ABSTRACT

Introduction

Given the media coverage of the U.S. government’s information technology (IT) continuous monitoring requirements over the last 12 months, it is understandable how some individuals may have been led to believe that continuous monitoring is something new. The requirement to perform continuous monitoring has been around even before the Federal Information Security Management Act (FISMA) of 2002 was enacted. For example, the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual (2000, 113) stated, “effective management of the risk continuously evaluates the threats that the system is exposed to, evaluates the capabilities of the system and environment to minimize the risk, and balances the security measures against cost and system performance.” Furthermore, the document stated that the Designated Approving Authority, users, security practitioners, etc., continuously perform evaluations as a method to ensure secure system management (DoD, 2000). It is safe to say that the Office of Management and Budget’s (OMB) Circular A-130 Appendix III intended the requirement for continuous monitoring (NIST, 2010a, 2010b).