The concept of continuous monitoring has always existed.

Everything that requires a periodic assessment by default requires continuous monitoring. The concept of continuous monitoring is a proactive measure that should be taken by every organization regardless of size to ensure information system (IS) configurations meet requirements and perform effectively and efficiently.

The Purpose of Continuous Compliance Monitoring

There are some important compliance requirements that call out continuous monitoring.

How NIST Defines ISCM

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800 137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, defines Information Security Continuous Monitoring (ISCM) as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

DFARS: DFARS 252.204-7019 (NIST SP 800-171) And 252.204-7021 (CMMC) Requirements:

NIST SP 800-171 -3.12.3: SECURITY CONTROL MONITORING: “Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.”

It specifically requires that security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. Unfortunately, the concept of continuous monitoring has been implemented in many organizations as a reactive measure, which contradicts the purpose of continuous monitoring.

Continuous Monitoring: How to Be Proactive

How can we change it from reactive to proactive? The answer to this question might seem easy to many policymakers. However, the answer is not as simple for the organizations that must comply with those policies. A proactive approach might seem impossible because it increases the resources required to maintain the IS while budgets are constrained.

Despite the answers from policymakers and stakeholders, the reality is that it is time to take a proactive approach and face the challenges that come with developing a realistic continuous monitoring strategy.

A continuous monitoring strategy considers the frequency of ongoing assessments and resources required to maintain compliance. Furthermore, a strategy can be implemented into a Continuous Monitoring Plan and reduce the cost of reauthorization.

Develop a Continuous Monitoring Plan

An effective Continuous Monitoring Plan will include a schedule of controls review. This will vary based on component monitoring infrastructure, the specific technologies used by the system, and the application of the system. The schedule can be phased, much like vehicle maintenance, with varying basis depending on the components and specific technologies of the vehicle. For example, some vehicles require engine oil and filter change every 6 months or 5,000 miles, while others require the same service every 12 months or 10,000 miles. The same concept of vehicle maintenance intervals applies to the concept of continuous monitoring.

At SecureStrux, we incorporate the concept of a car maintenance schedule to assist companies with meeting the continuous monitoring requirements.

Get Inspection-Ready With SecureStrux

Ignoring key strategies for a continuous monitoring plan is a poor decision that will increase the overall cost, but most importantly, it will fail to deliver resilient capabilities to the warfighter.

Let SecureStrux help your organization plan your continuous monitoring efforts, implement them in your infrastructure, and adapt them to changing regulations and security threats. Schedule a meeting today!

Tony Buenger

Tony Buenger

Director, Governance, Risk, and Compliance

Tony Buenger is skilled and dedicated security and governance professional with decades of experience in the Department of Defense (DoD) cybersecurity consulting, planning and implementation. Tony is a retired Lieutenant Colonel with the U.S. Air Force with 22 years of service and spent 15 of those years working in the Pentagon and other DoD agencies to help modernize security infrastructure and systems. This work includes converting the USAF from DIACAP compliance to a more modern risk-based approach based on NIST and the Risk Management Framework (RMF).

The latest in Cybersecurity

Enter your email to get the latest news, updates,
and content on cybersecurity.

"*" indicates required fields