Continuous Monitoring CS200 Guide

The Continuous Monitoring Student Guide provides training on the importance of continuous monitoring in safeguarding classified information and national security. It outlines the roles, responsibilities, and strategies involved in risk management, particularly through the National Industrial Security Program (NISP) and various security policies. The guide emphasizes the necessity of continuous monitoring to detect and mitigate threats to information systems across government and industry sectors.


Continuous Monitoring

Student Guide

May 2024

Center for Development of Security Excellence


Continuous Monitoring Student Guide

Lesson 1: Course Introduction

Introduction
Welcome
Ensuring security requirements are implemented on classified contracts is essential to protect classified information and national security. However, without continuous monitoring how can you be sure that your information systems are effectively detecting, deterring, and mitigating risks from insider threats, adversarial exploitation, compromise, or other unauthorized disclosures? The continuous monitoring process includes a formal change control methodology for all security-relevant aspects of the information system to protect classified and unclassified information.

Adversaries attack the weakest link … where is yours? Have you reported activities discovered through continuous monitoring and audits of your information systems? Welcome to the Continuous Monitoring course.

Objectives
This course provides awareness training on the role of continuous monitoring of information systems in risk management. It explores continuous monitoring strategy and tasks and the roles and responsibilities for continuous monitoring to identify and mitigate vulnerabilities and threats to government information systems, contractor systems processing government information, and technology infrastructure.

Here are the course objectives.

• Identify the role of continuous monitoring through risk management
• Examine how Information Security Continuous Monitoring (ISCM) supports the three-tiered approach to risk management
• Describe how configuration management controls enable continuous monitoring
• Examine audit log support to continuous monitoring
• Understand counterintelligence and cybersecurity personnel support to continuous monitoring

May 2024 Center for Development of Security Excellence Page 1


Lesson 2: Risk Management

Introduction
Objectives
The United States’ digital infrastructure is a strategic national asset. Protecting the networks and computers that deliver essential services such as our oil and gas, power, and water is a national security priority. The private sector owns and operates more than 90% of U.S. critical assets. These are systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. These risks mean that information security solutions must be broad-based, consensus-driven, and address the ongoing needs of and risks to the government and industry.

Here are the lesson objectives.

• Identify the role of continuous monitoring through risk management
  o Recognize the Risk Management Framework (RMF) and the role of continuous monitoring
  o Identify the important role of the National Industrial Security Program (NISP) in continuous monitoring
  o Recognize security policy and guidance that supports continuous monitoring of information systems
  o Distinguish the roles and responsibilities for continuous monitoring
  o Identify how the RMF supports risk management

NISP Overview
National Industrial Security Program
While U.S. industry develops and produces the majority of our nation's technology, much of it is classified by the U.S. government.

The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry safeguards classified information in its possession while performing work on contracts, programs, bids, or research and development efforts. The NISP is a partnership between the federal government and private industry to safeguard classified information. It applies to all Executive Branch departments and agencies and to contractors within the U.S. and its territories.

The 32 Code of Federal Regulations (CFR) Part 117, National Industrial Security Program Operating Manual (NISPOM) rule, defines the requirements, restrictions, and safeguards that industry must follow. These protections are in place before any classified work may begin. As critical assets are increasingly vulnerable to attack from an array of cyber threats, Government agencies have the responsibility to ensure contractor systems' compliance with security requirements and continuous monitoring.

Government and Industry Roles

Regardless of where the classified work takes place, at a minimum, the facility must adhere to the NISP and the prescribed requirements, restrictions, and other safeguards defined in the NISPOM rule to prevent unauthorized disclosure of classified information. It is the Government’s role to establish requirements, advise and assist, and provide oversight in the NISP. Industry’s role is to implement the security requirements defined in the NISPOM rule and the contract.

Security Policy and Guidance for Continuous Monitoring

Continuous monitoring of information systems is a requirement and a necessity to prevent loss of classified information, proprietary industry technology and innovation, and personal data. The continuous monitoring requirement for information systems applies to industry, federal agencies, and DOD enterprise security personnel.

NISPOM Rule
The NISPOM rule (32 CFR Part 117) prescribes the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information. The rule implements policy, assigns responsibilities, establishes requirements, and provides procedures consistent with:

• Executive Order 12829, “National Industrial Security Program”
• Executive Order 10865, “Safeguarding Classified Information within Industry”
• 32 CFR Part 2004, “National Industrial Security Program”

That guidance outlines the protection of classified information that is disclosed to, or developed by, contractors of the U.S. Government.

The NISPOM rule provides detailed industrial security policy and operating instructions for contractors. 32 CFR 117.18, Information System Security, delineates the responsibilities, common requirements, protection measures, and requirements for classified systems.

• 117.18(a)(1) Contractor information systems that are used to capture, create, store, process, or distribute classified information must be properly managed to protect against unauthorized disclosure of classified information. The contractor will implement protective measures using a risk-based approach that incorporates minimum standards for their insider threat program in accordance with CSA-provided guidance.
• 117.18(b)(6) Change control processes to accommodate configuration management and to identify security-relevant changes that may require re-authorization of the information system.
• 117.18(c)(2) Contractors that are or will be processing classified information on an information system will appoint an employee ISSM.
• 117.18(c)(3) The ISSM may assign an ISSO.
• 117.18(c)(4) All information system users will be accountable for their actions.
• 117.18(d)(e) Keeping contractor management informed to facilitate risk management decisions.

You will learn more about audit capability in continuous monitoring in Lesson 5.

NIST
The National Institute of Standards and Technology (NIST) provides valuable guidance for protection of information systems, published in the following NIST Special Publications:

• NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
• NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
• NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations

These NIST SPs were published in accordance with the provisions of the Federal Information Security Modernization Act (FISMA). These standards, as well as DOD policy and guidance, also support the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. This policy and guidance supports the Presidential Memorandum of November 21, 2012 that mandates monitoring of classified information systems.


NIST Special Publication (SP) / Description

NIST SP 800-37, revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
• Provides guidelines for applying the Risk Management Framework (RMF)
• Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes

NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• Provides guidance on the development and implementation of an ISCM program that:
  o Supports threat/vulnerability awareness
  o Provides visibility into organizational assets
  o Provides effective, measurable security controls

NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
• Addresses how information system components are networked, configured, and managed to provide adequate information security and support an organization’s risk management process.

NIST SP 800-53, revision 5, Security and Privacy Controls for Information Systems and Organizations
• Provides guidance on security and privacy controls for federal information systems, including selection and customization

DOD Policy and Guidance

As cybersecurity issues continue to arise and evolve into deeper and more complex threats and vulnerabilities, it is important to recognize the key guidance for maintaining secure information systems.

DOD Policy/Guidance / Description

DODD 5205.16, The DOD Insider Threat Program
• Calls for “an integrated capability to monitor and audit information for insider threat detection and mitigation.”

DODD 5240.06, Counterintelligence Awareness and Reporting (CIAR)
• Provides guidance on reportable foreign intelligence contacts, activities, indicators, and behaviors related to the requirement for continuous monitoring.

DODI 8500.01, Cybersecurity
• Calls for the implementation of “a multi-tiered cybersecurity risk management process to protect U.S. interests, DOD operational capabilities, and DOD individuals, organizations, and assets.”
• Requires “operational resilience using automation in support of cybersecurity objectives including …continuous monitoring …”

DODI 8510.01, Risk Management Framework (RMF)
• States that “cybersecurity requirements for DOD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Rev 2.”
• Defines continuous monitoring in the RMF

CNSSI 1253, Categorization and Control Selection for National Security Systems
• Provides guidance on control selection within the RMF

Review Activities
Review Activity 1
Which of the following are important roles of the NISP in continuous monitoring?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

 To establish organizational business processes
 To ensure that cleared industry safeguards classified information and information systems
 To protect critical assets
 To thwart foreign adversaries and insider threats to information systems

Review Activity 2
Indicate the policy guidance to which the description applies. For each statement, select the best response. Check your answer in the Answer Key at the end of this Student Guide.

Statement 1 of 3. This implements policy, assigns responsibilities, establishes requirements, and provides procedures for the protection of classified information that is disclosed to, or developed by, contractors of the U.S. Government.

 National Industrial Security Program Operating Manual (NISPOM) Rule
 National Institute of Standards and Technology Special Publication (NIST SP)
 DOD Policy and Guidance

Statement 2 of 3. These policies and guidance establish the requirement for an integrated and continuous capability to monitor and audit for threats and vulnerabilities from internal and external sources.

 NISPOM Rule
 NIST SP
 DOD Policy and Guidance

Statement 3 of 3. These publications provide detailed guidance on the development and implementation of an Information Security Continuous Monitoring (ISCM) program and security-focused configuration management.

 NISPOM Rule
 NIST SP
 DOD Policy and Guidance

Risk Management Framework (RMF) Overview

Risk and Risk Assessment
Is a “threat” the same as a “vulnerability” to an information system? A threat may be defined as a potential for the accidental or deliberate compromise of security. A weakness or lack of controls that could facilitate, or allow, a compromise is considered a vulnerability. Risk is the possibility that a threat will adversely impact an information system by exploiting a vulnerability. These threats and vulnerabilities are mitigated through the risk assessment process. Risk assessment is the process of analyzing threats and vulnerabilities of an information system and the potential impact resulting from the loss of information or capabilities of a system. This analysis is used as a basis for identifying appropriate and cost-effective security countermeasures.

RMF Purpose and Benefits

Cybersecurity requirements for DOD information technologies are managed through the RMF consistent with the principles established in NIST SP 800-37 Revision 2, 800-53, 800-53A, and Committee on National Security Systems Instruction (CNSSI) 1253. There are four overarching purposes of the RMF process. The RMF process informs acquisition processes for all DOD systems, including requirements development, procurement, developmental test and evaluation (DT&E), operational T&E (OT&E), and sustainment; but it does not replace these processes. The process also implements cybersecurity through the use of security controls and emphasizes continuous monitoring and timely correction of deficiencies. The RMF process adopts reciprocity and codifies reciprocity tenets with procedural guidance.

Term / Definition
Reciprocity Tenets: Reciprocal acceptance of authorization decisions and artifacts within DOD, and between DOD and other federal agencies, for the authorization and connection of information systems (ISs).

RMF Benefits
There are significant benefits that result from enterprise risk management. Integrated risk management ensures traceability and transparency of risk-based decisions. Enterprise risk management ensures organization-wide risk awareness and operational resilience: information resources are trustworthy, missions are ready for information resource degradation or loss, and network operations have the means to prevail in the face of adverse events. Another benefit of enterprise risk management is to ensure operational integration. Cybersecurity is fully integrated into system life cycles and is a visible element of organizational portfolios. Finally, it ensures interoperability through adherence to DOD architecture principles, use of a risk-based approach, and management of the risk inherent in interconnecting systems.

RMF 3-Tiered Approach

The RMF presents a 3-tiered approach to risk management.

Tier 1 is the Organization level. Risk management at Tier 1 addresses risk across the entire organization and informs Tiers 2 and 3 of risk context and risk decisions made at Tier 1.

Tier 2 is the Mission/Business Process level. Tier 2 addresses risk from a mission/business process perspective and is informed by risk context, risk decisions, and risk activities at Tier 1.

Tier 3, the Information System level, addresses risk from an information system and platform information technology system perspective and is guided by the risk context, decisions, and activities at Tiers 1 and 2.

Security-related information is obtained and acted on at Tier 3 and is communicated to Tiers 1 and 2 to be incorporated into organization-wide and mission/business process risk determinations. The ISCM program assessment verifies the flow of information between tiers. It ensures traceability and transparency of risk-based decisions as well as organization-wide risk awareness.

RMF 7-Step Process

There are seven steps in the RMF process:

• Prepare
• Categorize System
• Select Security Controls
• Implement Security Controls
• Assess Security Controls
• Authorize System
• Monitor Security Controls

Review Activity
Review Activity 3
Which of the following identify how the RMF supports risk management?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

 The RMF process ensures that business process decisions can override user information system concerns.
 The RMF process provides a flexible approach with decision-making at Tier 3.
 The RMF process ensures traceability and transparency across all levels of the organization.
 The RMF process emphasizes continuous monitoring and timely correction of deficiencies.

Risk Management Roles and Responsibilities

Roles and Responsibilities Overview
Risk Management implementation requires the effort of key professionals at all levels.

CIO

The chief information officer is an organizational official responsible for designating a senior agency information security officer; developing and maintaining security policies, procedures, and control techniques to address security requirements; overseeing personnel with significant responsibilities for security and ensuring that the personnel are adequately trained; assisting senior organizational officials concerning their security responsibilities; and reporting to the head of the agency on the effectiveness of the organization’s security program, including progress of remedial actions. The chief information officer, with the support of the senior accountable official for risk management, the risk executive (function), and the senior agency information security officer, works closely with authorizing officials and their designated representatives to help ensure that:

• An organization-wide security program is effectively implemented resulting in adequate security for all organizational systems and environments of operation.
• Security and privacy (including supply chain) risk management considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, the SDLC, and acquisitions.
• Organizational systems and common controls are covered by approved system security plans and possess current authorizations.
• Security activities required across the organization are accomplished in an efficient, cost-effective, and timely manner.
• There is centralized reporting of security activities.

Senior Agency Information Security Officer

The senior agency information security officer is an organizational official responsible for carrying out the chief information officer security responsibilities under FISMA and serving as the primary liaison for the chief information officer to the organization’s authorizing officials, system owners, common control providers, and system security officers. The senior agency information security officer is also responsible for coordinating with the senior agency official for privacy to ensure coordination between privacy and information security programs. The senior agency information security officer possesses the professional qualifications, including training and experience, required to administer security program functions; maintains security duties as a primary responsibility; and heads an office with the specific mission and resources to assist the organization in achieving trustworthy, secure information and systems in accordance with the requirements in FISMA. The senior agency information security officer may serve as authorizing official designated representative or as a security control assessor. The role of senior agency information security officer is an inherent U.S. Government function and is therefore assigned to government personnel only. Organizations may also refer to the senior agency information security officer as the senior information security officer or chief information security officer.

Risk Executive (Function)

The risk executive (function) is an individual or group within an organization that provides a comprehensive, organization-wide approach to risk management.

The risk executive (function) ensures that risk considerations for systems (including authorization decisions for those systems and the common controls inherited by those systems) are viewed from an organization-wide perspective regarding the organization’s strategic goals and objectives in carrying out its core missions and business functions. The risk executive (function) ensures that managing risk is consistent throughout the organization, reflects organizational risk tolerance, and is considered along with other types of risk to ensure mission/business success.

Principal Authorizing Officials (PAOs)

• Appointed for each DOD mission area (MA) and represent the mission area interests
• As required, issue authorization guidance specific to the MA, consistent with DOD Instruction 8510.01
• Resolve authorization issues within the mission area and work with other PAOs to resolve issues among mission areas
• Designate AOs for mission area IS and Platform Information Technology (PIT) systems
• Designate information security architects or IS security engineers for MA segments or systems of systems, as needed

DOD Component Chief Information Officer (CIO)

• Responsible for administration of the RMF within the DOD Component cybersecurity program
• Participates in the RMF Technical Advisory Group (TAG)
• Shares the RMF status of assigned ISs and PIT systems
• Enforces training requirements for persons participating in the RMF

DOD Component Senior Information Security Officer (SISO)

• Has authority and responsibility for security controls assessment
• Establishes and manages a coordinated security assessment process for information technologies governed by the DOD Component cybersecurity program
• Advises AOs

AO
Authorizing Official

• Ensures all appropriate RMF tasks are initiated and completed, with appropriate documentation, for assigned systems
• Monitors and tracks overall execution of system-level Plans of Action and Milestones (POA&Ms)
• Reviews and approves the security categorizations of information systems
• Reviews and approves system security plans
• Reviews security status reports from continuous monitoring operations; initiates reaccreditation actions
• Promotes reciprocity to the maximum extent possible
• Does NOT delegate authorization decisions
• Has the authority to formally assume responsibility and accountability for operating a system
• Provides common controls inherited by organizational systems
• Has a level of authority commensurate with understanding and accepting such security and privacy risks
• Approves plans, memorandums of agreement or understanding, and plans of action and milestones, and determines whether significant changes in the information systems or environments of operation require reauthorization

Note: Has inherent U.S. Government authority and is assigned to Government personnel only

AODR
Authorizing Official Designated Representative

• Is designated by the AO
• Empowered to act on behalf of the AO to coordinate and conduct the day-to-day activities associated with managing risk to information systems and organizations

The only activity that cannot be delegated by the authorizing official to the designated representative is the authorization decision and signing of the associated authorization decision document (i.e., the acceptance of risk).

ISO
Information System Owner

• In coordination with the information owner (IO), categorizes systems
• Prepares plan of action and milestones to reduce or eliminate vulnerabilities in the information system
• Appoints user representative (UR) for assigned ISs and PIT systems
• Develops, maintains, and tracks security plans
• Conducts and participates in risk assessments

System User
The system user is an individual or (system) process acting on behalf of an individual that is authorized to access information and information systems to perform assigned duties. System user responsibilities include, but are not limited to, adhering to organizational policies that govern acceptable use of organizational systems; using the organization-provided information technology resources for defined purposes only; and reporting anomalous or suspicious system behavior.

ISSM
Information System Security Manager

• Develop and maintain an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures.
• Ensure that information owners and stewards associated with DOD information received, processed, stored, displayed, or transmitted on each DOD IS and PIT system are identified in order to establish accountability, access approvals, and special handling requirements.
• Maintain a repository for all organizational or system-level cybersecurity-related documentation.
• Ensure that Information System Security Officers (ISSOs) are appointed in writing and provide oversight to ensure that they are following established cybersecurity policies and procedures.
• Monitor compliance with cybersecurity policy, as appropriate, and review the results of such monitoring.
• Ensure that cybersecurity inspections, tests, and reviews are synchronized and coordinated with affected parties and organizations.
• Ensure implementation of IS security measures and procedures.
• Ensure that the handling of possible or actual data spills of classified information resident in ISs is conducted in accordance with policy.
• Act as the primary cybersecurity technical advisor to the AO for DOD IS and PIT systems under their purview.
• Ensure that cybersecurity-related events or configuration changes that may impact DOD IS and PIT system authorization or security posture are formally reported to the AO and other affected parties.
• Ensure the secure configuration and approval of IT below the system level in accordance with applicable guidance prior to acceptance into or connection to a DOD IS or PIT system.

ISSO
Information System Security Officer

• Assist the ISSMs in meeting their duties and responsibilities.
• Implement and enforce all DOD IS and PIT system cybersecurity policies and procedures, as defined by cybersecurity-related documentation.
• Ensure that all users have the requisite security clearances and access authorization and are aware of their cybersecurity responsibilities for DOD IS and PIT systems under their purview before being granted access to those systems.
• In coordination with the ISSM, initiate protective or corrective measures when a cybersecurity incident or vulnerability is discovered and ensure that a process is in place for authorized users to report all cybersecurity-related events and potential threats and vulnerabilities to the ISSO.
• Ensure that all DOD IS cybersecurity-related documentation is current and accessible to properly authorized individuals.

Review Activity
Review Activity 4
Indicate the tier to which the activity description applies. For each statement, select the best response. Check your answer in the Answer Key at the end of this Student Guide.

Statement 1 of 3. Information System Owner (ISO) categorizes systems at this level.

 Tier 1: Organization
 Tier 2: Mission/Business Process
 Tier 3: Information Systems

Statement 2 of 3. The DOD Component SISO has authority and responsibility for security controls assessment at this level.

 Tier 1: Organization
 Tier 2: Mission/Business Process
 Tier 3: Information Systems

Statement 3 of 3. Authorizing Officials (AOs) monitor and track overall execution of system-level POA&Ms. AOs cannot delegate authorization decisions.

 Tier 1: Organization
 Tier 2: Mission/Business Process
 Tier 3: Information Systems

May 2024 Center for Development of Security Excellence Page 15


Con�nuous Monitoring Student Guide

Lesson 3: Continuous Monitoring Strategy and Tasks

Introduction
Objectives
Cyber systems and networks are fundamental to all facets of daily life and work, whether you are
conduc�ng an ATM transac�on, making a flight reserva�on, or designing an engineering spec on a
computer. In this lesson, you will delve into the informa�on system con�nuous monitoring (ISCM)
process as described in the Na�onal Ins�tute of Standards and Technology (NIST) Special Publica�on
800-137. Then you will examine the ISCM tasks.

Here are the learning objec�ves for this lesson.

• Examine how ISCM supports the three-�ered approach to risk management


• Dis�nguish how the ISCM strategy supports the three-�ered approach to risk management
• Match the ISCM tasks to the ISCM process

Information System Continuous Monitoring Overview


What is ISCM?
ISCM is defined as maintaining ongoing awareness of information security, vulnerabilities, and
threats to support organizational risk management decisions. ISCM is first an organization-wide risk
management responsibility and only then a system-level one; it also covers the mission and business
process tier in between. ISCM encompasses all of the people, policies, processes, technologies, and
standards that are used to perform the continuous monitoring function. It is an enabling process that
supports or provides organizational sustainment in the face of cybersecurity threats and risks.

ISCM Strategy
ISCM metrics originating at the information systems tier can be used to assess, respond to, and
monitor risk across the organization. In order to effectively address ever-increasing security
challenges, a well-designed ISCM strategy addresses three facets: monitoring and assessment of
security controls for effectiveness, security status monitoring, and security status reporting.

Let’s examine the tasks associated with each facet of the strategy.

Configuration management and security control monitoring and assessment tasks include
consolidating documentation and supporting materials, including assessment methods and
procedures. Tasks also include conducting the security assessment and the security impact analysis
on changes to the system and submitting the security assessment report (SAR).

Security status monitoring tasks include selecting the security controls to be monitored and the
frequency with which they are assessed. The assessment frequency is based on drivers from all three
tiers.




Security status reporting tasks include updating the System Security Plan (SSP) and the POA&M. The
last part of this strategy leg is designed to report weaknesses. The status report describes threats,
vulnerabilities, and security control effectiveness for the information systems.

Term: SSP (System Security Plan). Formal document that provides an overview of the security
requirements for an information system and describes the security controls in place or planned for
meeting those requirements.

Term: POA&M (Plan of Action and Milestones). Reports progress on items in the SSP; identifies
weaknesses, resources, milestones, and completion dates; and evaluates response and mitigation
actions.

ISCM – Three-Tiered Approach


An organization-wide approach to continuous monitoring of information and information system
security supports risk-related decision-making at the organization level (Tier 1), the mission/business
processes level (Tier 2), and the information systems level (Tier 3).

TIER 1 Organization
At the organization level, risk management activities address high-level information security
governance policy as it relates to risk to the organization as a whole, to its core missions, and to
its business functions.

While ISCM strategy, policy, and procedures may be developed at any tier, typically, the
organization-wide ISCM strategy and associated policy are developed at the organization tier
with general procedures for implementation developed at the mission/business processes tier.
Tier 1 addresses risk from an organizational perspective by establishing and implementing
governance structures that are consistent with the strategic goals and objectives of organizations
and the requirements defined by federal laws, directives, policies, regulations, standards, and
missions/business functions. The criteria for ISCM are defined by the organization’s risk
management strategy, including how the organization plans to assess, respond to, and monitor
risk, and the oversight required to ensure that the risk management strategy is effective. Security
controls, security status, and other metrics defined and monitored by officials at this tier are
designed to deliver information necessary to make risk management decisions in support of
governance.

TIER 2 Mission/Business Processes


If the organization-wide strategy is developed at the mission/business processes tier, Tier 1
officials review and approve the strategy to ensure that organizational risk tolerance across all
missions and business processes has been appropriately considered. This information is
communicated to staff at the mission/business processes and information systems tiers. It is
reflected in Tier 2 and Tier 3’s strategy, policy, and procedures. Tier 2 addresses risk from a
mission/business process perspective by designing, developing, and implementing
mission/business processes that support the missions/business functions defined at Tier 1. The
Tier 2 criteria for continuous monitoring of information security are defined by:

• How core mission/business processes are prioritized with respect to the overall goals
and objectives of the organization
• Types of information needed to execute the stated mission/business processes
successfully
• Organization-wide information security program strategy

Controls in the Program Management (PM) family are an example of Tier 2 security controls.
They address the establishment and management of the organization’s information security
program and establish the minimum frequency with which each security control or metric is to
be assessed or monitored.

TIER 3 Information Systems


ISCM activities at Tier 3 address risk management from an information system perspective. The
risk management activities at Tier 3 reflect the organization’s risk management strategy and any
risk related to the cost, schedule, and performance requirements for individual systems
supporting the mission/business functions of organizations. These include:

• Ensuring that all system-level security controls (technical, operational, and management
controls)
o Are implemented correctly
o Operate as intended
o Produce the desired outcome with respect to meeting the security requirements
for the system
o Continue to be effective over time
• Assessing and monitoring hybrid and common controls implemented at the system level
• Ensuring that security-related information supports the monitoring requirements of
other organizational tiers

Security status reporting at this tier often includes, but is not limited to:
– Security alerts
– Security incidents
– Identified threat activities




ISCM Processes
ISCM supports organizational risk management decisions, including risk response decisions, ongoing
system authorization decisions, and POA&M resource and prioritization decisions. ISCM incorporates
processes to assure that response actions are taken in accordance with findings and organizational
risk tolerances and have the intended effects.

ISCM user data needs vary by tier. Careful design of ISCM capabilities provides each user with
the data content in the format they need and with the frequency of data collection they require to
make effective decisions. System administrators at Tier 3 may be interested in technical details to
support system-level actions such as configuration changes. Management officials at Tier 1 may be
more interested in aggregated data to enable organization-wide decision making, such as changes in
security policies, an increase in resources for security awareness programs, or modifications to the
security architecture.

Review Activity
Review Activity 1
Identify the tier that each ISCM strategy statement supports. Select the best response. Check your
answer in the Answer Key at the end of this Student Guide.

Statement 1 of 3. ISCM strategy at this level is focused on the controls that address the
establishment and management of the organization’s information security program, including
establishing the minimum frequency with which each security control or metric is to be assessed or
monitored.

 Tier 1
 Tier 2
 Tier 3

Statement 2 of 3. ISCM strategy at this level is focused on high-level information security governance
policy as it relates to risk to the organization as a whole, to its core missions, and to its business
functions.

 Tier 1
 Tier 2
 Tier 3

Statement 3 of 3. ISCM strategy at this level is focused on ensuring that all system-level security
controls are implemented correctly, operate as intended, produce the desired outcome with respect
to meeting the security requirements for the system, and continue to be effective over time.

 Tier 1
 Tier 2
 Tier 3




Continuous Monitoring Process and Major Tasks


Continuous Monitoring Process Steps
The process for developing an ISCM strategy and implementing the program consists of six steps
that map to risk tolerance, adapt to ongoing needs, and actively involve management. Risk
tolerance, enterprise architecture, security architecture, security configurations, plans for changes to
the enterprise architecture, and available threat information provide data that is fundamental to the
execution of these steps and to ongoing management of information security-related risks. Security-
related information is analyzed for its relevance to organizational risk management at all three tiers.

Process Step: Description

Define: Define an ISCM strategy based on risk tolerance that maintains clear visibility into assets,
awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.

Establish: Establish an ISCM program, determining metrics, status monitoring frequencies, control
assessment frequencies, and an ISCM technical architecture.

Implement: Implement the ISCM program and collect the security-related information required for
metrics, assessments, and reporting. Automate collection, analysis, and reporting of data where
possible.

Analyze/Report: Analyze the data collected and report findings, determining the appropriate
response. It may be necessary to collect additional information to clarify or supplement existing
monitoring data.

Respond: Respond to findings with technical, management, and operational mitigating activities, or
with acceptance, transference/sharing, or avoidance/rejection of the risk.

Review and Update: Review and update the monitoring program, adjusting the ISCM strategy and
maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities,
further enable data-driven control of the security of an organization’s information infrastructure, and
increase organizational resilience.

Risk Tolerance
At the organization level, the Risk Executive Function determines the overall organizational risk
tolerance and risk mitigation strategy. Within the NISP, however, the organizational structure differs
from that of a government entity. Although the systems are contractor systems, it is the responsibility
of the government to accept the risk associated with their operation, so the government carries more
of the organization-level responsibility. As Tiers 1 and/or 2 develop the policies, procedures, and
templates that facilitate organization-wide, standardized processes in support of the ISCM strategy,
risk tolerance is part of the equation. Policies and procedures to mitigate risk are fundamental to an
effective ISCM strategy and address:

• Key metrics
• Status monitoring and reporting
• Assessing risk and gaining threat information
• Configuration management and security impact analysis
• Implementation and use of tools
• Monitoring frequencies
• Sample sizes and populations
• Security metrics and data sources

ISCM Strategy – Tier 1/Tier 2 Inputs and Outputs


The primary roles for defining the ISCM strategy are performed by the Risk Executive Function, CIO,
Senior Agency Information Security Officer, and AOs. The ISO performs a supporting role.

Decisions and activities by Tier 1 and 2 officials may be constrained by factors such as
mission/business needs, limitations of the infrastructure (including the human components),
immutable governance policies, and external drivers. The expected inputs to the ISCM strategy are
the organizational risk assessment and current risk tolerance, current threat information,
organizational expectations and priorities, and available tools. Automated support tools include
vulnerability scanning tools and network scanning devices. The expected outputs are updated
information on organizational risk tolerance, the organization-wide ISCM strategy and its associated
policy, procedures, templates, and tools.

When implementing policies, procedures, and templates developed at higher tiers, lower tiers fill in
any gaps related to their tier-specific processes.

Available Tools
Consideration is given to ISCM tools that pull information from a variety of sources. These
sources can include assessment objects such as the number and types of tests conducted on source
code, number of software modules reviewed, number of network nodes and mobile devices
scanned for vulnerabilities, and number of individuals interviewed to check basic understanding
of contingency responsibilities. Other considerations in selecting ISCM tools include:

• Use open specifications such as the Security Content Automation Protocol (SCAP)
• Offer interoperability with other products such as help desk, inventory management,
configuration management, and incident response solutions
• Support compliance with applicable federal laws, Executive Orders, directives, policies,
regulations, standards, and guidelines
• Provide reporting with the ability to tailor output and drill down from high-level,
aggregate metrics to system-level metrics. Metrics determined through ISCM provide
important information about the security posture across the organization and relative to
individual systems and inform the risk management process.
• Allow for data consolidation into Security Information and Event Management (SIEM)
tools and dashboard products
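The tool criteria above (open specifications such as SCAP, drill-down from aggregate to system-level metrics, consolidation into dashboards) can be shown concretely with a small consolidation script. The following Python is an added example written for this guide; it is not code from NIST, CDSE, or any SCAP product. The two XCCDF 1.2 TestResult documents in it are constructed samples, and the system names and rule identifiers are hypothetical. The script parses the rule-result elements a scanner would emit for each system, builds a Tier 3 view (the failed rule ids an administrator acts on) and a Tier 1 roll-up (organization pass rate, failures by severity, systems below a pass-rate threshold), and keeps XCCDF results such as notchecked and error apart as "unresolved", because those are the cases where the Analyze/Report step has to collect additional information rather than count a pass.

```python
"""Consolidate SCAP/XCCDF 1.2 assessment results into ISCM metrics that
drill down from an organization-wide view to individual systems.

Added example for this guide; not part of the NIST or CDSE material.
The two TestResult documents below are constructed samples that follow the
XCCDF 1.2 rule-result structure a SCAP scanner emits; the system names and
rule ids are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
RULE_RESULT = f"{{{XCCDF_NS}}}rule-result"
RESULT = f"{{{XCCDF_NS}}}result"
# XCCDF result values that mean the state is not actually known yet; they
# feed the Analyze/Report step's "collect additional information".
UNRESOLVED = {"error", "unknown", "notchecked"}

SAMPLE_RESULTS = {  # constructed: one TestResult document per system
    "WS-001": f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_ws001">
  <rule-result idref="rule_ssh_disable_root_login" severity="high"><result>pass</result></rule-result>
  <rule-result idref="rule_audit_log_enabled" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="rule_guest_account_disabled" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="rule_smb_v1_disabled" severity="high"><result>fail</result></rule-result>
  <rule-result idref="rule_wireless_disabled" severity="low"><result>notapplicable</result></rule-result>
</TestResult>""",
    "SRV-002": f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_srv002">
  <rule-result idref="rule_ssh_disable_root_login" severity="high"><result>pass</result></rule-result>
  <rule-result idref="rule_audit_log_enabled" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="rule_guest_account_disabled" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="rule_smb_v1_disabled" severity="high"><result>pass</result></rule-result>
  <rule-result idref="rule_patch_level_current" severity="high"><result>fail</result></rule-result>
  <rule-result idref="rule_ntp_configured" severity="low"><result>notchecked</result></rule-result>
</TestResult>""",
}


def parse_test_result(xml_text):
    """Return one dict per rule-result: rule id, severity, and result value."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(RULE_RESULT):  # works whether or not a Benchmark wraps it
        res = rr.find(RESULT)
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": (res.text or "").strip() if res is not None else "unknown",
        })
    return rows


def system_metrics(rule_results):
    """Tier 3 view: counts plus the failed rule ids an administrator acts on."""
    passed = [r for r in rule_results if r["result"] == "pass"]
    failed = [r for r in rule_results if r["result"] == "fail"]
    unresolved = [r for r in rule_results if r["result"] in UNRESOLVED]
    applicable = len(passed) + len(failed)  # notapplicable/notselected are excluded
    return {
        "applicable": applicable,
        "passed": len(passed),
        "failed": len(failed),
        "unresolved": len(unresolved),
        "pass_rate": len(passed) / applicable if applicable else None,
        "failed_by_severity": dict(Counter(r["severity"] for r in failed)),
        "failed_rules": [r["rule"] for r in failed],
    }


def organization_metrics(per_system, min_pass_rate=0.75):
    """Tier 1 view: aggregate numbers plus the systems that miss the threshold."""
    applicable = sum(m["applicable"] for m in per_system.values())
    passed = sum(m["passed"] for m in per_system.values())
    by_severity = Counter()
    for m in per_system.values():
        by_severity.update(m["failed_by_severity"])
    below = sorted(name for name, m in per_system.items()
                   if m["pass_rate"] is not None and m["pass_rate"] < min_pass_rate)
    return {
        "systems_assessed": len(per_system),
        "applicable": applicable,
        "passed": passed,
        "failed": applicable - passed,
        "unresolved": sum(m["unresolved"] for m in per_system.values()),
        "pass_rate": passed / applicable if applicable else None,
        "failed_by_severity": dict(by_severity),
        "systems_below_threshold": below,
    }


def build_report(results_by_system, min_pass_rate=0.75):
    """Per-system metrics keep the drill-down detail; the organization block rolls them up."""
    systems = {name: system_metrics(parse_test_result(xml))
               for name, xml in results_by_system.items()}
    return {"systems": systems,
            "organization": organization_metrics(systems, min_pass_rate)}


if __name__ == "__main__":
    report = build_report(SAMPLE_RESULTS)
    org = report["organization"]
    print(f"Organization: {org['passed']}/{org['applicable']} applicable checks pass, "
          f"{org['unresolved']} unresolved, below threshold: {org['systems_below_threshold']}")
    for name in org["systems_below_threshold"]:  # drill down to the Tier 3 detail
        print(f"  {name}: failed rules {report['systems'][name]['failed_rules']}")
```

The same per-system dictionaries are what a SIEM or dashboard product would ingest; the point of keeping the failed rule ids on the system record rather than only the counts is that the aggregate number a Tier 1 official sees can be traced back to the specific rule an administrator must fix.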

ISCM Strategy – Tier 3 Inputs and Outputs


Although the ISCM strategy is defined at Tiers 1 or 2, system-specific policy and procedures for
implementation are also developed at Tier 3. Primary roles at this tier include the ISO and ISSO,
supported by the Senior Agency Information Security Officer, AO, and Security Control Assessor.

Tier 3 strategy is based on Government-provided guidance, such as NIST SP 800-137 and the NISPOM.

Inputs to the Tier 3 ISCM strategy include information from Tiers 1 and 2, such as organizational risk
tolerance information and the organizational ISCM strategy, policy, procedures, and templates. System-
specific threat information and system information such as the System Security Plan, Security
Assessment Report, Plan of Action and Milestones, Security Assessment Plan, and System Risk
Assessment are essential inputs as well. System owners establish a system-level strategy for ISCM by
considering factors such as the system’s architecture and operational environment. ISOs also
consider organizational and mission-level requirements as well as drivers from all three tiers to
determine assessment frequencies of security controls.

The expected output is a system-level ISCM strategy that complements the Tier 1 and 2 strategies
and the organizational security program. This system-level strategy will also provide security status
information for all tiers and real-time updates for ongoing system authorization decisions as directed
by the organizational ISCM strategy.
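As an added illustration of how drivers from all three tiers combine into an assessment frequency at Tier 3, the following Python was written for this guide and is not NIST or CDSE code; the controls, driver names, interval values, and dates in it are constructed and hypothetical, and real values come from the organization's ISCM strategy. It takes the shortest interval among a control's drivers as the effective frequency (a Tier 1 policy maximum that Tier 2 program requirements and Tier 3 factors such as control volatility can only tighten), derives each control's next due date from its last assessment, and lists the controls that are due, overdue, or last failed as input to the POA&M.

```python
"""Derive security control assessment frequencies from Tier 1/2/3 drivers and
produce the monitoring schedule a system owner tracks at Tier 3.

Added example for this guide; not part of the NIST or CDSE material. The
controls, driver names, intervals, and dates are constructed and hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ControlMonitoringPlan:
    control: str
    drivers: dict[str, int]    # frequency drivers, each an interval in days
    last_assessed: date
    last_result: str = "pass"  # "pass" or "fail" from the most recent assessment


def effective_interval_days(drivers: dict[str, int]) -> int:
    """The most stringent driver wins: the Tier 1 policy sets an upper bound,
    Tier 2 program requirements may tighten it, and Tier 3 factors such as
    control volatility or threat information may tighten it further."""
    if not drivers:
        raise ValueError("every control needs at least one frequency driver")
    return min(drivers.values())


def next_due(plan: ControlMonitoringPlan) -> date:
    return plan.last_assessed + timedelta(days=effective_interval_days(plan.drivers))


def schedule(plans: list[ControlMonitoringPlan], as_of: date) -> list[dict]:
    """Status of every control as of a reporting date, earliest due first."""
    rows = []
    for p in plans:
        due = next_due(p)
        if due < as_of:
            status = "overdue"
        elif due == as_of:
            status = "due"
        else:
            status = "current"
        rows.append({
            "control": p.control,
            "interval_days": effective_interval_days(p.drivers),
            "binding_driver": min(p.drivers, key=p.drivers.get),  # which tier set the pace
            "last_assessed": p.last_assessed,
            "due": due,
            "status": status,
            "last_result": p.last_result,
        })
    rows.sort(key=lambda r: (r["due"], r["control"]))
    return rows


def controls_needing_attention(rows: list[dict]) -> list[str]:
    """Input to the POA&M: controls that are due or overdue, or that last failed."""
    return sorted(r["control"] for r in rows
                  if r["status"] != "current" or r["last_result"] != "pass")


# Constructed sample: hypothetical controls, drivers, and dates.
SAMPLE_PLANS = [
    ControlMonitoringPlan("AC-2", {"tier1_policy": 365, "tier2_program": 180,
                                   "tier3_volatility": 90}, date(2024, 1, 15)),
    ControlMonitoringPlan("CM-6", {"tier1_policy": 365, "tier2_program": 90,
                                   "tier3_automated_scan": 7}, date(2024, 4, 28)),
    ControlMonitoringPlan("CM-8", {"tier1_policy": 365, "tier2_program": 30},
                          date(2024, 4, 1), last_result="fail"),
    ControlMonitoringPlan("PE-3", {"tier1_policy": 365}, date(2023, 12, 1)),
]
REPORT_DATE = date(2024, 5, 1)  # constructed reporting date

if __name__ == "__main__":
    rows = schedule(SAMPLE_PLANS, REPORT_DATE)
    for row in rows:
        print(f"{row['control']:<5} every {row['interval_days']:>3}d "
              f"({row['binding_driver']}) due {row['due']} {row['status']}")
    print("POA&M candidates:", controls_needing_attention(rows))
```

Recording which driver was binding is deliberate: when a Tier 1 policy or a Tier 2 program frequency changes, only the controls whose pace that driver set need their schedule recomputed, and a control that is overdue because of a system-specific driver is a system-owner problem rather than a program-wide one.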

ISCM Program Assessment


As you learned earlier in this course, NIST SP 800-137 provides guidance on the development
and implementation of an ISCM program. To assess the effectiveness of an ISCM program, NIST
provides guidance in NIST SP 800-137A, Assessing ISCM Programs: Developing an ISCM Program
Assessment. NIST SP 800-137A offers an overall process for ISCM program assessment, including the
value an organization should get from conducting an assessment, the steps involved, and the elements
of an assessment.




Review Activity
Review Activity 2
Identify the step each statement describes. Select the best response. Check your answer in the
Answer Key at the end of this Student Guide.

Statement 1 of 4. Given the ISCM process, in this step security-related information required for
metrics, assessments, and reporting is collected and, where possible, the collection, analysis, and
reporting of data is automated.

 Step 1: Define an ISCM strategy
 Step 2: Establish an ISCM program
 Step 3: Implement an ISCM program
 Step 4: Analyze data and Report findings
 Step 5: Respond to findings
 Step 6: Review and Update the monitoring program

Statement 2 of 4. Given the ISCM process, in this step adjusting the ISCM strategy and maturing
measurement capabilities to increase visibility into assets and awareness of vulnerabilities further
enable data-driven control of the security of an organization’s information infrastructure and
increase organizational resilience.

 Step 1: Define an ISCM strategy
 Step 2: Establish an ISCM program
 Step 3: Implement an ISCM program
 Step 4: Analyze data and Report findings
 Step 5: Respond to findings
 Step 6: Review and Update the monitoring program

Statement 3 of 4. Given the ISCM process, in this step the metrics, status monitoring frequencies,
control assessment frequencies, and an ISCM technical architecture are determined.

 Step 1: Define an ISCM strategy
 Step 2: Establish an ISCM program
 Step 3: Implement an ISCM program
 Step 4: Analyze data and Report findings
 Step 5: Respond to findings
 Step 6: Review and Update the monitoring program

Statement 4 of 4. Given the ISCM process, in this step the ISCM strategy is developed based on risk
tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat
information, and mission/business impacts.

 Step 1: Define an ISCM strategy
 Step 2: Establish an ISCM program
 Step 3: Implement an ISCM program
 Step 4: Analyze data and Report findings
 Step 5: Respond to findings
 Step 6: Review and Update the monitoring program




Lesson 4: Security Configuration Management

Introduction
Objectives
Changes to an information system’s configuration are often needed to stay up to date with changing
business functions and services, and information security needs. These changes can adversely
impact the previously established security posture. That’s why effective configuration management
is vital to the establishment and maintenance of security for information and information systems.

In this lesson, you will examine how configuration management controls enable continuous
monitoring of information systems.

Here are the lesson objectives.

• Describe how configuration management controls enable continuous monitoring
o Recognize the role of security-focused configuration management (SecCM) in risk
management
o Differentiate the four phases of security configuration management (SecCM)
o Identify configuration management controls in support of continuous monitoring
o Identify the role of the patch management process in security-focused configuration
management (SecCM)

Why Configuration Management Is Needed


Configuration Management Overview
Information systems are composed of many interconnected components in multiple ways to meet a
variety of business, mission, and information security needs. How these information system (IS)
components are networked, configured, and managed is critical in providing adequate information
security and supporting an organization’s risk management process. The configuration management
(CM) process ensures that the protection features are implemented and maintained on the system.
The CM process includes a formal change control process for all security-relevant aspects of the IS.

IS Changes
An IS typically is in a constant state of change in response to new, enhanced, corrected, or updated
hardware and software capabilities. IS change also occurs when patches for correcting software flaws
and other errors in existing components are implemented. New security threats and changing
business functions can also require IS changes.

Implementing IS changes almost always results in some adjustment to the system configuration. To
ensure that the required adjustments to the system configuration do not adversely affect the
security of the information system or the organization from operation of the information system, a
well-defined CM process that integrates information security is needed. CM is applied to establish
baselines and for tracking, controlling, and management of many aspects of business development
and operations (for example, products, services, manufacturing, business processes, and information
technology).

NIST Special Publication 800-137A provides a three-step traceability chain to focus system CM on
security. First, there should be an organization-wide policy. Next, there should be procedures for
security-focused CM. Finally, those procedures must be followed.

Review Activity
Review Activity 1
Which of the following are security-focused configuration management (SecCM) roles in risk
management?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

 Ensuring that adjustments to the system configuration do not adversely affect the security of
the information system
 Establishing configuration baselines and tracking, controlling, and managing aspects of
business development
 Ensuring that adjustments to the system configuration do not adversely affect the
organization’s operations
 Establishing a firm schedule for security patch updates every six months

Four Phases of Security Configuration Management


What is SecCM?
Security-focused configuration management (SecCM) is the management and control of
configurations for information systems. SecCM enables security and facilitates the management of
information security risk. There are four phases in SecCM:

• Planning
• Identifying and Implementing Configurations
• Controlling Configuration Changes
• Monitoring

Planning
The Planning Phase involves developing policy and procedures for the baseline configuration and
subsequent configuration changes. Industry is not required to have a formal Change Control
Board; however, contractors must still document their change control process. The policies and
procedures address:

• Implementation of SecCM plans
• Integration into existing security program plans
• Configuration Control Boards (CCBs)
• Configuration change control processes
• Tools and technology
• Use of common secure configurations and baseline configurations
• Monitoring
• Metrics for compliance

A Baseline Configuration is a set of specifications for a system, or for configuration items (CIs) within
a system, that has been formally reviewed and agreed on at a given point in time, and which can
be changed only through change control procedures. It serves as a basis for future builds,
releases, and/or changes to information systems. The documentation includes information about
information system components, such as the standard software packages installed on
workstations, notebook computers, servers, network components, or mobile devices. It specifies
current version numbers and patch information on operating systems and applications, and
configuration settings/parameters. The baseline configuration details the network topology and
the logical placement of those components within the system architecture. Baseline
configurations of information systems reflect the current enterprise architecture. This requires
creating new baselines as organizational information systems change over time.

Identifying and Implementing Configurations


After the planning and preparation activities are completed, a secure baseline configuration for
the information system is developed, reviewed, approved, and implemented. The approved
baseline configuration for an information system and associated components represents the
most secure state consistent with operational requirements and constraints. For a typical
information system, the secure baseline may address configuration settings, software loads,
patch levels, how the information system is physically or logically arranged, how various security
controls are implemented, and documentation. Where possible, automation is used to enable
interoperability of tools and uniformity of baseline configurations across the information system.

Controlling Configuration Changes


In phase 3, Controlling Configuration Changes, emphasis is put on the management of change to
maintain the secure, approved baseline of the information system. Changes are formally
identified, proposed, reviewed, analyzed for security impact, tested, and approved prior to
implementation. Impact analyses ensure changes have been implemented as approved and
determine whether there are any unanticipated effects of the change on existing security
controls. In this phase, a variety of access restrictions for change are employed, including:

• Access controls (e.g., privileged access and what type of change is permitted)
• Process automation
• Abstract layers
• Change windows
• Verification and audit activities

Monitoring
Monitoring activities in Phase 4 of SecCM are used as the mechanism to validate that the
information system is adhering to organizational policies, procedures, and the approved secure
baseline configuration. Monitoring identifies undiscovered/undocumented system components,
misconfigurations, vulnerabilities, and unauthorized changes. It also facilitates situational
awareness and documents deviations. All of these, if not addressed, can expose organizations to
increased risk. SecCM monitoring is done through assessment and reporting activities. Reports
address the secure state of individual information system configurations and are used as input to
Risk Management Framework information security continuous monitoring requirements.

CM Policies and Procedures


The System Security Plan (SSP), or your organization’s equivalent of the system security plan,
describes the CM procedures and the documentation process for changes to any IS hardware, software,
and security documentation. The ISSM, with the assistance of the ISSO if one is designated, is responsible
for authorizing all security-relevant baseline changes to the applicable IS profile(s), including
hardware, software, procedures, reports, and audit records.

The ISSO supports the organization’s ISCM program by assisting the ISO in completing ISCM
responsibilities and by participating in the configuration management process.

Local policies define the security settings associated with user activities conducted within the
computer system. Through local policies, activities are recorded in the audit log, user rights are
granted, and specific operating system (OS) security parameters are defined. These parameters
include digital signatures, guest accounts, secure channel encryption, and access to network
resources.




Review Activity
Review Activity 2
Identify the SecCM phase for each activity description. Select the best response. Check your answer in
the Answer Key at the end of this Student Guide.

Description 1 of 4. In this phase, a variety of access restrictions for change are employed.

 Phase 1
 Phase 2
 Phase 3
 Phase 4

Description 2 of 4. In this phase, activities focus on validating that the IS adheres to the policies,
procedures, and approved baseline configuration.

 Phase 1
 Phase 2
 Phase 3
 Phase 4

Description 3 of 4. In this phase, activities address configuration settings, software loads, patch
levels, how the IS is arranged, and how various security controls are implemented.

 Phase 1
 Phase 2
 Phase 3
 Phase 4

Description 4 of 4. In this phase, activities involve developing policy and procedures including
implementation plans, change control processes, and metrics for compliance, to name a few.

 Phase 1
 Phase 2
 Phase 3
 Phase 4




Configuration Management Controls


CM Controls for Continuous Monitoring
NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems
and Organizations, details CM controls in support of continuous monitoring of information systems
and organizations. This continuous monitoring determines the ongoing effectiveness of controls,
changes in information systems and environments of operation, and the state of security and privacy
organization wide.

Security controls address both security functionality and security assurance. CM controls supporting
continuous monitoring include:

• CM-1 Policy and Procedures
• CM-2 Baseline Configuration
• CM-3 Configuration Change Control
• CM-4 Impact Analyses
• CM-5 Access Restrictions for Change
• CM-6 Configuration Settings
• CM-7 Least Functionality
• CM-8 System Component Inventory
• CM-9 Configuration Management Plan (CMP)
• CM-10 Software Usage Restrictions
• CM-11 User-Installed Software
• CM-12 Information Location
• CM-13 Data Action Mapping
• CM-14 Signed Components

CM-1 Policy and Procedures


This control addresses:

• Purpose, scope, roles, responsibilities
• Management commitment
• Coordination among organizational entities
• Compliance
• Procedures to facilitate the implementation of CM controls

It is consistent with:

• Applicable laws, executive orders, directives, regulations, policies, standards, and
guidelines
• Procedures to facilitate the implementation of the configuration management policy and
the associated configuration management controls

The organizational risk management strategy is a key factor in establishing policy and
procedures.

CM-2 Baseline Configuration


This control establishes baseline configurations for operational information systems and system
components, including communications and connectivity-related aspects of systems.

• It includes information about IS components (e.g., standard software packages installed
on workstations, notebook computers, servers, network components, or mobile devices;
current version numbers and patch information on operating systems and applications;
and configuration settings/parameters)
• It serves as a basis for future builds, releases, or changes to systems and includes:
o Security and privacy control implementations
o Operational procedures
o Information about system components
o Network topology
o Logical placement of components in the system architecture
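The Monitoring phase of SecCM (Phase 4 above) and the CM-2 baseline just described meet in a drift check: the observed state of a system is compared with its approved baseline and every deviation is classified. The following Python is an added example written for this guide, not NIST, CDSE, or product code; the baseline and the observed state are constructed samples, and the component names, versions, settings, and ports are hypothetical. It reports undocumented and missing components, version drift (and whether the observed version is older or newer than the baseline), settings that differ from the approved value, and listening ports the baseline does not authorize, then rolls the findings up into per-category counts for status reporting.

```python
"""Compare an observed system state against its approved baseline configuration
and report the deviations that SecCM monitoring is meant to surface.

Added example for this guide; not part of the NIST or CDSE material. The
baseline and observed state are constructed samples; component names,
versions, settings, and ports are hypothetical.
"""
import re

# Approved baseline (constructed): what CM-2 documents for this system.
BASELINE = {
    "software": {"openssh-server": "9.6p1", "openssl": "3.0.13", "auditd": "3.1.2"},
    "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "audit.enabled": "1"},
    "listening_ports": {22, 443},
}

# Observed state (constructed), as an inventory or scan tool would report it.
OBSERVED = {
    "software": {"openssh-server": "9.6p1", "openssl": "3.0.11",   # older than baseline
                 "auditd": "3.1.2", "netcat": "1.226"},           # not in the baseline
    "settings": {"PermitRootLogin": "yes",                        # misconfiguration
                 "PasswordAuthentication": "no", "audit.enabled": "1"},
    "listening_ports": {22, 443, 8080},                           # unauthorized service
}


def version_key(version):
    """Sortable key for version strings such as '3.0.13' or '9.6p1':
    numeric runs compare as integers, letter runs as text."""
    return [(0, int(part)) if part.isdigit() else (1, part)
            for part in re.findall(r"\d+|[A-Za-z]+", version)]


def detect_drift(baseline, observed):
    """Return every deviation of the observed state from the approved baseline."""
    findings = []
    base_sw, obs_sw = baseline["software"], observed["software"]
    for name in sorted(set(base_sw) | set(obs_sw)):
        if name not in base_sw:
            findings.append({"category": "undocumented_component", "item": name,
                             "expected": None, "observed": obs_sw[name]})
        elif name not in obs_sw:
            findings.append({"category": "missing_component", "item": name,
                             "expected": base_sw[name], "observed": None})
        elif base_sw[name] != obs_sw[name]:
            older = version_key(obs_sw[name]) < version_key(base_sw[name])
            findings.append({"category": "version_drift", "item": name,
                             "expected": base_sw[name], "observed": obs_sw[name],
                             "direction": "older" if older else "newer"})

    base_cfg, obs_cfg = baseline["settings"], observed["settings"]
    for key in sorted(base_cfg):
        if key not in obs_cfg:
            findings.append({"category": "missing_setting", "item": key,
                             "expected": base_cfg[key], "observed": None})
        elif obs_cfg[key] != base_cfg[key]:
            findings.append({"category": "misconfiguration", "item": key,
                             "expected": base_cfg[key], "observed": obs_cfg[key]})

    for port in sorted(observed["listening_ports"] - baseline["listening_ports"]):
        findings.append({"category": "unauthorized_port", "item": port,
                         "expected": None, "observed": "listening"})
    return findings


def summarize(findings):
    """Counts per category: the numbers that roll up into status reporting."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    drift = detect_drift(BASELINE, OBSERVED)
    for f in drift:
        print(f"{f['category']:<24} {f['item']!s:<24} expected={f['expected']} "
              f"observed={f['observed']}" + (f" ({f['direction']})" if "direction" in f else ""))
    print(summarize(drift))
```

An "older" version, an undocumented component, or an unauthorized port is a candidate unauthorized change for the change control process (CM-3); a "newer" version usually means an approved update was applied and the baseline itself is stale, which is the case the CM-2 text covers by creating a new baseline through change control rather than by reverting the system.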

CM-3 Configuration Change Control


This control involves the systematic proposal, justification, implementation, testing, review, and
disposition of changes to the systems, including system upgrades and modifications. The
Configuration Control Board (CCB) is the establishment of—and charter for—a group of qualified
people with responsibility for the process of controlling and approving changes throughout the
development and operational lifecycle of products and systems. This may also be referred to as a
change control board.

Configuration change control covers changes to baseline configurations for components and
configuration items of information systems, changes to operational procedures, changes to
configuration settings for system components, changes made to remediate vulnerabilities, and
unscheduled or unauthorized changes. Auditing of changes takes place both before and after
changes are made.




CM-4 Impact Analyses


Analyzes changes to the IS to determine potential security impacts prior to change
implementation. The analysis may include:

• Reviewing security plans and system design documentation for control implementation
and how specific changes might affect the controls
• Assessing the risk of the change to understand the impact
• Determining if additional controls are needed

It is performed by organizational personnel with information security responsibilities (e.g.,
Information System Administrators, Information System Security Officers, Information System
Security Managers, and Information System Security Engineers).

CM-5 Access Restrictions for Change

This control:

• Defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the system
• Includes physical and logical access controls, workflow automation, media libraries, abstraction layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during specified times)
• Supports auditing of the enforcement actions
• Ensures that only qualified and authorized individuals are permitted to initiate changes in the system

CM-6 Configuration Settings

This control applies to the parameters that can be changed in hardware, software, or firmware components that affect the security and privacy posture or functionality of the system. Security-related parameters include:

• Registry settings
• Account, file, and directory permission settings
• Settings for functions, ports, protocols, services, and remote connections
• Configuration settings for mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications
• Privacy parameters (which impact the privacy posture of systems), including settings for access controls, data processing preferences, and processing and retention permissions

Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.

CM-7 Least Functionality

This control configures the system to provide only organization-defined mission-essential capabilities, to limit risk. It prohibits or restricts the use of ports, protocols, and services in accordance with Ports, Protocols, and Services Management (PPSM). PPSM standardizes procedures to catalog, regulate, and control the use and management of protocols in the Internet protocol suite and associated ports (also known as protocols, data services, and associated ports, or ports, protocols, and services). This can also be referred to as PPS on DOD information networks (DODIN), including the connected information systems, platform IT systems, platform IT (PIT), and products, based on the potential that unregulated PPS can damage DOD operations and interests. It applies to all PPS used throughout planned, newly developed, acquired, and existing DODIN (whether used internal or external to the enclave), which include DOD IT.

Organizations determine which functions and services are candidates for:

• Removing unused or unnecessary software
• Disabling unused or unnecessary physical and logical ports/protocols (e.g., USB, FTP, and HTTP)

The purpose is to prevent unauthorized connection of components, unauthorized transfer of information, and tunneling.

Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protection technologies such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

CM-8 Information System Component Inventory

This control is to:

• A. Develop an inventory of the system components that:
  o Accurately reflects the system
  o Includes all components within the system
  o Does not include duplicate accounting of components assigned to any other system
  o Is at the level of granularity deemed necessary for tracking and reporting
  o Includes organization-defined information deemed necessary to achieve effective system accountability
• B. Review and update the system component inventory

The organization can employ automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system, and take the following actions when unauthorized components are detected:

• Disable network access by such components
• Isolate the components
• Notify designated personnel
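The automated checks that CM-2, CM-6, CM-7, and CM-8 describe, as an added example (not code from the CDSE guide or from any DOD tool): a constructed host snapshot is compared against a constructed approved baseline, and every unauthorized component, drifted setting, stale patch level, or listening service outside the approved PPS list is reported as a finding tagged with its control. The baseline contents, component names, and version strings are all assumptions made for the example.

```python
"""Baseline drift check covering CM-2/CM-8 (component inventory), CM-6 (settings)
and CM-7 (ports, protocols, services). All data below is constructed for the
example; a real run would feed it from the organization's CM tooling."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Approved configuration baseline for one system (CM-2)."""
    software: dict[str, str]          # component -> approved version (CM-8 inventory)
    settings: dict[str, str]          # security-related parameter -> required value (CM-6)
    allowed_services: frozenset[tuple[str, int]]  # (protocol, port) pairs approved under PPSM (CM-7)


@dataclass(frozen=True)
class Finding:
    control: str   # which CM control the drift falls under
    item: str      # component, parameter, or protocol/port
    detail: str


def _version_key(version: str) -> tuple[int, ...]:
    """Split '1.9.15' into (1, 9, 15) so versions compare numerically, not as text.
    Non-numeric parts count as 0, which is adequate for the constructed sample."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def check_snapshot(baseline: Baseline, snapshot: dict) -> list[Finding]:
    """Compare a current host snapshot with its baseline; an empty list means compliant.

    snapshot = {"software": {name: version}, "settings": {param: value},
                "listening": [(protocol, port), ...]}"""
    findings: list[Finding] = []

    # CM-8: every installed component must be in the inventory; CM-2: at the approved version.
    for name, version in snapshot["software"].items():
        approved = baseline.software.get(name)
        if approved is None:
            findings.append(Finding("CM-8", name, f"unauthorized component (version {version})"))
        elif version != approved:
            behind = _version_key(version) < _version_key(approved)
            state = "behind approved patch level" if behind else "ahead of baseline (unapproved change)"
            findings.append(Finding("CM-2", name, f"version {version} is {state} {approved}"))
    for name in baseline.software:
        if name not in snapshot["software"]:
            findings.append(Finding("CM-8", name, "baseline component missing"))

    # CM-6: every security-related parameter must hold its baseline value.
    for param, required in baseline.settings.items():
        actual = snapshot["settings"].get(param)
        if actual is None:
            findings.append(Finding("CM-6", param, f"not set; baseline requires {required!r}"))
        elif actual != required:
            findings.append(Finding("CM-6", param, f"is {actual!r}; baseline requires {required!r}"))

    # CM-7: anything listening outside the approved PPS list is a prohibited service.
    for proto, port in snapshot["listening"]:
        if (proto, port) not in baseline.allowed_services:
            findings.append(Finding("CM-7", f"{proto}/{port}", "listening service not on the approved PPS list"))
    return findings


# Constructed sample baseline and snapshot (not real system data).
EXAMPLE_BASELINE = Baseline(
    software={"openssh-server": "9.6.3", "sudo": "1.9.15", "auditd": "3.1.2"},
    settings={"PermitRootLogin": "no", "PasswordAuthentication": "no", "MaxAuthTries": "4"},
    allowed_services=frozenset({("tcp", 22), ("tcp", 443)}),
)
EXAMPLE_SNAPSHOT = {
    "software": {"openssh-server": "9.6.3", "sudo": "1.9.12", "auditd": "3.1.2", "telnetd": "0.17"},
    "settings": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    "listening": [("tcp", 22), ("tcp", 23), ("udp", 161)],
}

if __name__ == "__main__":
    for f in check_snapshot(EXAMPLE_BASELINE, EXAMPLE_SNAPSHOT):
        print(f"{f.control:5} {f.item:24} {f.detail}")
```

The sample run yields six findings: one stale patch level (CM-2), one unauthorized component (CM-8), two setting drifts (CM-6), and two listening services outside the approved list (CM-7); each is the kind of event the control text says should feed the change control and notification process.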

CM-9 Configuration Management Plan (CMP)

The CMP is generated during the development and acquisition phase of the system development life cycle. CM activities occur throughout the system development life cycle. CMPs define processes and procedures for how configuration management is used to support system development life cycle activities. A CMP is developed, documented, and implemented for the system that:

• Addresses roles, responsibilities, and configuration management processes and procedures
• Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items
• Defines the configuration items for the system and places the configuration items under configuration management
• Is reviewed and approved by organization-defined personnel or roles
• Protects the configuration management plan from unauthorized disclosure and modification

There are two types of CM activities:

• Developmental CM activities, such as the control of code and software libraries
• Operational CM activities, such as control of installed components and how the components are configured

CM-10 Software Usage Restrictions

This control ensures that software use:

• Complies with contract agreements and copyright laws
• Tracks usage of software and associated documentation protected by quantity licenses to control copying and distribution; and
• Controls and documents the use of peer-to-peer file sharing technology to prevent unauthorized distribution, display, performance, or reproduction of copyrighted work.

The organization can impose restrictions on open-source software.

CM-10(1): From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. However, remediating vulnerabilities in open-source software may be problematic, and there are also various licensing issues associated with open-source software, including, for example, the constraints on derivative use of such software.

CM-11 User-Installed Software

This control establishes governance over installation of software by users, enforces software installation policies through identified methods, and monitors policy compliance at a defined frequency.

Permitted software installations may include updates and security patches to existing software and downloading new applications from organization-approved “app stores.”

Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity.

Policy enforcement methods include:

• Procedural methods (e.g., periodic examination of user accounts)
• Automated methods (e.g., configuration settings implemented on organizational information systems), or both

Organizations should identify permitted and prohibited actions regarding software installation. Control enhancements can include alerts for unauthorized installations and prohibiting installation without privileged status.

CM-12 Information Location

• Identify and document the location of organization-defined information and the specific system components on which the information is processed and stored.
• Identify and document the users who have access to the system and system components where the information is processed and stored.
• Document changes to the location (i.e., system or system components) where the information is processed and stored.


CM-13 Data Action Mapping

Develop and document a map of system data actions. Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generation, transformation, use, disclosure, retention, and disposal.

CM-14 Signed Components

Prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates.

Review Activity
Review Activity 3
For each question, select the best response. Check your answer in the Answer Key at the end of this Student Guide.

Question 1 of 4: This control includes physical and logical access controls and supports auditing of the enforcement actions. Only qualified and authorized individuals are permitted to initiate changes in the system.

 Configuration Change Control
 Access Restrictions for Change
 Configuration Settings
 Least Functionality
 Software Usage Restrictions
 User-Installed Software

Question 2 of 4: This control ensures that software use complies with contract agreements and copyright laws, tracks usage, and documents the use of peer-to-peer file sharing technology to prevent unauthorized distribution, display, performance, or reproduction of copyrighted work.

 Configuration Change Control
 Access Restrictions for Change
 Configuration Settings
 Least Functionality
 Software Usage Restrictions
 User-Installed Software

Question 3 of 4: This control involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications.

 Configuration Change Control
 Access Restrictions for Change
 Configuration Settings
 Least Functionality
 Software Usage Restrictions
 User-Installed Software

Question 4 of 4: This control applies to the parameters that can be changed in hardware, software, or firmware components that affect the security and privacy posture or functionality of the system, including registry settings, account/directory permission settings, and settings for functions, ports, and protocols.

 Configuration Change Control
 Access Restrictions for Change
 Configuration Settings
 Least Functionality
 Software Usage Restrictions
 User-Installed Software

Patch Management
Why Do We Need Patches?
As many as 85 percent of targeted attacks are preventable! Why? Cyber threat actors continue to exploit unpatched software to conduct attacks against critical infrastructure and organizations.

Patch Management defines how patches are prioritized and approved through the configuration change control process. Patches are tested for their impact on existing secure configurations and integrated into updates to approved baseline configurations. Recall that the Access Restrictions for Change control limits privileges to users with a verified certificate to implement patches.

It is important that IT operations and maintenance staff who support the IS are active participants in the configuration change control process and are aware of their responsibility for following it. If significant business process reengineering is needed, updating a patch management process and training may be required.

Patch Management and SecCM

An organization’s patch management process is important in reducing vulnerabilities in an information system. It is integrated at a number of points within the four SecCM phases: Phase 1: Planning; Phase 2: Identifying and Implementing Configurations; Phase 3: Controlling Configuration Changes; and Phase 4: Monitoring.

This includes updating baseline configurations to the current patch level. Patch management in SecCM Phase 2 includes testing and approving patches as part of the configuration change control process. It also integrates with this phase in performing the Impact Analyses to ensure changes have been implemented properly and to determine whether there are any unanticipated effects of the change on existing security controls. Patch management is integral to SecCM Phase 4 in monitoring systems and components for current patch status.

Review Activity
Review Activity 4
Which phase of SecCM involves the management of change to maintain the secure, approved baseline of a system?

Select the best response. Check your answer in the Answer Key at the end of this Student Guide.

 Phase 1: Planning
 Phase 2: Identifying and Implementing Configurations
 Phase 3: Controlling Configuration Changes
 Phase 4: Monitoring


Lesson 5: Auditing and Log Reviews

Introduction
Objectives
An audit is an independent review and examination of records and activities to assess the adequacy of security controls identified in NIST 800-53. Audits ensure compliance with established policies and operational procedures.

In this lesson, you will examine how audit logs support continuous monitoring.

Here are the lesson objectives.

• Examine how audit logs support continuous monitoring
  o Identify audit requirements
  o Locate the Security Event Log on a computer
  o Define key information provided in an audit trail analysis

Audit Capability
What Is Security Auditing?
Security auditing involves recognizing, recording, storing, and analyzing information related to security-relevant activities.

Audit records are the individual entries in an audit log related to an audited event. They are used to determine what type of event occurred; when it occurred; where it occurred; the source of the event; the outcome of the event; and the identity of the individuals, subjects, or objects/entities associated with the event.

Audit trails are chronological records that reconstruct and examine the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to result.

In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications.

Audit trails, also known as audit logs, can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happen on a computer system), intrusion detection, and problem analysis. The audit log runs in a privileged mode, so it can access and supervise all actions from all users.

Audits – Operational Resilience

Audit logs are an important part of continuous monitoring and fundamental to operational resilience. As stated in DODI 8500.01, Cybersecurity policy on operational resilience, “…Attempts made to reconfigure, self-defend, and recover should produce an incident audit trail.”

Audit policy is also established in DODD 5205.16, The DOD Insider Threat Program. This policy states: It is DOD’s policy that through an integrated capability to monitor and audit information for insider threat detection and mitigation, the DOD Insider Threat Program will gather, integrate, review, assess, and respond to information derived from counterintelligence, security, cybersecurity, civilian and military personnel management, workplace violence, antiterrorism risk management, law enforcement, the monitoring of user activity on DOD information networks, and other sources as necessary and appropriate to identify, mitigate, and counter insider threats.

Operational Resilience
To ensure operational resilience, the DOD information technology will be planned, developed, tested, implemented, evaluated, and operated to ensure availability anytime, anywhere.

From DODI 8500.01, Cybersecurity:

3.b. Operational Resilience. DOD IT will be planned, developed, tested, implemented, evaluated, and operated to ensure that:

(1) Information and services are available to authorized users whenever and wherever required according to mission needs, priorities, and changing roles and responsibilities.

(2) Security posture, from individual device or software object to aggregated systems of systems, is sensed, correlated, and made visible to mission owners, network operators, and to the DOD Information Enterprise consistent with DODD 8000.01 (Reference (r)).

(3) Whenever possible, technology components (e.g., hardware and software) have the ability to reconfigure, optimize, self-defend, and recover with little or no human intervention. Attempts made to reconfigure, self-defend, and recover should produce an incident audit trail.

Audit Requirements in the NISPOM Rule

32 CFR 117.18 details audit requirements to ensure information system security. These requirements can be categorized into general requirements, information system security program requirements, and insider threat program requirements.

It is essential that contractor information systems are properly managed to protect against unauthorized disclosure of classified information. The contractor will use a risk-based approach and implement protective measures that include minimum standards for their insider threat program. Protective measures must align with guidance in the Federal Information Security Modernization Act.

Contractors must also maintain information system security programs that incorporate a risk-based set of management, operational, and technical security controls. The program must include policies and procedures to reduce information security risks to an acceptable level and that address information security throughout the full information system life cycle. The program must also address plans and procedures to manage data spills and compromises, including sanitization and recovery methods.

Finally, contractor information system security programs must address information system security training for authorized users. Under the NISPOM Rule, contractors must establish and maintain an insider threat program that addresses key components, such as user activity monitoring, information sharing procedures, continuous monitoring, and limiting user activity data to privileged users.

Audit Log Information

The audit log allows organization administrators to quickly review the actions performed by members of the organization. It includes details such as who performed the action, what the action was, and when it was performed. The Audit Log records activities by user accounts and is a routine tool for system security. The log provides records of such activities as:

• Unauthorized activity
• Access attempts
• Connections to specific resources
• Modifications to folders, files, and directories
• System events
• Password changes

You can define the activities recorded in the Audit Log in terms of successful or failed attempts at the specific user actions.

Event Logs
Event logs record observable occurrences in a system, such as password changes, failed logons or accesses, security or privacy attribute changes, and more. The types of events logged are significant and relevant to system security and individual privacy.

Whenever these types of events occur, Windows and other operating systems (OS) record the event. The Event Viewer tracks information in several different logs, including Application (program) events, security-related events, setup events, system events, and forwarded events. Once the system auditing options are set, the event logs will record events that occur on the computer system. An event is defined as an action that elicits a response from the programs, software, and applications residing within the computer system. Event logs can be filtered and should be archived. The filter option within Event Viewer can be used to analyze the event logs.

Note: This information is specific to Windows. Users of other operating systems should refer to their help guide.

Application (Program) Events

Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.


Security-Related Events
These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful.

Setup Events
Computers that are configured as domain controllers will have additional logs displayed here.

System Events
System events are logged by Windows and Windows system services, and are classified as error, warning, or information.

Forwarded Events
These events are forwarded to this log by other computers.

Security-Relevant Objects
Security-relevant objects and directories are part of all OSs but are not identified in the same way or may not reside in the same folders/directories. They include OS executables, OS configuration, system management and maintenance executables, audit data, and security-relevant software.

Security-relevant software includes, but is not limited to, virus protection software and definitions, clearing and sanitization software, and auditing and audit reduction software. It also includes password generators and trusted downloading process software (hex editors). Security-relevant software also includes maintenance and diagnostic software—that is, software that is capable of verifying system performance and/or configuration, software disconnect routines, and archived audit logs. Security-relevant objects must be protected and audited.

The primary purpose of audits is to promote user accountability. While DOD Component requirements may be different, the following requirements are recommended as a good baseline: conduct audit log reviews weekly and archive audit logs for a period of one year or one review cycle. Applicable laws, regulations, and policies may mandate a different period of retention.


Review Activity
Review Activity 1
Which of the following is an audit requirement in the NISP?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

 Audit records limited to user access log-on
 Systems are properly managed to protect against unauthorized disclosure of classified information
 A risk-based set of management, operational, and technical security controls
 Audit trails limited to network-level activity and applications
 Policies that address key components of the insider threat program

Locating the Event Logs – A Practical Exercise

Practical Exercise Overview
Though more and more critical systems within the DOD are using Linux, and the DOD has released its own secure flavor of the OS, for this exercise you will find and view the Security Event Log on a computer running Windows 11.

Instructions for finding the security event log in Windows 11:

Step 1: Select the Windows icon at the lower left of the screen.
Step 2: Type Event Viewer in the Search box.
Step 3: Expand the Windows Logs folder in the left pane by selecting the plus sign.
Notice there are 5 types of event logs set up on this computer.
Step 4: Select the Security event log in the left navigation pane.
Step 5: Double-click the first event to view the details.
Step 6: Examine the details for the selected event.


Review Activity 2
Which of the following correctly identifies the initial steps to find the security event log on a computer?

Select the best response. Check your answer in the Answer Key at the end of this Student Guide.

 Windows icon > Select Event Viewer > Security event log
 Windows icon > Type Event Viewer > Expand Windows Logs folder
 System and Security > Security event log > Event Viewer
 Event Viewer > Security event log > System and Security

Interpreting Audit Logs

Audit Trail Analysis
While your command may have different requirements, the NISPOM rule specifies the type of information that must be gathered and the standard events that must be audited when using automated auditing on a system. These automated audit trails must include enough information to determine the action, the date and time of the action, the system entity that initiated/completed the action, and the resources involved. They must include changes in user authentication; blocking of a user ID, terminal, or access port (and the reason); and denial of access for excessive logon attempts.

This information includes successful and unsuccessful logons and logoffs as well as unsuccessful accesses to security-relevant objects and directories. It also includes changes in user authentication and blocking of a user ID, terminal, or access port, with the reason. Automated audit trails also provide information on denial of access for excessive logon attempts. The NISPOM rule also requires that the contents of audit trails be protected against unauthorized access, modification, or deletion. The organization's System Security Plan (SSP) will define specific auditing requirements.

Audit Codes
There are many audit codes to help you interpret what was happening when an event occurred. Depending on your operating system, the audit codes may vary. Review the audit codes listed to familiarize yourself with these often-seen Windows audit codes.

• 4624 - successful logon
• 4625 - unsuccessful logons
• 4634 - successful logoff
• 4625 - account lockout
• 4657 - permissions error
• 4704/4705 - User right assigned/removed
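The audit trail analysis described above, as an added example (not code from the CDSE guide): a small set of constructed Security log rows is ordered chronologically, summarized by audit code, checked for the excessive-logon-attempt pattern the NISPOM rule requires auditing, and searched for user-right changes (4704/4705) that a reviewer would match against approved change records. The account names, addresses, timestamps, and the threshold of five failures in ten minutes are all assumptions made for the example.

```python
"""Audit trail review over constructed Windows Security log records, using the
event IDs listed in the guide (4624/4625/4634/4657/4704/4705). The rows are
invented for this example and stand in for an export of the Security event log."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event ID meanings as given in the guide's audit-code list.
EVENT_NAMES = {
    4624: "successful logon",
    4625: "unsuccessful logon",
    4634: "successful logoff",
    4657: "permissions error",
    4704: "user right assigned",
    4705: "user right removed",
}

# Constructed sample export: (TimeCreated, EventID, TargetUserName, IpAddress).
SAMPLE_ROWS = [
    ("2024-05-06T08:00:12", 4624, "asmith", "10.0.0.21"),
    ("2024-05-06T08:01:05", 4625, "jdoe", "10.0.0.55"),
    ("2024-05-06T08:01:09", 4625, "jdoe", "10.0.0.55"),
    ("2024-05-06T08:01:14", 4625, "jdoe", "10.0.0.55"),
    ("2024-05-06T08:01:20", 4625, "jdoe", "10.0.0.55"),
    ("2024-05-06T08:01:27", 4625, "jdoe", "10.0.0.55"),
    ("2024-05-06T08:02:40", 4624, "jdoe", "10.0.0.55"),
    ("2024-05-06T08:15:00", 4704, "svc_backup", "-"),
    ("2024-05-06T08:30:33", 4625, "asmith", "10.0.0.21"),
    ("2024-05-06T08:30:50", 4624, "asmith", "10.0.0.21"),
    ("2024-05-06T09:00:00", 4634, "jdoe", "10.0.0.55"),
]


@dataclass(frozen=True)
class AuditEvent:
    """The fields the NISPOM rule asks an audit record to carry: when, what, who, from where."""
    time: datetime
    event_id: int
    account: str
    source: str


def parse_rows(rows) -> list[AuditEvent]:
    """Build events from exported rows and order them chronologically, as an audit trail is read."""
    events = [AuditEvent(datetime.fromisoformat(t), eid, acct, src) for t, eid, acct, src in rows]
    return sorted(events, key=lambda e: e.time)


def event_summary(events: list[AuditEvent]) -> Counter:
    """Count events by their audit-code meaning for the weekly review."""
    return Counter(EVENT_NAMES.get(e.event_id, f"event {e.event_id}") for e in events)


def excessive_logon_failures(events, threshold=5, window=timedelta(minutes=10)) -> dict[str, dict]:
    """Flag accounts with `threshold` or more 4625 events inside any `window`.

    Also records whether a 4624 followed the burst within the window: a run of
    failures that ends in a success is the case a reviewer wants to see first."""
    failures: dict[str, list[AuditEvent]] = defaultdict(list)
    successes: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e.event_id == 4625:
            failures[e.account].append(e)
        elif e.event_id == 4624:
            successes[e.account].append(e.time)

    flagged = {}
    for account, fails in failures.items():
        for i, first in enumerate(fails):              # fails are already in time order
            burst = [f for f in fails[i:] if f.time - first.time <= window]
            if len(burst) >= threshold:
                last = burst[-1].time
                flagged[account] = {
                    "failures": len(burst),
                    "sources": sorted({f.source for f in burst}),
                    "success_after_burst": any(last <= t <= last + window for t in successes[account]),
                }
                break
    return flagged


def privilege_changes(events) -> list[tuple[datetime, str, str]]:
    """List user-right assignments/removals (4704/4705); each should match an approved change."""
    return [(e.time, e.account, EVENT_NAMES[e.event_id]) for e in events if e.event_id in (4704, 4705)]


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print(dict(event_summary(evs)))
    print(excessive_logon_failures(evs))
    print(privilege_changes(evs))
```

On the sample rows only jdoe is flagged (five failures in 22 seconds followed by a successful logon), while asmith's single failure before a success is ordinary behaviour and stays out of the report.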


Review Activity
Review Activity 3
Which of the following is key information provided in an audit trail analysis?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

 Successful and unsuccessful logons/logoffs
 Denial of access for excessive logon attempts
 Unsuccessful accesses to security-relevant objects and directories
 Changes in user authentication
 Blocking of a user ID, terminal, or access port (and the reason)


Lesson 6: Counterintelligence and Cybersecurity in Continuous Monitoring

Introduction
Objectives
Security vulnerabilities and threats are very real in today’s complex and interrelated environment. Threats come in many forms and may materialize in different ways. Some threats are found within your office. Others originate within foreign intelligence entities. Electronic threats may be carried out by hackers and cyber criminals. In addition, the increasing number of emerging threats can have severely adverse effects on operations, assets, and people.

In order to identify these threats and vulnerabilities, counterintelligence and cybersecurity personnel must work with system owners to employ continuous monitoring to facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions.

This lesson describes the importance of multiple security disciplines involved in continuous monitoring. It then identifies insider threat activities and how continuous monitoring ensures operational resilience as well as interoperability and reciprocity as mandated by DOD. The lesson concludes with best practices.

Here are the lesson objectives.

• Examine how counterintelligence and cybersecurity personnel support continuous monitoring
  o Describe the role of counterintelligence and cybersecurity in identifying threats to Government assets
  o Describe continuous monitoring capabilities for detecting threats and mitigating vulnerabilities
  o Recognize how continuous monitoring supports interoperability, operational resilience, and operational reciprocity

Why Multiple Security Disciplines Are Needed

Hardening the DOD Information Enterprise
Monitoring, analysis, and detection activities, including trend and pattern analysis, are performed by multiple disciplines in the Department of Defense. Continuous monitoring ensures detection of unauthorized activity that can include disruption, denial, degradation, destruction, exploitation, or access to computer networks, information systems or their contents, or theft of information. Cyberspace defense uses architectures, cybersecurity, intelligence, counterintelligence (CI), other security programs, law enforcement, and other military capabilities to harden the DOD Information Enterprise. Hardening DOD infrastructure ensures it is more resistant to penetration and disruption. It also strengthens the U.S. ability to respond to unauthorized activity and defend DOD information and networks against sophisticated and agile cyber threats. Cyberspace defense methods translate into quick recovery from cyber incidents.

What Threats and Vulnerabilities Does CM Detect?

DCSA counterintelligence and cybersecurity personnel support DOD Security Specialists and cleared industry to apply CM for the identification and mitigation of vulnerabilities and threats. While adversaries are interested in anything that will strengthen their advantage - whether it is a military, competitive, or economic advantage - technology assets are the greatest target.

So, what are key vulnerabilities and threats to investigate?

Vulnerabilities and Threats to Investigate

Security functionality that is highly resistant to penetration, tamper, and bypass requires a significant work factor on the part of adversaries to compromise the confidentiality, integrity, or availability of the information system or system components where that functionality is employed.

Vulnerabilities and threats that are investigated as part of your continuous monitoring role include:

• Actual or attempted unauthorized access
• Password cracking, key logging, encryption, hacking activities, and account masquerading
• Use of account credentials by unauthorized parties
• Tampering with or introducing unauthorized elements into information systems
• Unauthorized downloads or uploads of sensitive data; unexplained storage of encrypted data
• Unauthorized use of removable media or other transfer devices
• Downloading or installing non-approved computer applications
• Unauthorized email traffic to and from foreign destinations
• Denial of service attacks or suspicious network communications failures
• Data exfiltrated to unauthorized domains
• Unexplained user accounts
• Social engineering, electronic elicitation, email spoofing, or spear phishing


Trends – Suspicious Network Activity

When adversaries are able to collect enough information, they can piece it together and learn things
– even classified things – which have serious consequences for U.S. national security. Common
methods of suspicious network activity are cyber intrusion, viruses, malware, backdoor attacks,
acquisition of usernames and passwords, and similar targeting. Countermeasures to guard against
these collection methods include frequent audits, not relying on firewalls to protect against all
attacks, and reporting intrusion attempts and requests from unknown sources.

Organizations should implement effective logging and log management tools; employ security
controls to protect confidentiality, integrity, and availability of the system; apply least privilege
and separation of duties; and secure supply chain operations. Organizations should also disable or
uninstall unused or unnecessary operating system (OS) functionality, protocols, ports, and services,
and limit the software that can be installed and the functionality of that software.

Review Activities
Review Activity 1
Which of the following describe the role of counterintelligence and cybersecurity in identifying
threats to DOD assets?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

☐ Sharing and reporting unauthorized access attempts, denial of service attacks, exfiltrated
data, and other threats/vulnerabilities in a timely manner
☐ Monitoring and auditing on an annual basis
☐ Conducting trend analysis as part of the monitoring and detection activities
☐ Implementing cyberspace defenses to ensure DOD information systems and networks are
resistant to penetration and disruption

Review Activity 2
Which of the following are detectable threats and vulnerabilities that can be captured and mitigated
through continuous monitoring (CM) capabilities?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

☐ Unexplained storage of encrypted data
☐ Use of account credentials by unauthorized parties
☐ Hacked personal mobile phone directory
☐ Downloading or installing non-approved computer applications

Recognizing Possible Insider Threat Activities

What Does CM Disclose?
Audits and monitoring of information systems may disclose anomalous behaviors which may indicate
potential insider threats. Some of these activities may include evidence of logging onto a system at
strange hours or working hours inconsistent with job assignment. Printing or downloading of files
without permissions, or excessively even with permissions, could be an indicator of insider threat
activity. Attempts to gain access to unauthorized files or the removal of classification markings on
documents also pose an insider threat. Finally, transmission of information to foreign IP addresses,
unreported foreign contacts, and contact with a known or suspected intelligence officer also send
red flags. As a key component of the risk management framework, CM ensures operational resilience
whereby information resources are trustworthy, missions are ready for information resources
degradation or loss, and network operations have the means to prevail in the face of adverse events.
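The indicators above, and the list of vulnerabilities and threats to investigate earlier in this lesson, can be screened for automatically in audit data. The following Python script is an added example and is not part of the CDSE guide: it runs such checks over constructed audit records against a constructed policy (an approved-account inventory, assigned working hours, download and access-denial thresholds, and an approved-network allowlist that stands in for a foreign-IP check).

```python
"""Flag insider-threat indicators in audit records.

Added example (not CDSE material). The log lines, the policy values and the
record format "timestamp user event detail" are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records; not taken from any real system.
SAMPLE_AUDIT_LOG = """\
2024-05-06T09:05:00 jdoe LOGON workstation-12
2024-05-06T09:10:00 jdoe FILE_READ /projects/alpha/design.docx
2024-05-06T09:12:00 jdoe NET_CONNECT 10.20.30.40:445
2024-05-06T02:13:00 asmith LOGON workstation-07
2024-05-06T02:15:00 asmith FILE_ACCESS_DENIED /finance/payroll.xlsx
2024-05-06T02:16:00 asmith FILE_ACCESS_DENIED /finance/payroll.xlsx
2024-05-06T02:17:00 asmith FILE_ACCESS_DENIED /hr/clearances.xlsx
2024-05-06T02:20:00 asmith DOWNLOAD /projects/alpha/bom.csv
2024-05-06T02:21:00 asmith DOWNLOAD /projects/alpha/schematic.pdf
2024-05-06T02:22:00 asmith DOWNLOAD /projects/alpha/test-plan.docx
2024-05-06T02:23:00 asmith DOWNLOAD /projects/beta/roadmap.pptx
2024-05-06T02:24:00 asmith DOWNLOAD /projects/beta/budget.xlsx
2024-05-06T02:25:00 asmith DOWNLOAD /projects/beta/vendors.csv
2024-05-06T02:40:00 asmith NET_CONNECT 203.0.113.45:443
2024-05-06T10:00:00 svc_tmp9 LOGON server-03
"""

# Constructed policy (assumed values). It mirrors the guide's indicators:
# logons outside assigned hours, excessive downloads, repeated attempts on
# unauthorized files, traffic to unapproved addresses, unexplained accounts.
POLICY = {
    "approved_accounts": {"jdoe", "asmith"},
    "work_hours": {"jdoe": (8, 18), "asmith": (8, 18)},  # local hour, [start, end)
    "download_threshold": 5,   # downloads per user per calendar day
    "denied_threshold": 3,     # access-denied events per user per calendar day
    "approved_networks": [ipaddress.ip_network("10.0.0.0/8")],
}


def parse_record(line):
    """Split one audit line into (timestamp, user, event, detail)."""
    ts, user, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, detail


def find_indicators(log_text, policy):
    """Return a sorted list of (user, indicator, detail) tuples found in the log.

    Counting indicators (downloads, denials) are keyed per user per calendar
    day so a single noisy session cannot hide inside a long retention window.
    """
    findings = set()
    downloads = defaultdict(int)
    denials = defaultdict(int)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = parse_record(line)
        day_key = (user, ts.date())

        # Unexplained user account: not in the approved account inventory.
        if user not in policy["approved_accounts"]:
            findings.add((user, "UNEXPLAINED_ACCOUNT", detail))

        # Logon outside the hours consistent with the user's job assignment.
        if event == "LOGON" and user in policy["work_hours"]:
            start, end = policy["work_hours"][user]
            if not start <= ts.hour < end:
                findings.add((user, "OFF_HOURS_LOGON", ts.isoformat()))

        # Excessive downloading, even when each access was individually permitted.
        if event == "DOWNLOAD":
            downloads[day_key] += 1
            if downloads[day_key] == policy["download_threshold"]:
                findings.add((user, "EXCESSIVE_DOWNLOADS", str(ts.date())))

        # Repeated attempts to reach files the user is not authorized for.
        if event == "FILE_ACCESS_DENIED":
            denials[day_key] += 1
            if denials[day_key] == policy["denied_threshold"]:
                findings.add((user, "UNAUTHORIZED_FILE_ATTEMPTS", str(ts.date())))

        # Transmission to an address outside the approved networks. A real
        # deployment would add geolocation or domain reputation here; this
        # example only checks the allowlist.
        if event == "NET_CONNECT":
            addr = ipaddress.ip_address(detail.rsplit(":", 1)[0])
            if not any(addr in net for net in policy["approved_networks"]):
                findings.add((user, "UNAPPROVED_DESTINATION", str(addr)))

    return sorted(findings)


if __name__ == "__main__":
    for user, indicator, detail in find_indicators(SAMPLE_AUDIT_LOG, POLICY):
        print(f"{user:10} {indicator:28} {detail}")
```

Each finding is a lead for the analyst and the counterintelligence reporting channel described in this lesson, not a verdict on its own.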

Cybersecurity Reciprocity
DOD will establish and maintain a continuous monitoring capability that provides cohesive
collection, transmission, storage, aggregation, and presentation of data that conveys current
operational status to affected DOD stakeholders. DOD Components will achieve cohesion through
using the common continuous monitoring framework, lexicon, and workflow as specified in NIST SP
800-137.

Integration and interoperability of DOD IT is managed to minimize shared risk. This is achieved by
ensuring that the security posture of one system is not undermined by vulnerabilities of
interconnected systems; by full integration of cybersecurity into system life cycles as a visible element
of DOD Component IT portfolios; and through adherence to DOD architecture principles, adopting a
standards-based approach, and sharing the level of risk necessary to achieve mission success.

Cybersecurity products, such as firewalls, file integrity checkers, virus scanners, intrusion detection
systems, and anti-malware software, should operate in a net-centric manner to enhance the
exchange of data and shared security policies.

Insight and oversight include measuring, reviewing, verifying, monitoring, facilitating, and
remediating. Effective insight and oversight depend on three conditions implemented across DOD:
coordinated and consistent implementation, organization direction, and a culture of accountability.
First, ensure coordinated and consistent cybersecurity implementation and reporting across all
organizations without impeding local missions. Next, organization direction includes organizational
mechanisms for establishing and communicating priorities and objectives, principles, policies,
standards, and performance measures. Finally, a culture of accountability aligns internal processes,
maintains accountability, and informs, makes, and follows through on decisions with implications for
cyberspace protection and defense.

The DOD CIO in partnership with the DOD Components define, collect, and report on strategic
cybersecurity metrics.

In turn, integration and interoperability lead to cybersecurity reciprocity. This reciprocity ensures
that evidence of the security posture of an IS or platform information technology system is available,
so that an authorizing official from another organization can use that evidence to make credible,
risk-based decisions regarding the acceptance and use of systems and the information that they
process, store, or transmit.

Implementing Information Systems Security Aspects of Configuration Management
Although there is no one-size-fits-all approach to SecCM, there are practices that organizations can
consider when developing and deploying secure configurations. These practices can serve to detect
and deter possible insider threat activities. NIST SP 800-128, Appendix F, provides a list of best
practices to reduce risks to information systems and information technology. These include:

• Use Common Secure Configurations for Settings
• Control Software Installation
• Centralize Policy and Common Secure Configurations for Configuration Settings
• Tailor Secure Configurations according to System/Component Function and Role
• Eliminate Unnecessary Ports, Services, and Protocols (Least Functionality)
• Limit the Use of Remote Connections
• Develop Strong Password Policies
• Develop a Patch Management Process
• Implement Endpoint Protection Platforms (EPPs)
• Use Cryptography

Implement Endpoint Protection Platforms (EPPs)

Endpoint Protection Platforms include:

• Anti-malware
• Personal Firewalls
• Host-based Intrusion Detection and Prevention System (IDPS)
• Restrict the use of mobile code

Use Cryptography
• In many systems, cryptography is considered to be part of the secure configuration of
the system. There are a variety of places to implement cryptography to protect data,
including individual file encryption, full disk encryption, Virtual Private Network
connections, etc.

• DODI 8500.01 mandates, “DOD will public key-enable DOD ISs and implement a DOD-
wide Public Key Infrastructure (PKI) solution.”
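Several of the practices listed above (least functionality, controlling software installation, limiting remote connections, strong password policies, and patch management) can be verified by comparing an observed host state against its approved baseline, which is the kind of check the Monitoring phase of SecCM relies on. The Python script below is an added example, not from NIST SP 800-128 or the CDSE guide; the baseline, the observed host state and the "YYYY.MM" patch-level format are constructed for illustration.

```python
"""Compare an observed host state with its approved secure configuration baseline.

Added example (not from NIST SP 800-128 or the CDSE guide). The baseline, the
observed state and the patch-level format "YYYY.MM" are constructed.
"""


def parse_patch_level(level):
    """Turn a constructed 'YYYY.MM' patch level into a comparable tuple."""
    year, month = level.split(".")
    return (int(year), int(month))


# Constructed approved baseline for a hypothetical workstation role. Each key
# is annotated with the SecCM practice it enforces.
BASELINE = {
    "allowed_listening_ports": {22, 443},                      # least functionality
    "allowed_packages": {"openssh-server", "nginx", "clamav"},  # control software installation
    "remote_access": {"ssh_password_auth": "no",
                      "rdp_enabled": False},                   # limit remote connections
    "password_policy": {"min_length": 14, "max_age_days": 60},  # strong password policy
    "min_patch_level": "2024.05",                              # patch management
}

# Constructed observed state, as a monitoring agent might report it.
OBSERVED = {
    "listening_ports": {22, 443, 8080, 23},
    "packages": {"openssh-server", "nginx", "clamav", "telnetd"},
    "remote_access": {"ssh_password_auth": "yes", "rdp_enabled": False},
    "password_policy": {"min_length": 8, "max_age_days": 60},
    "patch_level": "2024.03",
}


def check_baseline(observed, baseline):
    """Return a list of (practice, finding) deviations; an empty list means compliant."""
    findings = []

    # Least functionality: anything listening that the baseline does not allow.
    for port in sorted(observed["listening_ports"] - baseline["allowed_listening_ports"]):
        findings.append(("least_functionality", f"unapproved listening port {port}"))

    # Control software installation: packages outside the approved set.
    for pkg in sorted(observed["packages"] - baseline["allowed_packages"]):
        findings.append(("control_software_installation", f"unapproved package {pkg}"))

    # Limit remote connections: every baseline remote-access setting must match.
    for key, expected in baseline["remote_access"].items():
        actual = observed["remote_access"].get(key)
        if actual != expected:
            findings.append(("limit_remote_connections",
                             f"{key}={actual!r}, expected {expected!r}"))

    # Strong password policy: the host may be stricter than the baseline, never weaker.
    pw, required = observed["password_policy"], baseline["password_policy"]
    if pw["min_length"] < required["min_length"]:
        findings.append(("strong_password_policy",
                         f"min_length {pw['min_length']} below required {required['min_length']}"))
    if pw["max_age_days"] > required["max_age_days"]:
        findings.append(("strong_password_policy",
                         f"max_age_days {pw['max_age_days']} above allowed {required['max_age_days']}"))

    # Patch management: the host must be at or beyond the required patch level.
    if parse_patch_level(observed["patch_level"]) < parse_patch_level(baseline["min_patch_level"]):
        findings.append(("patch_management",
                         f"patch level {observed['patch_level']} below required "
                         f"{baseline['min_patch_level']}"))

    return findings


def is_compliant(observed, baseline):
    """True when the host matches its baseline on every checked practice."""
    return not check_baseline(observed, baseline)


if __name__ == "__main__":
    for practice, finding in check_baseline(OBSERVED, BASELINE):
        print(f"{practice:30} {finding}")
```

Each deviation maps back to the practice it violates, so the output can feed a POA&M entry or a change request rather than an unstructured alert.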

Review Activity
Review Activity 3
Which of the following is an example of how continuous monitoring (CM) supports operational
resilience, interoperability, and operational reciprocity?

Select all that apply. Then check your answers in the Answer Key at the end of this Student Guide.

☐ Recommendation based on monitoring and analysis to move to an unlimited remote
connection usage policy
☐ Detection of transmitted information to foreign IP addresses
☐ Monitoring the collection, transmission, storage, aggregation, and presentation of data that
conveys current operational status
☐ Recommendation based on monitoring and analysis to move to an opt-out policy on the
Public Key Infrastructure (PKI) solution
☐ Collection and reporting on strategic cybersecurity metrics
☐ Analysis of cybersecurity products (e.g., firewalls, intrusion detection systems) that operate
in a net-centric manner

Lesson 7: Course Conclusion

Course Conclusion
Course Summary
Information security continuous monitoring is defined as maintaining ongoing awareness of
information security, vulnerabilities, and threats to support organizational risk management
decisions.

In this course, you learned about the role of CM in risk management as it supports the organization,
the mission/business process, and the information system. Next, you examined how the information
system continuous monitoring process and its tasks support the 3-tiered approach to risk
management. You then delved deeper into security-focused configuration management and the CM
controls, including patch management. You discovered in the Auditing and Log Reviews lesson the
importance of audit trails as a CM activity and then found the event logs in a practical exercise.
Finally, you learned about the importance of multiple security disciplines involved in CM and how
CM ensures operational resilience, interoperability, and operational reciprocity.

Lesson Review
Here is a list of the lessons in the course.

• Lesson 1: Course Introduction
• Lesson 2: Risk Management
• Lesson 3: Continuous Monitoring Strategy and Tasks
• Lesson 4: Security Configuration Management
• Lesson 5: Auditing and Log Reviews
• Lesson 6: Counterintelligence and Cybersecurity in Continuous Monitoring
• Lesson 7: Course Conclusion

Course Objectives
Congratulations. You have completed the Continuous Monitoring course.

You should now be able to perform all of the listed activities.

• Identify the role of continuous monitoring through risk management
• Examine how Information Security Continuous Monitoring (ISCM) supports the three-tiered
approach to risk management
• Describe how configuration management controls enable continuous monitoring
• Examine how audit logs support continuous monitoring

• Examine how counterintelligence and cybersecurity personnel support continuous
monitoring

To receive course credit, you must take the Continuous Monitoring examination. Please use the
Security Training, Education, and Professionalization Portal (STEPP) system to access the online
exam.

Appendix A: Answer Key

Lesson 2 Review Activities

Review Activity 1
Which of the following are important roles of the NISP in continuous monitoring?

☐ To establish organizational business processes
☐ To ensure that cleared industry safeguards classified information and information systems
(correct response)
☐ To protect critical assets (correct response)
☐ To thwart foreign adversaries and insider threats to information systems (correct response)

Feedback: The important roles of the NISP in continuous monitoring include ensuring cleared
industry safeguards classified information and information systems; protecting critical assets; and
thwarting foreign adversaries and insider threats.

Review Activity 2
Statement 1 of 3. This implements policy, assigns responsibilities, establishes requirements, and
provides procedures for the protection of classified information that is disclosed to, or developed by,
contractors of the U.S. Government.

☐ National Industrial Security Program Operating Manual (NISPOM) Rule (correct response)
☐ National Institute of Standards and Technology Special Publication (NIST SP)
☐ DOD Policy and Guidance

Feedback: The NISPOM Rule implements policy, assigns responsibilities, establishes requirements,
and provides procedures for the protection of classified information that is disclosed to, or developed
by, contractors of the U.S. Government.

Statement 2 of 3. This policy and guidance establishes the requirement for an integrated and
continuous capability to monitor and audit for threats and vulnerabilities from internal and external
sources.

☐ NISPOM Rule
☐ NIST SP
☐ DOD Policy and Guidance (correct response)

Feedback: DOD Policy and Guidance calls for a multi-tiered cybersecurity risk management process
capable of continuous monitoring for insider and foreign adversary threats and vulnerabilities.

Statement 3 of 3. These publications provide detailed guidance on the development and
implementation of an Information System Continuous Monitoring (ISCM) program and security-
focused configuration management.

☐ NISPOM Rule
☐ NIST SP (correct response)
☐ DOD Policy and Guidance

Feedback: The NIST publications provide guidelines for applying the Risk Management Framework
and the development and implementation of an ISCM program that mitigates the threats and
vulnerabilities to information systems.

Review Activity 3
Which of the following identify how the RMF supports risk management?

☐ The RMF process ensures that business process decisions can override user information
system concerns.
☐ The RMF process provides a flexible approach with decision-making at Tier 3.
☐ The RMF process ensures traceability and transparency across all levels of the organization.
(correct response)
☐ The RMF process emphasizes continuous monitoring and timely correction of deficiencies.
(correct response)

Feedback: The RMF supports risk management by providing a process that ensures traceability and
transparency across all levels of the organization and emphasizes continuous monitoring and timely
correction of deficiencies.

Review Activity 4
Statement 1 of 3. Information System Owner (ISO) categorizes systems at this level.

☐ Tier 1: Organization
☐ Tier 2: Mission/Business Process
☐ Tier 3: Information Systems (correct response)

Feedback: Performing at the Tier 3 Information Systems level, the ISO categorizes the systems.

Statement 2 of 3. The DOD Component SISO has authority and responsibility for security controls
assessment at this level.

☐ Tier 1: Organization
☐ Tier 2: Mission/Business Process
☐ Tier 3: Information Systems (correct response)

Feedback: The DOD Component SISO has authority and responsibility for security controls
assessment at this level.

Statement 3 of 3. Authorizing Officials (AOs) monitor and track overall execution of system-level
POA&Ms. AOs cannot delegate authorization decisions.

☐ Tier 1: Organization
☐ Tier 2: Mission/Business Process
☐ Tier 3: Information Systems (correct response)

Feedback: Performing at the Tier 3 Information Systems level, Authorizing Officials (AOs) monitor and
track overall execution of system-level POA&Ms. AOs cannot delegate authorization decisions.

Lesson 3 Review Activities

Review Activity 1
Statement 1 of 3. ISCM strategy at this level is focused on the controls that address the
establishment and management of the organization’s information security program, including
establishing the minimum frequency with which each security control or metric is to be assessed or
monitored.

☐ Tier 1
☐ Tier 2 (correct response)
☐ Tier 3

Feedback: Tier 2 MISSION/BUSINESS PROCESSES ISCM strategies focus on the controls that address
the establishment and management of the organization’s information security program, including
establishing the minimum frequency with which each security control or metric is to be assessed or
monitored.

Statement 2 of 3. ISCM strategy at this level is focused on high-level information security governance
policy as it relates to risk to the organization as a whole, to its core missions, and to its business
functions.

☐ Tier 1 (correct response)
☐ Tier 2
☐ Tier 3

Feedback: Tier 1 ORGANIZATION ISCM strategy focuses on high-level information security
governance policy as it relates to risk to the organization as a whole, to its core missions, and to its
business functions.

Statement 3 of 3. ISCM strategy at this level is focused on ensuring that all system-level security
controls are implemented correctly, operate as intended, produce the desired outcome with respect
to meeting the security requirements for the system, and continue to be effective over time.

☐ Tier 1
☐ Tier 2
☐ Tier 3 (correct response)

Feedback: Tier 3 INFORMATION SYSTEMS ISCM strategy focuses on ensuring that all system-level
security controls are implemented correctly, operate as intended, produce the desired outcome with
respect to meeting the security requirements for the system, and continue to be effective over time.

Review Activity 2
Statement 1 of 4. Given the ISCM process, in this step security-related information required for
metrics, assessments, and reporting is collected and, where possible, the collection, analysis, and
reporting of data is automated.

☐ Step 1: Define an ISCM strategy
☐ Step 2: Establish an ISCM program
☐ Step 3: Implement an ISCM program (correct response)
☐ Step 4: Analyze data and Report findings
☐ Step 5: Respond to findings
☐ Step 6: Review and Update the monitoring program

Feedback: In Step 3: Implement an ISCM program, security-related information required for metrics,
assessments, and reporting is collected and, where possible, the collection, analysis, and reporting of
data are automated.

Statement 2 of 4. Given the ISCM process, in this step the ISCM strategy is adjusted and
measurement capabilities are matured to increase visibility into assets and awareness of
vulnerabilities, further enable data-driven control of the security of an organization’s information
infrastructure, and increase organizational resilience.

☐ Step 1: Define an ISCM strategy
☐ Step 2: Establish an ISCM program
☐ Step 3: Implement an ISCM program
☐ Step 4: Analyze data and Report findings
☐ Step 5: Respond to findings
☐ Step 6: Review and Update the monitoring program (correct response)

Feedback: In Step 6: Review and Update the monitoring program, the ISCM strategy is adjusted and
measurement capabilities are matured to increase visibility into assets and awareness of
vulnerabilities, further enable data-driven control of the security of an organization’s information
infrastructure, and increase organizational resilience.

Statement 3 of 4. Given the ISCM process, in this step the metrics, status monitoring frequencies,
control assessment frequencies, and an ISCM technical architecture are determined.

☐ Step 1: Define an ISCM strategy
☐ Step 2: Establish an ISCM program (correct response)
☐ Step 3: Implement an ISCM program
☐ Step 4: Analyze data and Report findings
☐ Step 5: Respond to findings
☐ Step 6: Review and Update the monitoring program

Feedback: In Step 2: Establish an ISCM program, the metrics, status monitoring frequencies, control
assessment frequencies, and an ISCM technical architecture are determined.

Statement 4 of 4. Given the ISCM process, in this step the ISCM strategy is developed based on risk
tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat
information, and mission/business impacts.

☐ Step 1: Define an ISCM strategy (correct response)
☐ Step 2: Establish an ISCM program
☐ Step 3: Implement an ISCM program
☐ Step 4: Analyze data and Report findings
☐ Step 5: Respond to findings
☐ Step 6: Review and Update the monitoring program

Feedback: In Step 1: Define an ISCM strategy, the strategy is developed based on risk tolerance that
maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and
mission/business impacts.

Lesson 4 Review Activities

Review Activity 1
Which of the following are security-focused configuration management (SecCM) roles in risk
management?

☐ Ensuring that adjustments to the system configuration do not adversely affect the security of
the information system (correct response)
☐ Establishing configuration baselines and tracking, controlling, and managing aspects of
business development (correct response)
☐ Ensuring that adjustments to the system configuration do not adversely affect the
organization’s operations (correct response)
☐ Establishing a firm schedule for security patch updates every six months

Feedback: SecCM roles in risk management ensure adjustments to the system configuration do not
adversely affect the security of the information system or the organization’s operations as well as
establishing configuration baselines and tracking, controlling, and managing aspects of business
development.

Review Activity 2
Description 1 of 4. In this phase, a variety of access restrictions for change are employed.

☐ Phase 1
☐ Phase 2
☐ Phase 3 (correct response)
☐ Phase 4

Feedback: In Phase 3, Controlling Configuration Changes, a variety of access restrictions for change
are employed, including: Access controls, process automation, abstract layers, change windows, and
verification and audit activities.

Description 2 of 4. In this phase, activities focus on validating the IS adheres to the policies,
procedures, and approved baseline configuration.

☐ Phase 1
☐ Phase 2
☐ Phase 3
☐ Phase 4 (correct response)

Feedback: In Phase 4, Monitoring, activities focus on validating the IS adheres to the policies,
procedures, and approved baseline configuration as well as to identify undiscovered/undocumented
system components, misconfigurations, vulnerabilities, and unauthorized changes.

Description 3 of 4. In this phase, activities address configuration settings, software loads, patch
levels, how the IS is arranged, and how various security controls are implemented.

☐ Phase 1
☐ Phase 2 (correct response)
☐ Phase 3
☐ Phase 4

Feedback: In Phase 2, Identifying and Implementing Configurations, activities address configuration
settings, software loads, patch levels, how the IS is arranged, and how various security controls are
implemented.

Description 4 of 4. In this phase, activities involve developing policy and procedures including
implementation plans, change control processes, and metrics for compliance, to name a few.

☐ Phase 1 (correct response)
☐ Phase 2
☐ Phase 3
☐ Phase 4

Feedback: In Phase 1, Planning, activities involve developing policy and procedures including
implementation plans, change control processes, and metrics for compliance, to name a few.

Review Activity 3
Question 1 of 4: This control includes physical and logical access controls and supports auditing of
the enforcement actions. Only qualified and authorized individuals are permitted to initiate changes
in the system.

☐ Configuration Change Control
☐ Access Restrictions for Change (correct response)
☐ Configuration Settings
☐ Least Functionality
☐ Software Usage Restrictions
☐ User-Installed Software

Feedback: The Access Restrictions for Change control includes physical and logical access controls
and supports auditing of the enforcement actions. Only qualified and authorized individuals are
permitted to initiate changes in the system.

Question 2 of 4: This control ensures that software use complies with contract agreements and
copyright laws, tracks usage, and documents the use of peer-to-peer file sharing technology to
prevent unauthorized distribution, display, performance, or reproduction of copyrighted work.

☐ Configuration Change Control
☐ Access Restrictions for Change
☐ Configuration Settings
☐ Least Functionality
☐ Software Usage Restrictions (correct response)
☐ User-Installed Software

Feedback: The Software Usage Restrictions control ensures that software use complies with contract
agreements and copyright laws, tracks usage, and documents the use of peer-to-peer file sharing
technology to prevent unauthorized distribution, display, performance, or reproduction of
copyrighted work.

Question 3 of 4: This control involves the systematic proposal, justification, implementation, testing,
review, and disposition of changes to the systems, including system upgrades and modifications.

☐ Configuration Change Control (correct response)
☐ Access Restrictions for Change
☐ Configuration Settings
☐ Least Functionality
☐ Software Usage Restrictions
☐ User-Installed Software

Feedback: The Configuration Change Control involves the systematic proposal, justification,
implementation, testing, review, and disposition of changes to the systems, including system
upgrades and modifications.

Question 4 of 4: This control applies to the parameters that can be changed in hardware, software, or
firmware components that affect the security and privacy posture or functionality of the system,
including registry settings, account/directory permission settings, and settings for functions, ports and
protocols.

☐ Configuration Change Control
☐ Access Restrictions for Change
☐ Configuration Settings (correct response)
☐ Least Functionality
☐ Software Usage Restrictions
☐ User-Installed Software

Feedback: The Configuration Settings control applies to the parameters that can be changed in
hardware, software, or firmware components that affect the security and privacy posture or
functionality of the system, including registry settings, account/directory permission settings, and
settings for functions, ports and protocols.

Review Activity 4
Which phase of SecCM involves the management of change to maintain the secure, approved
baseline of a system?

☐ Phase 1: Planning
☐ Phase 2: Identifying and Implementing Configurations
☐ Phase 3: Controlling Configuration Changes (correct response)
☐ Phase 4: Monitoring

Feedback: Phase 3: Controlling Configuration Changes, involves the management of change to
maintain the secure, approved baseline of a system.

Lesson 5 Review Activities

Review Activity 1
Which of the following is an audit requirement in the NISP?

☐ Audit records limited to user access log-on
☐ Systems are properly managed to protect against unauthorized disclosure of classified
information
☐ A risk-based set of management, operational, and technical security controls (correct
response)
☐ Audit trails limited to network-level activity and applications
☐ Policies that address key components of the insider threat program (correct response)

Feedback: Audit requirements in the NISP include: systems that are properly managed to protect
against unauthorized disclosure of classified information; a risk-based set of management,
operational, and technical security controls; and policies that address key components of the insider
threat program.

Review Activity 2
Which of the following correctly identifies the initial steps to find the security event log on a
computer?

☐ Windows icon > Select Event Viewer > Security event log
☐ Windows icon > Type Event Viewer > Expand Windows Logs folder (correct response)
☐ System and Security > Security event log > Event Viewer
☐ Event Viewer > Security event log > System and Security

Feedback: The progression to access the security event log is to select Windows icon; then type Event
Viewer; and then expand the Windows Logs folder.

Review Activity 3
Which of the following is key information provided in an audit trail analysis?

☐ Successful and unsuccessful logons/logoffs (correct response)
☐ Denial of access for excessive logon attempts (correct response)
☐ Unsuccessful accesses to security-relevant objects and directories (correct response)
☐ Changes in user authentication (correct response)
☐ Blocking of a user ID, terminal or access port (and the reason) (correct response)

Feedback: All of these answer choices are key information for an audit trail analysis.

Lesson 6 Review Activities

Review Activity 1
Which of the following describe the role of counterintelligence and cybersecurity in identifying
threats to DOD assets?

☐ Sharing and reporting unauthorized access attempts, denial of service attacks, exfiltrated
data, and other threats/vulnerabilities in a timely manner (correct response)
☐ Monitoring and auditing on an annual basis
☐ Conducting trend analysis as part of the monitoring and detection activities (correct
response)
☐ Implementing cyberspace defenses to ensure DOD information systems and networks are
resistant to penetration and disruption (correct response)

Feedback: Counterintelligence and cybersecurity go hand-in-hand to protect DOD assets by: Sharing
and reporting unauthorized access attempts, denial of service attacks, exfiltrated data, and other
threats/vulnerabilities in a timely manner; Conducting trend analysis as part of the monitoring and
detection activities; and Implementing cyberspace defenses to ensure DOD information systems and
networks are resistant to penetration and disruption.

Review Activity 2
Which of the following are detectable threats and vulnerabilities that can be captured and mitigated
through continuous monitoring (CM) capabilities?

☐ Unexplained storage of encrypted data (correct response)
☐ Use of account credentials by unauthorized parties (correct response)
☐ Hacked personal mobile phone directory
☐ Downloading or installing non-approved computer applications (correct response)

Feedback: Through CM capabilities the following would be investigated and analyzed: Unexplained
storage of encrypted data; Use of account credentials by unauthorized parties; and downloading or
installing non-approved computer applications.

Review Activity 3
Which of the following is an example of how continuous monitoring (CM) supports operational
resilience, interoperability, and operational reciprocity?

☐ Recommendation based on monitoring and analysis to move to an unlimited remote
connection usage policy
☐ Detection of transmitted information to foreign IP addresses (correct response)
☐ Monitoring the collection, transmission, storage, aggregation, and presentation of data that
conveys current operational status (correct response)
☐ Recommendation based on monitoring and analysis to move to an opt-out policy on the
Public Key Infrastructure (PKI) solution
☐ Collection and reporting on strategic cybersecurity metrics (correct response)
☐ Analysis of cybersecurity products (e.g., firewalls, intrusion detection systems) that operate
in a net-centric manner (correct response)

Feedback: CM supports operational resilience, interoperability, and operational reciprocity in the
following ways: Detection of transmitted information to foreign IP addresses; Monitoring the
collection, transmission, storage, aggregation, and presentation of data that conveys current
operational status; Collection and reporting on strategic cybersecurity metrics; and Analysis of
cybersecurity products (e.g., firewalls, intrusion detection systems) that operate in a net-centric
manner.
