CCI-004473
CCI-004473 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if continuous monitoring programs are implemented that include establishing [PM-31_ODP[01]; the metrics for organization-wide continuous monitoring are defined] to be monitored.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; supply chain risk management plan; continuous monitoring strategy; risk management strategy; information security continuous monitoring program documentation, reporting, metrics, and artifacts; information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts; assessment and authorization policy; procedures addressing the continuous monitoring of controls; privacy program continuous monitoring documentation, reporting, metrics, and artifacts; continuous monitoring program records, security, and privacy impact analyses; status reports; risk response documentation; other relevant documents or records].
Interview: [SELECT FROM: Senior Accountable Official for Risk Management; chief information officer; senior agency information security officer; senior agency official for privacy; organizational personnel with information security, privacy, and supply chain risk management program responsibilities].
Test: [SELECT FROM: Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring].