The concept of continuous monitoring has always existed. Everything that requires a periodic assessment by default requires continuous monitoring. The concept of continuous monitoring is a proactive measure that should be taken by every organization regardless of size to ensure information system (IS) configurations meet requirements and perform effectively and efficiently.
PURPOSE OF CONTINUOUS COMPLIANCE MONITORING
There are some important compliance requirements that call out continuous monitoring.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800 137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, defines Information Security Continuous Monitoring (ISCM) as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
DFARS: DFARS 252.204-7019 (NIST SP 800-171) and 252.204-7021 (CMMC) Requirement:
NIST SP 800-171 -3.12.3: SECURITY CONTROL MONITORING: "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls."
It specifically requires that security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. Unfortunately, the concept of continuous monitoring has been implemented in many organizations as a reactive measure, which contradicts the purpose of continuous monitoring.
HOW TO BE PROACTIVE
How can we change it from reactive to proactive? The answer to this question might seem easy to many policymakers. However, the answer is not as simple for the organizations that must comply with those policies. A proactive approach might seem impossible because it increases the resources required to maintain the IS while budgets are constrained.
Despite the answers from policymakers and stakeholders, the reality is that it is time to take a proactive approach and face the challenges that come with developing a realistic continuous monitoring strategy. A continuous monitoring strategy considers the frequency of ongoing assessments and resources required to maintain compliance. Furthermore, a strategy can be implemented into a Continuous Monitoring Plan and reduce the cost of reauthorization.
An effective Continuous Monitoring Plan will include a schedule of controls review. This will vary based on component monitoring infrastructure, the specific technologies used by the system, and the application of the system. The schedule can be phased, much like vehicle maintenance, with varying basis depending on the components and specific technologies of the vehicle. For example, some vehicles require engine oil and filter change every 6 months or 5,000 miles, while others require the same service every 12 months or 10,000 miles. The same concept of vehicle maintenance intervals applies to the concept of continuous monitoring.
At SecureStrux, we incorporate the concept of a car maintenance schedule to assist companies with meeting the continuous monitoring requirements. Please visit our website for more information on our Advisory Services and Continuous Compliance Monitoring services.
Ignoring key strategies for a Continuous Monitoring Plan is a poor decision that will increase the overall cost,
but most importantly, it will fail to deliver resilient capabilities to the warfighter.
Security+, Cybersecurity Analyst
Advisory Services for Continuous Compliance Monitoring, NIST RMF, and CMM