Continuous Monitoring—It’s Not (Just) About The Tools

by Annette Leonard
BAI Consulting

Continuous Monitoring has long been recognized as a critical element in maintaining a strong security posture for any IT system.  In spite of this, the risk management processes used in most federal agencies have traditionally been centered around mountains of paperwork, along with “point-in-time” assessments and approvals.  With the ascension of RMF, continuous monitoring is finally getting the “emphasis” it deserves.

NIST security control CA-7 lays down the fundamental requirement that every information system be covered by a continuous monitoring program:

“The organization establishes a continuous monitoring strategy and implements a program that includes:

  • A configuration management process for the information system and its constituent components
  • A determination of the security impact of changes to the information system and its environment
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy
  • Reporting the security state of the information system to appropriate organizational officials [at an organization-defined frequency]”

While automated tools are necessary for the organization’s continuous monitoring program, they are not sufficient. Automation will only provide meaningful, actionable results when it is employed in the context of a comprehensive strategy and a well thought out implementation program. NIST Special Publication 800-137 is an excellent resource for further information.
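To show how small the automated piece of CA-7 really is, here is an added example (not from the original post, BAI Consulting or ITdojo) that walks through the four elements listed above: a managed baseline, a security-impact determination for whatever drifted, an ongoing assessment against that baseline, and a status record that is reported on an organization-defined cycle. The setting names, impact ratings, snapshot and 30-day cycle are constructed assumptions; they are exactly the strategy decisions the organization, not the tool, has to make.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed baseline (hypothetical setting names): setting -> (expected value, impact if it drifts).
# Choosing what goes in here, and how bad a drift is, is part of the monitoring strategy.
BASELINE = {
    "ssh.PermitRootLogin": ("no", "high"),
    "ssh.PasswordAuthentication": ("no", "moderate"),
    "audit.enabled": ("yes", "high"),
    "ntp.server": ("time.example.internal", "low"),
}
IMPACT_RANK = {"none": 0, "low": 1, "moderate": 2, "high": 3}

@dataclass
class Finding:
    setting: str
    expected: str
    observed: Optional[str]   # None when the setting is missing from the snapshot
    impact: str

def assess(observed: Dict[str, str]) -> List[Finding]:
    """Elements 1 and 3: compare the observed snapshot against the managed baseline."""
    return [Finding(s, exp, observed.get(s), imp)
            for s, (exp, imp) in BASELINE.items() if observed.get(s) != exp]

def security_impact(findings: List[Finding]) -> str:
    """Element 2: the security impact of the changes is driven by the worst single finding."""
    return max((f.impact for f in findings), key=IMPACT_RANK.__getitem__, default="none")

def report(observed: Dict[str, str], last_report: str, now: str, frequency_days: int = 30) -> dict:
    """Element 4: build the status record and decide whether it must go to the officials now.
    Timestamps are ISO-8601 strings; a high-impact drift escalates ahead of the normal cycle."""
    findings = assess(observed)
    impact = security_impact(findings)
    elapsed = datetime.fromisoformat(now) - datetime.fromisoformat(last_report)
    due = elapsed >= timedelta(days=frequency_days) or impact == "high"
    return {"timestamp": now, "impact": impact, "report_due": due,
            "drifted": sorted(f.setting for f in findings)}

if __name__ == "__main__":
    # Constructed snapshot: root login re-enabled, NTP server changed, audit setting absent
    snapshot = {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
                "ntp.server": "pool.example.org"}
    print(report(snapshot, "2024-01-01T00:00:00", "2024-01-10T00:00:00"))
```

The interesting decisions (what the baseline contains, how impact is rated, how often officials are briefed, when to escalate early) all live in the data and the policy, which is the point: the script is cheap, the strategy behind it is not.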

ITdojo provides an Information Security Continuous Monitoring training program that thoroughly covers the theory and practice of continuous monitoring. This training program is both on-site and online (instructor-led) and is available for registration now!

Relevant to this, we also offer two Risk Management Framework courses. They are:

If you would like more information about these courses, please contact nick@itdojo.com today!