3.12.3

Requirement

Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring and security assessments.

Discussion

Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk-based decisions. Different types of security requirements may require different monitoring frequencies.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: security assessment and monitoring policy and procedures; organizational continuous monitoring strategy; system-level continuous monitoring strategy; procedures for continuous monitoring of the system; procedures for configuration management; security assessment report; plan of action and milestones; system monitoring records; configuration management records; impact analyses; status reports; system security plan; other relevant documents or records]
Interview

[SELECT FROM: mechanisms for implementing continuous monitoring; mechanisms for supporting response actions for assessment and monitoring results; mechanisms for supporting security status reporting]
Test

[SELECT FROM: personnel with continuous monitoring responsibilities; personnel with information security responsibilities; system administrators]

ID	Assessment Objectives
A.03.12.03[01]	a system-level continuous monitoring strategy is developed.
A.03.12.03[02]	a system-level continuous monitoring strategy is implemented.
A.03.12.03[03]	ongoing monitoring is included in the continuous monitoring strategy.
A.03.12.03[04]	security assessments are included in the continuous monitoring strategy.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!