This categorization can, in turn, identify the security controls that, if compromised, would result in the most harm to the agency. The security controls selected for monitoring and the frequency of monitoring should be subject to the approval of the information system owner and authorizing officer. The continuous monitoring results should also be considered. This task is concerned with documenting any proposed or actual changes to the agency information system and identifying the impact of those changes on the security of the affected information system and on its accreditation. The configuration management and control task is the responsibility of the information system owner.
Relative to answers b and c, these types of events are taken into account during impact analysis and risk analysis. Answer d is incorrect because risk can never be completely eliminated. FIPS 199 security categories can be used to identify elements that are most critical to the organization and the corresponding security controls that, if compromised, would result in the most damage to the system. Structural testing (gray-box, white-box testing) – Assumes explicit knowledge of the internal structure of the item under assessment (e.g., low-level design, source code implementation representation). The system security plan and the plan of action and milestones are the documents that may have to be updated.
The correct answer is c, examination, by definition. The correct answer is a, the information system owner.
This updating of the security plan and plan of action is critical because the information system owner, certification agent, authorizing official, and senior agency information security officer base subsequent security certification and accreditation activities on these plans. Reaccreditation is required when changes to the information system negatively impact the security of the system or when a period of time has elapsed as specified by agency or federal policy. The objective of these tasks is to continuously observe and evaluate the information system security controls during the system life cycle to determine whether changes have occurred that will negatively impact the system security. This information is, then, reported to the authorizing official and the agency senior security officer. If necessary, reaccreditation is performed to ensure that the information system meets the requirements of the system security plan.
If the assessment reveals that the security controls are not meeting the expected assurance requirements, the system security plan and plan of action have to be updated to indicate corrective actions required. The plan of action and milestones are used by the senior agency information system security officer and the authorizing official to determine whether a security reaccreditation is required. If the decision is that reaccreditation is necessary, the authorizing official will inform the information system owner of the decision. Security control monitoring requires choosing the security controls to be monitored and assessing these controls according to methods determined by the owner of the information system. The selection of controls to be monitored can be supported by using FIPS 199 to determine the security categories of the information and information systems and identify the elements that are most critical to the organization.
An important part of continuous monitoring is documenting the status of the information system and reporting this information to the authorizing official and agency information security officer. Documentation includes making any changes to the system security plan that delineate any changes made or proposed to be made to the information system and updating the plan of action and milestones. These reports are used to meet the FISMA reporting requirements and to determine whether recertification is necessary. If specific threats are applicable to a particular agency, then these threats should be used in the determination of security controls for the agency information systems. FIPS 199 security categories are useful in determining the impact level of a particular threat on the agency systems.
It is usually not feasible or possible to continuously monitor the entirety of security controls in an information system. FIPS 199 security categorizations are useful in determining the importance of different types of information to an agency. The documentation report should be sent to the authorizing official and senior agency information security officer on a regular basis. Documentation includes both making changes to the security plan that address any changes or proposed changes to the information system and updating the plan of action and milestones.
A specified time period has elapsed, requiring the information system to be reauthorized in accordance with federal or agency policy. The information system owner is responsible for updating the system security plan, which should include all changes made to the information system. This updating should be done at reasonable intervals to ensure that significant information system changes are reported. The risk to agency operations, agency assets, or individuals has been increased. Penetration testing – A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under no constraints, attempt to circumvent the security features of an information system.
This activity typically includes checking for weakening of existing controls, exposing new vulnerabilities, or identifying areas where additional security controls are required. If the impact analysis indicates that the security and accreditation posture of the information system is or will be compromised by the information system changes, compensating controls should be initiated and the plan of action should be updated. Any changes should be coordinated with users and other relevant agency personnel.
The agency should apply standard configuration management methods and tools to track proposed or actual changes to the information system, including operating system patches, software upgrades, hardware and firmware changes, and other modifications to the computing environment. Configuration management methods are discussed in detail in Chapters 6 and 7 of this text. Functional testing (black-box testing) – Assumes knowledge of the functional specifications, high-level design, and operating specifications of the item under assessment.
All these personnel will be involved in planning future assessment activities. Continuous monitoring is aimed at determining whether any changes have occurred to the information system security posture following the initial system certification. Operation/maintenance is a component of the system development life cycle and is not one of the elements of continuous monitoring. Answers a and b are incorrect because, at this stage, it has not yet been determined whether new vulnerabilities have been exposed. The information system should be reaccredited because new vulnerabilities have been found that are not adequately protected by existing security control mechanisms.
Based on the changes to the information system described in the system security plan, the information system owner is also responsible for updating the plan of action and milestones document. The plan of action and milestones should include the handling of vulnerabilities identified by the security impact analysis and the status of outstanding issues listed in the plan. The authorizing official, senior agency information security officer, information system owner, and security assessor will be using the updated plans to guide future security assessment activities. Once the proposed or actual changes to information system are identified and placed under configuration management, the next step is to determine the impact of those changes on the security of the information system.
Modifications to the information system have negatively impacted the system security controls. Figure 15-1, from NIST SP A, summarizes the attributes of assessment methods based on the information system impact level. In the other answers, evaluation and validation types are made-up distracters. Black-box testing is another word for functional testing. Answer a, examination, is another SP A assessment method, and answers c and d are made-up distracters.
Continuous monitoring takes place after the initial system security accreditation and involves tracking changes to the information system that occur during its lifetime and determining the impact of those changes on system security. During the lifetime of an information system, necessary changes in hardware, software, and firmware will be implemented. Then, if necessary, appropriate upgrades are made to the security controls, the changes are documented, and the results are reported to the agency authorizing official and senior agency information security personnel. These documents can also be used to meet FISMA requirements for reporting modifications made to address security issues.