NIST SP 800-171 & CMMC 2.0 3.12.3 Requirement:
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
NIST SP 800-171 & CMMC 2.0 3.12.3 Requirement Explanation:
For security controls to remain effective, they must be reviewed to determine whether they are accomplishing their intended goal. As your systems, business processes, and people change, the effectiveness of your controls may diminish. Ongoing monitoring ensures that issues with your security controls are identified and corrected. Provide a plan for monitoring and assessing the state of security controls on a recurring basis that occurs more frequently than the periodic assessments discussed in CA.2.158. This monitoring and assessment plan may take the form of a checklist.
Example NIST SP 800-171 & CMMC 2.0 3.12.3 Implementation:
Create a checklist of tasks for you to perform on a monthly basis that allows you to monitor the effectiveness of your security controls. The checklist can include checking reports from your anti-malware software, SIEM, and other security tools.
NIST SP 800-171 & CMMC 2.0 3.12.3 Scenario(s):
- Scenario 1:
You want to review CMMC practice AC.1.002 to ensure its effectiveness. The practice says "Limit information system access to the types of transactions and functions that authorized users are permitted to execute." To monitor the effectiveness of this control, you review Microsoft 365 security group memberships monthly. You check to see if any unauthorized accounts have been created, if any accounts are inactive, and if any accounts have been added to the administrators group.
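The monthly review in Scenario 1 can be turned into a repeatable check rather than a manual read-through of the admin portal. The following Python script is an added example, not part of the original page or of any Microsoft tooling: it compares a constructed snapshot of account and group data (the field names `upn`, `groups` and `last_sign_in` are assumptions standing in for whatever export your directory produces) against an approved-accounts baseline, and reports the three conditions the scenario names: unauthorized accounts, inactive accounts, and unexpected members of the administrators group.

```python
from datetime import date, timedelta

# Constructed baseline: the accounts that are supposed to exist, and which of
# them are approved to hold administrator membership. Keep this under change
# control so the monthly review has something authoritative to compare against.
APPROVED_ACCOUNTS = {
    "alice@example.com": {"admin": True},
    "bob@example.com": {"admin": False},
    "carol@example.com": {"admin": False},
}

ADMIN_GROUP = "Global Administrators"   # assumed group name for the example
INACTIVE_AFTER_DAYS = 90                # assumed threshold for "inactive"

# Constructed snapshot standing in for a directory export taken on review day.
CURRENT_SNAPSHOT = [
    {"upn": "alice@example.com", "groups": ["Global Administrators"], "last_sign_in": "2024-05-20"},
    {"upn": "bob@example.com", "groups": ["Global Administrators", "Finance"], "last_sign_in": "2024-05-18"},
    {"upn": "carol@example.com", "groups": ["Finance"], "last_sign_in": "2024-01-05"},
    {"upn": "temp-contractor@example.com", "groups": ["Finance"], "last_sign_in": "2024-05-19"},
]


def find_unauthorized(snapshot, approved):
    """Accounts present in the directory but absent from the approved baseline."""
    return sorted(a["upn"] for a in snapshot if a["upn"] not in approved)


def find_inactive(snapshot, as_of, max_idle_days):
    """Accounts whose last sign-in is older than the idle threshold."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["upn"] for a in snapshot
        if date.fromisoformat(a["last_sign_in"]) < cutoff
    )


def find_unexpected_admins(snapshot, approved, admin_group):
    """Members of the admin group that the baseline does not approve as admins."""
    return sorted(
        a["upn"] for a in snapshot
        if admin_group in a["groups"]
        and not approved.get(a["upn"], {}).get("admin", False)
    )


def monthly_review(snapshot, approved, as_of,
                   admin_group=ADMIN_GROUP, max_idle_days=INACTIVE_AFTER_DAYS):
    """Run all three checks and return a result suitable for the review checklist."""
    findings = {
        "unauthorized_accounts": find_unauthorized(snapshot, approved),
        "inactive_accounts": find_inactive(snapshot, as_of, max_idle_days),
        "unexpected_admins": find_unexpected_admins(snapshot, approved, admin_group),
    }
    findings["passed"] = not any(findings[k] for k in
                                 ("unauthorized_accounts", "inactive_accounts", "unexpected_admins"))
    findings["reviewed_on"] = as_of.isoformat()
    return findings


if __name__ == "__main__":
    result = monthly_review(CURRENT_SNAPSHOT, APPROVED_ACCOUNTS, date(2024, 6, 1))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Each non-empty list is an item for the checklist to act on (remove or re-approve the account, disable the idle account, strip or approve the admin membership), and the `passed` flag plus `reviewed_on` date give you the evidence record that the control was monitored that month.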