
ONGOING ASSESSMENTS

TASK M-2

Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy.
Potential Inputs: Organizational continuous monitoring strategy and system level continuous monitoring strategy (if applicable); security and privacy plans; security and privacy assessment plans; security and privacy assessment reports; plans of action and milestones; information from automated and manual monitoring tools; organization- and system-level risk assessment results; external assessment or audit results (if applicable).
Expected Outputs: Updated security and privacy assessment reports.
Primary Responsibility: Control Assessor.
Supporting Roles: Authorizing Official or Authorizing Official Designated Representative; System Owner or Common Control Provider; Information Owner or Steward; System Security Officer; System Privacy Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
System Development Life Cycle Phase: New – Operations/Maintenance. Existing – Operations/Maintenance.
Discussion: After an initial system or common control authorization, the organization assesses all controls on an ongoing basis. Ongoing assessment of control effectiveness is part of the continuous monitoring activities of the organization. The monitoring frequency for each control is based on the organizational continuous monitoring strategy (see Task P-7) and can be supplemented by the system-level continuous monitoring strategy (see Task S-5). Adherence to the terms and conditions specified by the authorizing official as part of the authorization decision is also monitored (see Task M-1). Ongoing control assessment continues as the information generated as part of continuous monitoring is correlated, analyzed, and reported to senior leaders.

For ongoing control assessments, assessors have the required degree of independence as determined by the authorizing official.107 Assessor independence during continuous monitoring introduces efficiencies into the process and may allow for reuse of assessment results in support of ongoing authorization and when reauthorization is required.

To satisfy the annual FISMA security assessment requirement, organizations can use assessment results from control assessments that occurred during authorization, ongoing authorization, or reauthorization; during continuous monitoring; or during the testing and evaluation of systems as part of the SDLC or an audit (provided the assessment results are current, relevant to the determination of control effectiveness, and obtained by assessors with the required degree of independence). Existing assessment results are reused consistent with the reuse policy established by the organization and are supplemented with additional assessments as needed. The reuse of assessment results helps achieve a cost-effective security program capable of producing the evidence necessary to determine the security posture of information systems and the organization. Finally, the use of automation to support control assessments facilitates a greater frequency, volume, and coverage of assessments.

References: [SP 800-53A]; [SP 800-137]; [SP 800-160 v1] (Verification, Validation, Operation, and Maintenance Processes); [IR 8011 v1].


107 In accordance with [OMB A-130], an independent evaluation of privacy programs and practices is not required. However, an organization may choose to employ independent privacy assessments at the organization’s discretion.