catalog: SP800-53rev3 / class: Management / family: (CA) Security Assessment and Authorization
CA-07: Continuous Monitoring

base control objective:
The organization monitors the security controls in the information system on an ongoing basis.

supplemental objective information:
A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. Continuous monitoring of security controls using automated support tools facilitates near real-time risk management for information systems. An effective continuous monitoring program includes: (i) configuration management and control of information system components; (ii) security impact analyses of changes to the system or its environment of operation; (iii) ongoing assessment of security controls; and (iv) status reporting.
This control is closely related to and mutually supportive of the activities required in monitoring configuration changes to the information system. An effective continuous monitoring program results in ongoing updates to the security plan, the security assessment report, and the plan of action and milestones, the three principal documents in the security authorization package. A rigorous and well-executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system.

enhancements to the base objective:

(1) The organization employs an independent assessor or assessment team to monitor the security controls in the information system on an ongoing basis.
Enhancement Supplemental Guidance: The organization can extend and maximize the value of the ongoing assessment of security controls during the continuous monitoring process by requiring an independent assessor or team to assess all of the security controls during the information system’s three-year authorization cycle. See supplemental guidance for CA-2, enhancement (1) for further information on assessor independence.

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base

related controls:

CA-02   Security Assessments
CA-05   Plan of Action and Milestones
CA-06   Security Authorization
CM-03   Configuration Change Control
CM-04   Security Impact Analysis

documents referenced in SP800-53rev3 for CA-07:

Document        | Date           | Status  | Title
FIPS 199        | February 2004  | current | Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-115  | September 2008 | current | Technical Guide to Information Security Testing and Assessment
NIST SP800-37   | February 2010  | current | Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Rev. 1; the February 2010 revision replaced the earlier "Guide for the Security Certification and Accreditation of Federal Information Systems")
NIST SP800-53A  | July 2010      | current | Guide for Assessing the Security Controls in Federal Information Systems and Organizations
NIST SP800-55   | July 2008      | current | Performance Measurement Guide for Information Security (Rev. 1; the July 2008 revision replaced the earlier "Security Metrics Guide for Information Technology Systems")
NIST SP800-79   | June 2008      | current | Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
NIST SP800-85A  | March 2009     | current | PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance)
NIST SP800-85B  | July 2006      | current | PIV Data Model Test Guidelines
