
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Scoring legend:

Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN: (C+I+A)
Assessment result: (S)atisfactory / (O)ther than satisfactory +##


CA-7 Continuous Monitoring

Assessment objective:

Determine if the organization:

CA-7(a)
  CA-7(a)[1]  develops a continuous monitoring strategy that defines metrics to be monitored;
  CA-7(a)[2]  develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;
  CA-7(a)[3]  implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

CA-7(b)
  CA-7(b)[1]  develops a continuous monitoring strategy that defines frequencies for monitoring;
  CA-7(b)[2]  defines frequencies for assessments supporting monitoring;
  CA-7(b)[3]  develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;
  CA-7(b)[4]  implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;

CA-7(c)
  CA-7(c)[1]  develops a continuous monitoring strategy that includes ongoing security control assessments;
  CA-7(c)[2]  implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

CA-7(d)
  CA-7(d)[1]  develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;
  CA-7(d)[2]  implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

CA-7(e)
  CA-7(e)[1]  develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;
  CA-7(e)[2]  implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;

CA-7(f)
  CA-7(f)[1]  develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;
  CA-7(f)[2]  implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;

CA-7(g)
  CA-7(g)[1]  develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;
  CA-7(g)[2]  develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;
  CA-7(g)[3]  develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organization-defined personnel or roles with the organization-defined frequency; and
  CA-7(g)[4]  implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy.

Potential assessment methods and objects:

Examine: [select from: Security assessment and authorization policy; procedures addressing continuous monitoring of information system security controls; procedures addressing configuration management; security plan; security assessment report; plan of action and milestones; information system monitoring records; configuration management records; security impact analyses; status reports; other relevant documents or records].

Interview: [select from: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Mechanisms implementing continuous monitoring].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056