Continuous Monitoring Phase 6 Q3

  • Continuous Monitoring Phase involves the following steps:
    • Information System Environment Changes
    • Ongoing Security Control Assessment
    • Key Updates
    • Ongoing Remediation Action
    • Security Status Reporting
    • Ongoing Risk Determination and Acceptance
    • Information System Removal and Decommission
  • NIST Publication
    • SP 800-137
    • SP 800-53,
    • SP 800-53A
    • SP 800-30
  • Information System Environment Changes:
    • Any change to the system my follows a Change Control Process
    • System Inventory/Component needs to be current, accurate and updated regularly
  • Develop a Configuration Management Plan and Procedure
  • Implement an Asset Management tool-Dell Asset Manager, SAM
  • This step is handled by the system owner and ISSO
  • Ongoing Security Control Assessment
  • Test one third of the NIST recommended control on annual basis
  • Monitor SANS Top 20 critical control on an ongoing basis
  • Scan system for weaknesses frequently at least monthly or whenever there is a major change to the system
  • Implement automated tools such as
    • Vulnerability Management Tools-Tenable security
    • Patch Management tools-IBM Tivoli Endpoint Manager
  • This step is handled by the system Owner, ISSO and C&A analyst
  • Ongoing Remediation Action:
    • Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones
    • This step is handled by the system Owner, ISSO and C&A analyst
    • Key Updates
    • Update the following documentation on regular basis in line with the ongoing security assessment results
      • System Security Plan (SSP)
      • Security Assessment Report (SAR)
      • Plan of Action and Milestone (POA&M)
    • This step is handled by the system Owner, ISSO and C&A analyst

Security Status Reporting

Report the security status of the information system to the authorizing official and on an ongoing basis in accordance with the monitoring strategy by submitting the following:

  • System security Plan (SSP)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestone (POA&M)

This step is handled by the system Owner, ISSO and C&A analyst

  • Ongoing Risk Determination and Acceptance
    • The authorizing official reviews the reported security status (SSP, POAM and SAR) of the information system on an ongoing basis (usually annually assessment and every 3 years for recertification), to determine the current risk to organizational operations and assets, individuals, other organizations, or the Nation.
    • The authorizing official determines, whether the current risk is acceptable and forwards appropriate direction to the information system owner
    • ISSO issues Annual Assessment Letter showing system went through the annual NIST security control assessment
  • New directive Ongoing Authorization Event and time driven (More frequent). More dynamic not static
  • Information System Removal and Decommission
  • Implement an information system decommissioning strategy (Policy and procedures for decommissioning system) required actions when a system is removed from service
  • Update system inventory and organization inventory accordingly
error: Content is protected !!