PM-31 Continuous Monitoring Strategy
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:
a. Establishing the following organization-wide metrics to be monitored: pm-31_odp.01;
b. Establishing pm-31_odp.02 for monitoring and pm-31_odp.03 for assessment of control effectiveness;
c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
d. Correlation and analysis of information generated by control assessments and monitoring;
e. Response actions to address results of the analysis of control assessment and monitoring information; and
f. Reporting the security and privacy status of organizational systems to pm-31_prm_4 pm-31_prm_5.
| Parameter ID | Definition |
|---|---|
| pm-31_prm_4 | organization-defined personnel or roles (aggregates pm-31_odp.04 and pm-31_odp.05) |
| pm-31_prm_5 | organization-defined frequency (aggregates pm-31_odp.06 and pm-31_odp.07) |
| pm-31_odp.01 | metrics |
| pm-31_odp.02 | monitoring frequencies |
| pm-31_odp.03 | assessment frequencies |
| pm-31_odp.04 | personnel or roles |
| pm-31_odp.05 | personnel or roles |
| pm-31_odp.06 | frequency |
| pm-31_odp.07 | frequency |
Baselines
- L
- M
- H
- P
Guidance
Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as [AC-2g](#ac-2_smt.g), AC-2(7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), AC-17(1), [AT-4a](#at-4_smt.a), AU-13, AU-13(1), AU-13(2), CA-7, [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), IR-5, [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), PE-6, [PE-14b](#pe-14_smt.b), PE-16, PE-20, PM-6, PM-23, [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b), SI-4.
References 4
- SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
- SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
- SP 800-137 Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137.
- SP 800-137A Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A.
Related controls 50
- AC-02 Account Management
- AC-06 Least Privilege
- AC-17 Remote Access
- AT-04 Training Records
- AU-06 Audit Record Review, Analysis, and Reporting
- AU-13 Monitoring for Information Disclosure
- CA-02 Control Assessments
- CA-05 Plan of Action and Milestones
- CA-06 Authorization
- CA-07 Continuous Monitoring
- CM-03 Configuration Change Control
- CM-04 Impact Analyses
- CM-06 Configuration Settings
- CM-11 User-installed Software
- IA-05 Authenticator Management
- IR-05 Incident Monitoring
- MA-02 Controlled Maintenance
- MA-03 Maintenance Tools
- MA-04 Nonlocal Maintenance
- PE-03 Physical Access Control
- PE-06 Monitoring Physical Access
- PE-14 Environmental Controls
- PE-16 Delivery and Removal
- PE-20 Asset Monitoring and Tracking
- PL-02 System Security and Privacy Plans
- PM-04 Plan of Action and Milestones Process
- PM-06 Measures of Performance
- PM-09 Risk Management Strategy
- PM-10 Authorization Process
- PM-12 Insider Threat Program
- PM-14 Testing, Training, and Monitoring
- PM-23 Data Governance Body
- PM-28 Risk Framing
- PS-07 External Personnel Security
- PT-07 Specific Categories of Personally Identifiable Information
- RA-03 Risk Assessment
- RA-05 Vulnerability Monitoring and Scanning
- RA-07 Risk Response
- SA-09 External System Services
- SA-11 Developer Testing and Evaluation
- SC-05 Denial-of-service Protection
- SC-07 Boundary Protection
- SC-18 Mobile Code
- SC-38 Operations Security
- SC-43 Usage Restrictions
- SI-03 Malicious Code Protection
- SI-04 System Monitoring
- SI-12 Information Management and Retention
- SR-02 Supply Chain Risk Management Plan
- SR-04 Provenance