CCI-004493
CCI-004493 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- continuous monitoring programs are implemented that include reporting the security status of Organizational systems to [PM-31_ODP[04]; the personnel or roles for reporting the security status of Organizational systems to is/are defined] [PM-31_ODP[06]; the frequency at which to report the security status of Organizational systems is defined].
- continuous monitoring programs are implemented that include reporting the privacy status of Organizational systems to [PM-31_ODP[05]; the personnel or roles for reporting the privacy status of Organizational systems to is/are defined] [PM-31_ODP[07]; the frequency at which to report the privacy status of Organizational systems is defined].
Validation Procedures
Examine: [SELECT FROM: Information security program plan; privacy program plan; supply chain risk management plan; continuous monitoring strategy; risk management strategy; information security continuous monitoring program documentation, reporting, metrics, and artifacts; information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts; assessment and authorization policy; procedures addressing the continuous monitoring of controls; privacy program continuous monitoring documentation, reporting, metrics, and artifacts; continuous monitoring program records, security, and privacy impact analyses; status reports; risk response documentation; other relevant documents or records].

Interview: [SELECT FROM: Senior Accountable Official for Risk Management; chief information officer; senior agency information security officer; senior agency official for privacy; organizational personnel with information security, privacy, and supply chain risk management program responsibilities].

Test: [SELECT FROM: Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring].