ABSTRACT

Yet, it is up to each agency, based on its particular mission needs, to establish a realistic plan for continuously monitoring controls to ensure their continued effectiveness. The truth is, every control must be monitored, yet every control is not subject to the same degree of change and need for monitoring. The approach the agency takes to addressing its controls monitoring needs will range between static monitoring on a periodic basis at one end of the spectrum to fully automated, real-time monitoring at the other. The balance achieved will result in a cost-effective, risk-based approach that is tuned to the needs for protecting the system and the data it processes in the context of the protective needs of the enterprise itself. Monitoring efforts must support external requirements such as OMB’s FISMA reporting guidelines as well as internal monitoring requirements that address agency-specific risks. The approach to achieving this should be to review internal and external requirements for monitoring the effectiveness, adequacy, and viability of security controls in order to determine the most effective strategy for monitoring at the level required.