In This Article

• Capability and budgets are not able to increase at the same rate as the complexity of the Risk Management Framework (RMF) and Continuous Monitoring.
• In 2019, Defense Counterintelligence Security Agency’s (DCSA) RMF process transitioned from The Office of the Designated Approving Authority’s (ODAA) Business Management System (OBMS) to the Enterprise Mission Assurance Support Service (eMASS), vastly increasing levels of effort for organizations trying to renew their Authorization to Operate (ATO).
• Use our questions and action items to help your compliance team move forward with an RMF Continuous Monitoring program or ATO renewal.

What Continuous Monitoring Is & Why We Do It.

NIST SP 800-137 defines the Risk Management Framework’s sixth step, Continuous Monitoring, as an ongoing awareness of information security, vulnerabilities, and threats in order to facilitate risk-based decision making.