CMMC Practice CA.L2-3.12.3 – Security Control Monitoring: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. The document provides guidelines regarding planning and conducting penetration testing and analyzing and reporting on the findings. This is a methodology to test the operational security of physical locations, human interactions, and all forms of communications such as wireless, wired, analog, and digital. This article describes the steps involved with planning a security test of your network. This guidance helps with understanding the proper commissioning and use of penetration tests. This NIST Special Publication is a guide to the basic technical aspects of conducting information security assessments. OWASP's mission is to help the world improve the security of its software. This link provides information about one methodology for web application penetration testing This link from OWASP provides a list of web security testing tools. The OWASP Top 10 is an awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. This guidance is intended for entities that are required to conduct a penetration test. This is a link to avaliable SANS penetration testing courses. This whitepaper discusses how to properly define, verify, and control the scope of your security assessment. The penetration testing execution standard covers all aspects of conducting a penetration test.
Discussion [NIST SP 800-171 R2]
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements.
NIST SP 800-137 provides guidance on continuous monitoring.
Further Discussion
Provide a plan for monitoring the state of security controls on a recurring basis that occurs more frequently than the periodic assessments discussed in CA.L2-3.12.1. This process provides a mechanism to assess the overall security posture of your organization, which directly relates to activities discussed in CA.L2-3.12.4. As a result, the process not only maintains awareness of vulnerabilities and threats, but it also informs management of the effectiveness of the security controls in determining if security controls are current and for management to make an acceptable risk decision.