring for control effectiveness is a form of control assessment. [SP 800-137], [SP 800-53A], and [IR 8011 v1] provide additional information on monitoring, conducting control effectiveness assessments, and automating control effectiveness assessments, respectively.