NIST 800-53 (RMF) defines security controls for information systems and how to implement them.  NIST SP 800-137 defines the Risk Management Framework’s sixth step, Continuous Monitoring, as an ongoing awareness of information security, vulnerabilities, and threats in order to facilitate risk-based decision-making. Continuous monitoring involves regularly assessing and evaluating the security posture of information systems to identify vulnerabilities, detect and respond to threats, and ensure that security controls are effective and operating as intended.  In short, continuous monitoring is how you check your work. 

An organization’s continuous monitoring program can be as complex or simple as the information system.  It is important that the continuous monitoring program is robust enough to address potential vulnerabilities and threats.  However, it should not be so complex that the organization cannot effectively monitor the security controls.  Critical security controls may require more frequent monitoring and testing, while the controls with the least impact may not require frequent testing. 

The continuous monitoring program is an excellent way to provide feedback to leadership on the security posture of the information system.  Providing recurring updates to leadership makes it easier to explain how changes and updates to the information system impact the security posture. Implementing and testing security controls to achieve an Authorization to Operate (ATO) is very important, but continuously assessing and managing your risk is even more important. It helps ensure the confidentiality, integrity, and availability of the information system, and maintains the authorized security posture.