Basic Security Requirements:

12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.

12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.

12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Derived Security Requirements: None.