Continuous monitoring

Source: Proposed Security Assessment & Authorization for U.S. Government Cloud Computing

Security

A critical aspect of managing risk to information from the operation and use of information systems involves the continuous monitoring of the security controls employed within or inherited by the system. Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence.

An effective organizational information security program also includes a rigorous continuous monitoring program integrated into the System Development Life Cycle (SDLC). The objective of the continuous monitoring program is to determine whether the set of deployed security controls continues to be effective over time in light of the inevitable changes that occur.

Continuous monitoring is a proven technique to address the security impacts on an information system resulting from changes to the hardware, software, firmware, or operational environment. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status information to organizational officials, enabling them to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation of the information system. Continuous monitoring programs provide organizations with an effective mechanism to update security plans, security assessment reports, and plans of action and milestones (POA&Ms).

An effective continuous monitoring program includes:

- Configuration management and control processes for information systems;
- Security impact analyses on proposed or actual changes to information systems and environments of operation;
- Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the defined continuous monitoring strategy;
- Security status reporting to appropriate officials; and
- Active involvement by authorizing officials in the ongoing management of information system-related security risks.