Level 5 CMMC - CMMC Practices

CA.3.161  

Reference: CMMC 1.02

Family: CA

Level Introduced: 3

Practice:
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

CMMC Clarification:
You should provide a plan for monitoring and assessing the state of security controls on a recurring basis that occurs more frequently than the periodic assessments discussed in CA.2.158. This process provides a mechanism to assess the overall security posture of your organization. As a result the process not only maintains awareness of vulnerabilities and threats, but also informs management of the effectiveness of the security controls in determining if security controls are current and for management to make an acceptable risk decision.

Example
As the lead for cybersecurity at your organization your boss has asked you to ensure that any requirements for cybersecurity are met. Since the organization supports Department of Defense (DoD) contracts you are aware that contractors must meet specific compliance requirements. You review those requirements and the associated preventative, detective, or responsive security controls you’ve implemented to identify any gaps. With your list of compliance requirements and actual security controls in place you create a plan of action to evaluate each control regularly over the next year. You mark several controls to be evaluated by a third party security assessor. After reviewing the list with several colleagues in IT you assign them responsibility to evaluate controls within their area of responsibility. The remaining controls are assigned to members of the IT cybersecurity team. To ensure progress you establish recurring meetings with the accountable IT staff to assess continuous monitoring progress, review security information, evaluate risks from gaps in continuous monitoring, and produce reports for your executives.

3.12.3

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Discussion:
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions.

Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements.

[SP 800-137] provides guidance on continuous monitoring.

Source: NIST Special Publication 800-171 Rev. 2

CA-7

CONTINUOUS MONITORING

Description:
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
    a. Establishment of [Assignment: organization-defined metrics] to be monitored;
    b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
    c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
    d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
    e. Correlation and analysis of security-related information generated by assessments and monitoring;
    f. Response actions to address results of the analysis of security-related information; and
    g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Supplemental Guidance:
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02