CA.L2-3.12.3  

Reference: CMMC v2.13

Family: CA

Level Introduced: 2

Title: Security Control Monitoring

Practice:
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Further Discussion:
Provide a plan for monitoring the state of security controls on a recurring basis that occurs more frequently than the periodic assessments discussed in CA.L2-3.12.1. This process provides a mechanism to assess the overall security posture of your organization, which directly relates to activities discussed in CA.L2-3.12.4. As a result, the process not only maintains awareness of vulnerabilities and threats, but it also informs management of the effectiveness of the security controls in determining if security controls are current and for management to make an acceptable risk decision.

Example
You are responsible for ensuring your company fulfills all cybersecurity requirements for its DoD contracts. You review those requirements and the security controls your company has put in place to meet them. You then create a plan to evaluate each control regularly over the next year. You mark several controls to be evaluated by a third-party security assessor. You assign other IT resources in the organization to evaluate controls within their area of responsibility. To ensure progress you establish recurring meetings with the accountable IT staff to assess continuous monitoring progress, review security information, evaluate risks from gaps in continuous monitoring, and produce reports for your management [a].

Potential Assessment Considerations
• Are the security controls that need to be continuously monitored identified [a]?
• Is the timeframe for continuous monitoring activities to support risk-based decision making defined [a]?
• Is the output of continuous monitoring activities provided to stakeholders [a]?

Source: CMMC v2.13