Wednesday, December 12, 2018

What is "Continuous Monitoring" (ConMon)?

The Risk Management Framework (RMF) requires "Continuous Monitoring" as the last step (Step 6, Monitor) of the assessment and authorization process. The Information System Owner (ISO) or Program Manager (PM) is responsible for developing a continuous monitoring strategy early in the RMF process (the organization-level strategy is a Prepare-step task, Step 0; the system-level strategy is documented alongside the selected controls) and for implementing that plan in Step 6 (Monitor). What is continuous monitoring, and what should the plan look like?

NIST SP 800-37 Rev 2, RMF Task P-7, Continuous Monitoring Strategy - Organization (see Section 3.1, Prepare, Table 1: Prepare Tasks and Outcomes - Organization Level), requires that "An organization-wide strategy for monitoring control effectiveness is developed and implemented [Cybersecurity Framework: DE.CM; ID.SC-4]." The particular requirements for continuous monitoring are defined in NIST SP 800-53 Rev 4 security control CA-7:

“The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].”

NIST SP 800-137, "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations," defines continuous monitoring as:
"Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."
The following is an outline of the continuous monitoring activities that an organization supporting the DoD should cover:

  • Maintain an awareness of the system's authorization status (e.g., ATO, IATT), including the expiration date, the milestones associated with POA&M items, and the plan for extension or renewal.
  • Maintain an accurate inventory of hardware (physical and virtual) and software used within the environment/accreditation boundary (SANS/CIS Basic Controls #1 and #2).
  • Generate periodic hardware and software inventory reports. Investigate deviations from the baseline that have not been approved and documented through the change management process.
  • Personnel deemed part of the Information Assurance/Cybersecurity workforce must be DoDD 8140/DoD 8570.01-M compliant and maintain their status through ongoing training and (re)certification. This includes determining each person's Cybersecurity Workforce role (IAT, IAM, CND, etc.), the required baseline IA certification, the appropriate computing environment (CE) training or certification, registration in ATCTS and Skillport, and writing appointment orders that align with the duties to be performed. Maintain the contractor Cybersecurity Workforce (CSWF) Report in the format required by DID DI-MGMT-82160.
  • Management and technical personnel should subscribe to vendor security mailing lists and be aware of organizational policy.
  • Monitor the DISA IASE web site for updates to STIGs and SRGs, and re-assess assets against the updated guidance (SANS/CIS Basic Control #5).
  • Control changes in the environment. Implement the change and release management process as defined by the Configuration Control Board (CCB) and/or the Change Management (CM) documents included in the accreditation package, and assess the security impact of proposed or actual changes to the information system and its environment of operation.
  • Continue to perform IAVM compliance assessments using ACAS and remediate findings (SANS/CIS Basic Control #3).
  • Evaluate Lifecycle Management (LCM) data, such as lifecycle replacement dates and end-of-life/end-of-support dates, for the hardware and software used within the environment.
  • Review stale and expired accounts, and audit privileged role assignments. Review the rights and permissions associated with privileged roles (SANS/CIS Basic Control #4).
    • Warn users of stale accounts (preferably by an automated method).
    • Delete expired accounts. Review group membership(s) prior to expiration to ensure that at least one other user remains in each group; replace the removed user with another staff member where needed.
    • Are privileged roles defined so as to implement least privilege?
    • Review training and certification requirements for privileged users.
    • Review compliance with training and certification requirements for privileged users.
  • Maintain, monitor, and analyze audit logs (SANS/CIS Basic Control #6).
  • Review and update policy documents (policies should be assigned a review and update interval at the time they are published). Maintain a body of evidence (BoE) for RMF packages in accordance with Data Item Description (DID) DI-MGMT-82001, "DoD Risk Management Framework (RMF) Package Deliverables."
  • Monitor the appropriate web sites and mailing lists for applicable EXORDs, OPORDs, TASKORDs, and ALARACTs.
  • Monitor PKI certificates for expiration; acquire and apply replacement certificates before the old ones expire.
  • Perform annual testing as required by FISMA (security control review, security control testing, and contingency testing).
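The inventory and change-management items above can be checked mechanically rather than by eyeballing spreadsheets. The following is an added example, not code from the original post or from any DoD tool: it diffs a current inventory snapshot against the approved baseline and the CCB-approved change records, and reports only the deviations that nobody approved. The `Asset` record type, the three sample inventories and the `add`/`remove` change actions are constructed for the example; a real run would feed it exports from ACAS or whatever inventory source the accreditation boundary uses.

```python
"""Added example: find unapproved deviations between an approved hardware/software
baseline and the current inventory snapshot. Not from the original post; the data
below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    kind: str   # "hw" (host) or "sw" (package)
    name: str   # hostname or package name
    ident: str  # serial number for hw, version for sw


def _key(a):
    return (a.kind, a.name, a.ident)


# Constructed sample data. In practice these come from the accreditation package
# (baseline), the CCB change records, and a fresh scan/inventory export.
APPROVED_BASELINE = {
    Asset("hw", "web01", "SN-1001"),
    Asset("hw", "db01", "SN-1002"),
    Asset("sw", "openssl", "1.0.2k"),
    Asset("sw", "httpd", "2.4.6"),
}
CURRENT_INVENTORY = {
    Asset("hw", "web01", "SN-1001"),
    Asset("hw", "db01", "SN-1002"),
    Asset("hw", "jump01", "SN-1003"),  # new host, approved by the CCB below
    Asset("sw", "openssl", "1.0.2k"),
    Asset("sw", "httpd", "2.4.29"),    # version changed with no change record
    Asset("sw", "nmap", "7.70"),       # installed with no change record
}
# (asset, action) pairs the CCB approved; action is "add" or "remove"
APPROVED_CHANGES = {
    (Asset("hw", "jump01", "SN-1003"), "add"),
}


def inventory_deviations(baseline, current, approved_changes):
    """Classify differences between baseline and current that have no approved
    change record. A same-name asset that is both removed and added (e.g. a
    package upgrade) is reported once, as a change, not as add plus remove."""
    approved_adds = {a for a, action in approved_changes if action == "add"}
    approved_removes = {a for a, action in approved_changes if action == "remove"}
    added = (current - baseline) - approved_adds
    removed = (baseline - current) - approved_removes
    changed = [
        (old, new)
        for old in sorted(removed, key=_key)
        for new in sorted(added, key=_key)
        if (old.kind, old.name) == (new.kind, new.name)
    ]
    paired = {a for pair in changed for a in pair}
    return {
        "added": sorted(added - paired, key=_key),
        "removed": sorted(removed - paired, key=_key),
        "changed": changed,
    }


def format_report(deviations):
    """Render the deviations as lines suitable for a ticket or ConMon report."""
    lines = []
    for a in deviations["added"]:
        lines.append(f"UNAPPROVED ADD: {a.kind} {a.name} {a.ident}")
    for a in deviations["removed"]:
        lines.append(f"UNAPPROVED REMOVE: {a.kind} {a.name} {a.ident}")
    for old, new in deviations["changed"]:
        lines.append(f"UNAPPROVED CHANGE: {old.kind} {old.name} {old.ident} -> {new.ident}")
    return lines


if __name__ == "__main__":
    report = inventory_deviations(APPROVED_BASELINE, CURRENT_INVENTORY, APPROVED_CHANGES)
    for line in format_report(report):
        print(line)
```

Running this on the sample data reports the unrecorded `nmap` install and the unrecorded `httpd` upgrade, and stays silent about `jump01` because the CCB record covers it. Each reported line is the input to the "investigate deviations" step: either a missing change record to be back-filled, or an unauthorized change to be reverted and written up.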
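The account-review sub-items above (warn on stale accounts, delete expired ones without leaving a group empty, and confirm privileged users hold a current certification) are also worth automating. The following is an added example, not code from the original post: it runs those checks over a constructed directory export. The 35-day inactivity threshold, the `Account` record layout, the 7-day warning grace period and the sample users are assumptions to be replaced by the organization's own policy values and a real export from the directory.

```python
"""Added example (not from the original post): stale/expired account review that
also applies the group-membership and privileged-user rules from the list above.
Account data and the thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

STALE_AFTER_DAYS = 35   # assumption: set this from your organization's policy
WARNING_GRACE_DAYS = 7  # assumption: days the user gets after the warning

REVIEW_DATE = date(2018, 12, 12)  # the "today" used for the sample review


@dataclass(frozen=True)
class Account:
    name: str
    last_logon: date
    expires: date                  # account expiration date
    groups: FrozenSet[str]
    privileged: bool = False
    cert_valid_until: Optional[date] = None  # baseline IA cert expiry (8570.01-M)


# Constructed sample directory export as of REVIEW_DATE.
ACCOUNTS = [
    Account("alice", date(2018, 12, 10), date(2019, 6, 30),
            frozenset({"Domain Admins", "Web Admins"}), True, date(2019, 3, 1)),
    Account("bob", date(2018, 10, 1), date(2019, 6, 30), frozenset({"Web Admins"})),
    Account("carol", date(2018, 11, 20), date(2018, 12, 1),
            frozenset({"DB Admins", "Web Admins"}), True, date(2019, 5, 1)),
    Account("dave", date(2018, 12, 11), date(2018, 11, 30), frozenset({"DB Admins"})),
    Account("erin", date(2018, 12, 12), date(2019, 12, 31),
            frozenset({"Domain Admins"}), True, date(2018, 11, 1)),
]


def stale_warning(account, today):
    """Text of the automated warning sent to the owner of a stale account."""
    idle = (today - account.last_logon).days
    deadline = today + timedelta(days=WARNING_GRACE_DAYS)
    return (f"{account.name}: last logon {idle} days ago; the account will be "
            f"disabled unless it is used by {deadline}")


def review_accounts(accounts, today):
    """Apply the review rules and return the action lists for the ConMon report."""
    active = [a for a in accounts if a.expires >= today]
    expired = [a for a in accounts if a.expires < today]
    stale = [a for a in active if (today - a.last_logon).days > STALE_AFTER_DAYS]
    # Deleting the expired accounts must not leave any group without a member;
    # those groups need a replacement member assigned before the deletion.
    groups_of_expired = {g for a in expired for g in a.groups}
    groups_left_empty = sorted(
        g for g in groups_of_expired if not any(g in a.groups for a in active)
    )
    # Privileged users must hold a current baseline certification.
    cert_lapsed = [a for a in active if a.privileged
                   and (a.cert_valid_until is None or a.cert_valid_until < today)]
    return {
        "stale": [a.name for a in stale],
        "warnings": [stale_warning(a, today) for a in stale],
        "delete": [a.name for a in expired],
        "groups_left_empty": groups_left_empty,
        "privileged_cert_lapsed": [a.name for a in cert_lapsed],
    }


if __name__ == "__main__":
    for key, value in review_accounts(ACCOUNTS, REVIEW_DATE).items():
        print(f"{key}: {value}")
```

On the sample data the review flags `bob` as stale, schedules `carol` and `dave` for deletion, warns that deleting them would empty `DB Admins` (so a replacement member must be assigned first), and reports that `erin` holds a privileged role on a lapsed certification. Wire the `warnings` list to mail and the rest to the review ticket, and keep the output as evidence for the BoE.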
Other considerations for Army information systems (IS):
  • Per ARCYBER OPORD 2016-129, "Information Assurance Vulnerability Management (IAVM) Program Implementation," 17 June 2016, Alerts as well as Bulletins must be closed within 21 days. (Previous guidance, ARCYBER 2015-363, allowed Bulletins to remain open for up to 45 days.)
  • Submit a POA&M for overdue IAVMs, including an Operational Impact Statement (OIS), which is routed through the ARCYBER Quarantine Review Board (QRB) (see ARCYBER OPORD 2016-086).
  • Critical and High IAVAs are not normally covered by a POA&M and must be mitigated or reported with an OIS through the AO to NETCOM.
  • Medium and Low IAVAs require an AO-approved POA&M for up to 60 days beyond the original suspense date.
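The four Army rules above combine into a small decision procedure that a ConMon tracker can run against the open IAVM list each day. The following is an added example, not code from the original post or an ARCYBER tool: it encodes the 21-day suspense, the no-POA&M rule for Critical/High items, and the 60-day AO-approved POA&M window for Medium/Low items, and returns the state and the next deadline for each record. The `IavmItem` record layout, the labels `A-1` through `B-6` (constructed, not real IAVM numbers) and the sample dates are assumptions.

```python
"""Added example (not from the original post): compute the suspense status of
IAVM items under the ARCYBER rules quoted above. Labels and dates are constructed;
only the 21-day and 60-day rules come from the post."""
from dataclasses import dataclass
from datetime import date, timedelta

SUSPENSE_DAYS = 21          # OPORD 2016-129: Alerts and Bulletins closed within 21 days
POAM_EXTENSION_DAYS = 60    # Medium/Low: AO-approved POA&M up to 60 days past suspense
NO_POAM_SEVERITIES = {"Critical", "High"}  # mitigate, or report via OIS through the AO

REVIEW_DATE = date(2018, 12, 12)  # the "today" used for the sample report


@dataclass(frozen=True)
class IavmItem:
    label: str           # constructed label, not a real IAVM number
    kind: str            # "Alert" (IAVA) or "Bulletin" (IAVB)
    severity: str        # Critical / High / Medium / Low
    released: date
    closed: bool = False
    poam_approved: bool = False  # AO-approved POA&M on file for this item


def suspense_date(item):
    """Original suspense: both Alerts and Bulletins get the same 21 days."""
    return item.released + timedelta(days=SUSPENSE_DAYS)


def iavm_status(item, today):
    """Return (state, deadline) where deadline is the next date that matters."""
    due = suspense_date(item)
    if item.closed:
        return ("closed", due)
    if today <= due:
        return ("open", due)
    if item.severity in NO_POAM_SEVERITIES:
        # Critical/High are not POA&M candidates: mitigate, or report with an
        # OIS through the AO to NETCOM.
        return ("overdue_report_ois", due)
    poam_end = due + timedelta(days=POAM_EXTENSION_DAYS)
    if not item.poam_approved:
        # Medium/Low past suspense: submit a POA&M with OIS via the QRB.
        return ("overdue_poam_required", due)
    if today <= poam_end:
        return ("overdue_poam_covered", poam_end)
    # The 60-day extension has run out; the item is overdue again.
    return ("overdue_poam_expired", poam_end)


# Constructed sample IAVM tracker entries.
ITEMS = [
    IavmItem("A-1", "Alert", "Critical", date(2018, 11, 30)),
    IavmItem("A-2", "Alert", "High", date(2018, 11, 1)),
    IavmItem("B-3", "Bulletin", "Medium", date(2018, 10, 15), poam_approved=True),
    IavmItem("B-4", "Bulletin", "Low", date(2018, 8, 1), poam_approved=True),
    IavmItem("A-5", "Alert", "Medium", date(2018, 11, 10)),
    IavmItem("B-6", "Bulletin", "High", date(2018, 11, 1), closed=True),
]


def status_report(items, today):
    """Map each item label to its (state, deadline) for the ConMon report."""
    return {item.label: iavm_status(item, today) for item in items}


if __name__ == "__main__":
    for label, (state, deadline) in status_report(ITEMS, REVIEW_DATE).items():
        print(f"{label}: {state} ({deadline})")
```

Note that `A-2` (High, past suspense) is reported as needing an OIS rather than a POA&M, while `A-5` (Medium, past suspense, no POA&M) is the case that goes to the QRB; `B-4` shows the extension window expiring, which a tracker that only records "POA&M approved" as a flag would miss. If a later OPORD changes the suspense periods, only the two constants at the top need to move.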