Maintaining an up-to-date view of information security risks across an organization is a complex, multifaceted undertaking. It requires the involvement of the entire organization, from senior leadership providing governance and strategic vision, to individuals developing, implementing, and operating individual information systems in support of the organization’s core missions and business functions. Now more than ever, organizations need to engage in continuous monitoring activities.

Additionally, an effective ConMon program requires not only full support from leadership within an organization, it also requires the development and implementation of a wide-range of information security and operational policies, procedures, and processes. The ability to effectively monitor internal controls relating to information security is not a start-and-stop process, rather, a process that’s dynamic, evolving, always striving to meet an organization’s needs for effective oversight of key IT and operational areas.

Your systems are dynamic, undergoing constant changes – this measure alone requires organizations to implement robust ConMon programs. From a scope perspective, ConMon should include, at a minimum, System Level Continuous Monitoring (SLCM) measures, and others, as needed.

And lastly, per the Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM), “...The implementation of a robust continuous monitoring strategy allows an organization to understand the security state of the system over time and maintain the initial security authorization in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business functions. Ongoing monitoring of the security controls is a critical part of risk management.”