CMMC Practice CA.L2-3.12.3

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Bold Coast Security Guidance

For Level 3 compliance, an organization must have a formal management plan to describe how it achieves policy requirements it created to meet Level 2 compliance. Monitoring the environment includes both continuous technical monitoring, e.g., anti-malware and other protective controls, as well as regular review of controls in place to ensure only authorized personnel and activities are permitted, e.g., account review and activity reviews.

Discussion From Source

DRAFT NIST SP 800-171 R2 Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements.