CA-7(4)
-
Requirement
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
- Effectiveness monitoring;
- Compliance monitoring; and
- Change monitoring.
-
Discussion
Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.
NIST 800-53A Assessment Guidance
CMMC Training
Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!