The Continuous Monitoring phase involves the following steps:
- Information System and Environment Changes: Monitor changes to the system and its operating environment and maintain an accurate system inventory, using an asset management tool. Handled by the System Owner and ISSO.
- Ongoing Security Control Assessments: Assess a subset of the NIST SP 800-53 controls each year (commonly one third, so every control is assessed within a three-year cycle), scan the system for weaknesses, and operate vulnerability and patch management tooling. Handled by the System Owner, ISSO and C&A analyst.
- Ongoing Remediation Actions: Take steps to remediate open POA&M items. Handled by the System Owner, ISSO and C&A analyst.
- Key Updates: Update the SSP, POA&M and SAR to reflect changes, assessment results and remediation. Handled by the System Owner, ISSO and C&A analyst.
- Security Status Reporting: Submit the SSP, SAR and POA&M to the AO for review and direction. Handled by the System Owner and ISSO.
- Ongoing Risk Determination and Acceptance: The AO reviews the SSP, SAR and POA&M, decides whether the residual risk remains acceptable, and gives direction to the ISSO and System Owner. Handled by the AO, who issues the annual assessment letter.
- Information System Removal and Decommissioning: Follow organizational policy and procedures for decommissioning the system (including disposition of data and media), then update the system inventory and the organization-wide inventory accordingly. Handled by the System Owner and ISSO.
- NIST publications referenced:
  - SP 800-137 (Information Security Continuous Monitoring)
  - SP 800-53 (Security and Privacy Controls)
  - SP 800-53A (Assessing Security and Privacy Controls)
  - SP 800-30 (Guide for Conducting Risk Assessments)