Policy and Procedures following the Risk Management Framework (RMF) for obtaining system authorizations.
[The Facility]
implements an Information System Continuous Monitoring (ISCM) program developed at Tier 3, the information system level, by incorporating the System-Level Continuous Monitoring (SLCM) step tasks outlined in the DAAPM.1
The ISSM/ISSO, with assistance from the ISO, FSO, and system stakeholders, is responsible for the following monitoring tasks, denoted by an M designator:
M-1 – The cyber integration team described in CA-1 (a.1) monitors all technical, management, and operational security controls employed within and inherited by the information system;
M-2 – An ongoing assessment of control effectiveness is conducted using the assessment methods outlined in section (d) below;
M-3 – Assessment output is analyzed and responded to, using one or more of the following tasks:
- M-4 – Ensure the system security documentation (RAR, SSP, POA&M) is updated.
- M-5 – The ISSM reports results to the ISSP/SCA.
- M-6 – Proper decommissioning (disposal) plans are implemented.
- M-7 – Make live updates within eMASS or the Security Control Traceability Matrix (SCTM).2
The continuous monitoring program includes: CCI-000274
a. The establishment of security control numbers as the metrics to be monitored; CCI-002087
b. The DCSA monitoring frequencies defined in DAAPM Appendix A for each security control; CCI-002088, CCI-002089
c. Ongoing security control assessments in accordance with CA-2 and the continuous monitoring strategy (M-1), using independent assessors as required by CA-7(1); CCI-000279
d. Ongoing security status monitoring of the metrics defined in CA-7.a, using the following assessment methods: CCI-002090
ASSESS:TEST
Technical and physical controls (e.g., access, alarms, IS configuration settings, Group/Local Policies) are assessed and/or tested for compliance.
AUDIT:ANALYZE
Records and logs (e.g., training records, maintenance records, visitor logs, and audit logs) are audited and analyzed for completeness, with no gaps or missing entries, to verify compliance.
EXAMINE:REVIEW
Documents and documentation (e.g., policies, MOU/MOA, inventories, baselines, scan and STIG results) are examined and reviewed for relevance and accuracy.
INTERVIEW:OBSERVE
Processes and procedures (e.g., media protection, escorting, couriers, opening/closing) are observed, and selected individuals are interviewed.
e. Security-related information generated by assessments and by monitoring task M-3 is correlated and analyzed, and the results are reported to the ISSM using an information system continuous monitoring checklist;3 CCI-002091
f. Response actions to address the results of that analysis: security documentation is updated and maintained in accordance with task M-4, and security status reports on the security posture are provided to the appropriate officials in accordance with one or more of tasks M-5, M-6, and M-7, via eMASS, or via email and/or telephone for information systems outside eMASS; and CCI-002092
g. The security status of the specific program and the information system is reported to the ISSP/SCA, KMPs, and appropriate Cyber Integration Team members immediately upon any anomaly or issue (e.g., security control deviations, threat environment changes, incidents affecting the system risk level, security-relevant changes). CCI-000280, CCI-000281, CCI-001581
1. DAAPM paragraph 7.7.1 Monitor Step Tasks are inherited as a common control supporting the continuous monitoring program.
2. For systems not recorded in eMASS, updates are made to the system documentation maintained by the ISSM/ISSO.
3. The checklist contains the continuous monitoring checks derived for the information system, and may be in XML (i.e., .ckl) or spreadsheet format.
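The continuous monitoring checklist referred to in footnote 3 may be an XML .ckl file. The following is an added example, not part of the original document and not DCSA or eMASS tooling: it parses a constructed .ckl sample, assuming the STIG Viewer checklist layout (CHECKLIST/STIGS/iSTIG/VULN, with STIG_DATA attribute pairs and a STATUS element), tallies statuses, lists open findings by severity for the POA&M update (task M-4), and reports checks that were never reviewed as gaps rather than passes, which is the distinction the AUDIT:ANALYZE method depends on. All vulnerability numbers, titles and finding details in the sample are invented.

```python
"""Summarize a STIG Viewer .ckl continuous monitoring checklist.

Added example; the checklist below is constructed sample data, not from
the original document. Assumed layout (STIG Viewer .ckl):
CHECKLIST/STIGS/iSTIG/VULN, each VULN holding STIG_DATA pairs
(VULN_ATTRIBUTE / ATTRIBUTE_DATA) plus STATUS and FINDING_DETAILS.
"""
from collections import Counter
import xml.etree.ElementTree as ET

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: two open checks, one passed, one never reviewed.
SAMPLE_CKL = """<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Audit logging must be enabled</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
      <FINDING_DETAILS>auditd service stopped</FINDING_DETAILS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Screen lock must activate after 15 minutes</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
      <FINDING_DETAILS>timeout set to 0</FINDING_DETAILS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Login banner must be displayed</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000004</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Removable media must be restricted</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""


def parse_ckl(xml_text):
    """Return one dict per VULN: vuln_num, severity, title, status, details."""
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.iter("VULN"):
        # Each STIG_DATA element is a (name, value) pair; fold them into a dict.
        attrs = {
            (sd.findtext("VULN_ATTRIBUTE") or ""): (sd.findtext("ATTRIBUTE_DATA") or "")
            for sd in vuln.findall("STIG_DATA")
        }
        findings.append({
            "vuln_num": attrs.get("Vuln_Num", ""),
            "severity": attrs.get("Severity", "").lower(),
            "title": attrs.get("Rule_Title", ""),
            # A VULN with no STATUS at all is treated as never reviewed.
            "status": vuln.findtext("STATUS") or "Not_Reviewed",
            "details": (vuln.findtext("FINDING_DETAILS") or "").strip(),
        })
    return findings


def status_counts(findings):
    """Tally STATUS values (Open, NotAFinding, Not_Applicable, Not_Reviewed)."""
    return Counter(f["status"] for f in findings)


def open_findings(findings):
    """Open checks, highest severity first, for the POA&M update (task M-4)."""
    opened = [f for f in findings if f["status"] == "Open"]
    return sorted(opened, key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["vuln_num"]))


def checklist_gaps(findings):
    """Checks never reviewed: a gap in the monitoring record, not a pass."""
    return [f["vuln_num"] for f in findings if f["status"] == "Not_Reviewed"]


def report_lines(findings):
    """Lines the ISSM would forward (task M-5): status tally, open findings, gaps."""
    lines = [f"{status}: {count}" for status, count in sorted(status_counts(findings).items())]
    for f in open_findings(findings):
        lines.append(f"OPEN {f['severity']:<6} {f['vuln_num']} {f['title']} ({f['details'] or 'no details'})")
    for vuln_num in checklist_gaps(findings):
        lines.append(f"GAP  not reviewed: {vuln_num}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(parse_ckl(SAMPLE_CKL))))
```

Replace SAMPLE_CKL with the contents of an exported .ckl to run it against a real checklist; any non-empty Not_Reviewed list means the checklist is not yet evidence of compliance and should be completed before the results are reported.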