CCI-004481
CCI-004481 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- continuous monitoring programs are implemented that establish [PM-31_ODP[02]; the frequencies for monitoring are defined] for monitoring.
- continuous monitoring programs are implemented that establish [PM-31_ODP[03]; the frequencies for assessing control effectiveness are defined] for assessment of control effectiveness.
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; supply chain risk management plan; continuous monitoring strategy; risk management strategy; information security continuous monitoring program documentation, reporting, metrics, and artifacts; information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts; assessment and authorization policy; procedures addressing the continuous monitoring of controls; privacy program continuous monitoring documentation, reporting, metrics, and artifacts; continuous monitoring program records, security, and privacy impact analyses; status reports; risk response documentation; other relevant documents or records.].
Interview: [SELECT FROM: Senior Accountable Official for Risk Management; chief information officer; senior agency information security officer; senior agency official for privacy; organizational personnel with information security, privacy, and supply chain risk management program responsibilities].
Test: [SELECT FROM: Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring].