CONTINUOUS MONITORING STRATEGY—SYSTEM
TASK S-5
Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy.
Potential Inputs: Organizational risk management strategy; organizational continuous monitoring strategy; organization- and system-level risk assessment results; security and privacy plans; organizational security and privacy policies.
Expected Outputs: Continuous monitoring strategy for the system including time-based trigger for ongoing authorization.
Primary Responsibility: System Owner; Common Control Provider.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Authorizing Official or Authorizing Official Designated Representative; Information Owner or Steward; Security Architect; Privacy Architect; Systems Security Engineer; Privacy Engineer; System Security Officer; System Privacy Officer.
System Development Life Cycle Phase: New – Development/Acquisition. Existing – Operations/Maintenance.
Discussion: An important aspect of risk management is the ongoing monitoring of controls implemented within or inherited by an information system. An effective continuous monitoring strategy at the system level is developed and implemented in coordination with the organizational continuous monitoring strategy early in the SDLC (i.e., during initial system design or procurement decision). The system-level continuous monitoring strategy is consistent with and supplements the continuous monitoring strategy for the organization. The system-level strategy addresses monitoring those controls for which monitoring is not provided as part of the continuous monitoring strategy and implementation for the organization. The system-level strategy identifies the frequency of monitoring for controls not addressed by the organization-level strategy and defines the approach to be used for assessing those controls. The system- level continuous monitoring strategy, consistent with the organizational monitoring strategy, defines how changes to the system and the environment of operation81 are to be monitored; how risk assessments are to be conducted; and the security and privacy posture reporting requirements including recipients of the reports. The system-level continuous monitoring strategy can be included in security and privacy plans.82
For controls that are not addressed by the organizational continuous monitoring strategy, the system- level continuous monitoring strategy identifies the criteria for determining the frequency with which controls are monitored post-implementation and the plan for the ongoing assessment of those controls. The criteria are established by the system owner or common control provider in collaboration with other organizational officials (e.g., the authorizing official or designated representative; senior accountable official for risk management or risk executive [function]; senior agency information security officer; senior agency official for privacy; and chief information officer). The frequency criteria at the system level reflect organizational priorities and the importance of the system to the organization’s operations and assets, individuals, other organizations, and the Nation. Controls that are volatile (i.e., where the control or the control implementation is most likely to change over time),83 critical to certain aspects of the protection needs for the organization, or identified in plans of action and milestones, may require more frequent assessment. The approach to control assessments during continuous monitoring may include reuse of assessment procedures and results that supported the initial authorization decision; detection of the status of system elements; and analysis of historical and operational data.
The authorizing official or designated representative approves the continuous monitoring strategy and the minimum frequency with which each control is to be monitored. The approval of the strategy can be obtained in conjunction with the security and privacy plan approval. The monitoring of controls begins at the start of the operational phase of the SDLC and continues through the disposal phase.
References: [SP 800-30]; [SP 800-39] (Organization, Mission or Business Process, System Levels); [SP 800- 53]; [SP 800-53A]; [SP 800-137]; [SP 800-161]; [IR 8011 v1]; [CNSSI 1253]; [NIST CSF] (Core [Detect Function]).
81 Changes to the operating environment (including the supply chain) may create vulnerabilities (e.g., availability of software patches, changes in supplier ownership providing services, maintenance, repair parts or other support).
82 The Privacy Continuous Monitoring (PCM) strategy includes all of the available privacy controls implemented throughout the organization at all risk management levels (i.e., organization, mission/business process, and system). The strategy ensures that the controls are monitored on an ongoing basis by assigning an organization-defined assessment frequency to each control that is sufficient to ensure compliance with applicable privacy requirements and to manage privacy risks. If, during the development of a new system, there is a need to create or use a privacy control not included in the PCM strategy, the senior agency official for privacy is consulted to determine whether it is appropriate for the proposed use case. If there is a decision to implement a new privacy control, the organization’s PCM strategy is updated to include the new control with an organization-defined monitoring frequency.
83 Volatility is most prevalent in those controls implemented in the hardware, software and firmware elements of the system. For example, replacing or upgrading an operating system, a database system, application, or a network router may change the security controls provided by the vendor or original equipment manufacturer. Configuration settings may also require adjustments as organizational missions, business functions, threats, risks, and risk tolerance change.