Continuous Monitoring Program

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

NIST SP 800-37 identifies the following as elements essential to a successful organization-wide continuous monitoring program:

  • Configuration management and change control – develop processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes;
  • Security impact analyses – develop security impact analysis and and conduct analyses to monitor for changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions which said systems support;
  • (Ongoing) assessment of system security controls – assessment frequencies based on an organization-wide continuous monitoring strategy and individual system authorization strategies;
  • Security status monitoring and reporting – communicate accurate and up-to-date security-related information to support ongoing management of information security risks and to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies; and
  • Active involvement of organizational officials.



A comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people. This strategy includes:

  • Understanding of risk tolerance
  • Metrics that provide meaningful indications of security status at all organizational tiers
  • Continued effectiveness of all security controls
  • Verification of compliance with information security requirements
  • IT asset management
  • Knowledge and control of changes
  • Awareness of threats and vulnerabilities

An ISCM program is established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls.

CSP should take the following steps to establish, implement, and maintain ISCM:

Organization-wide Focused Monitoring

The involvement of the entire organization (senior leaders providing governance and strategic vision at Tier 1 to individuals developing, implementing, and operating individual systems in support of the organization’s core missions and business processes) is required for maintaining an up-to-date view of information security and risks across an organization.

Organization/Governance  (Tier 1)

Tier 1 risk management activities address high-level information security governance policy as it relates to risk to the organization as a whole, to its core missions, and to its business functions.

The criteria for ISCM are defined by the organization’s risk management strategy, including:

  • how the organization plans to assess, respond to, and monitor risk, and
  • the oversight required to ensure that the risk management strategy is effective.

Mission/Business Processes (Tier 2)

Organizational officials that are accountable for one or more missions or business processes are also responsible for overseeing the associated risk management activities for those processes.

The Tier 2 criteria for continuous monitoring of information security are defined by:

  • how core mission/business processes are prioritized with respect to the overall goals and objectives of the organization,
  • the types of information needed to successfully execute the stated mission/business processes, and
  • the organization-wide information security program strategy.

The Program Management (PM) controls are a special type of common controls that are implemented at Tier 2. The PM controls are uniquely important to a continuous monitoring strategy.  The associated metrics provide insight into the ongoing effectiveness of the security program, thus supporting risk management decisions. Consequently, Tier 1 has a role in determining these controls.

Control NumberControl NameLow BaselineModerate Baseline
PM-1Information Security Program Plan PM-1PM-1
PM-2Senior Information Security Officer PM-2PM-2
PM-3Information Security Resources PM-3PM-3
PM-4Plan of Action and Milestones Process PM-4PM-4
PM-5Information System Inventory PM-5PM-5
PM-6Information Security Measures of Performance PM-6PM-6
PM-7Enterprise Architecture PM-7PM-7
PM-8Critical Infrastructure Plan PM-8PM-8
PM-9Risk Management Strategy PM-9PM-9
PM-10Security Authorization Process PM-10PM-10
PM-11Mission/business Process Definition PM-11PM-11

Organizations monitor, assess, evaluate, and respond to risk with varying degrees of autonomy below Tier 2. Diverse risk assessment methods may be used across an organization. Metrics and dashboards can be useful at Tier 2 in assessing, normalizing, and correlating monitoring activities below the mission/business level in a meaningful manner.

Information Systems (Tier 3)

ISCM activities at Tier 3 address risk management from an information system perspective.  These activities include ensuring that all system-level security controls (technical, operational, and management controls) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.   The ongoing monitoring activities implemented at the information systems tier provide security-related information to authorizing officials (AOs) in support of ongoing system authorization decisions and to the risk executive (function) in support of ongoing organizational risk management.

NOTE: At Tier 3, RMF Step 6 (Monitor Security Controls) activities and ISCM activities are closely aligned. The assessment methods relevant for implemented security controls are the same whether the assessments are being done solely in support of system authorization or in support of a broader, more comprehensive continuous monitoring effort.

Continuous Monitoring Strategy

The effectiveness of the continuous monitoring program is based in part on the continuous monitoring requirements and the role/responsibilities defined for executing specific continuous monitoring tasks within each of the tiers within the organizational structure.  Each tier has a unique role in monitoring and assessing security controls for effectiveness specific to the types and frequencies of controls deemed applicable to the organizational level and the necessary decision-making that must occur to determine if the risks exceed the defined tolerance.

The continuous monitoring strategy is not static and should be adjusted to meet the organizational risk tolerance.  Specific criteria should be developed to ensure a known frequency and/or condition is defined for letting the organization know when to review, update and communicate the continuous monitoring strategy implemented across the organization.  When a continuous monitoring strategy is updated, the continuous monitoring program may also need to be updated to reflect the change in the continuous monitoring strategy.



  • NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations