NetStable
Level 2 CA.L2-3.12.3

Monitor security controls on an ongoing basis

📖 What This Means

This practice requires organizations to continuously monitor their security controls to ensure they are functioning as intended and protecting sensitive data. Think of it like regularly checking your car's brakes to make sure they work properly. Without ongoing monitoring, you might not realize a control has failed until it's too late. For example, if a firewall rule gets changed accidentally, it could leave your network exposed. Another example is monitoring user access logs to spot unauthorized attempts to access sensitive systems. This ongoing vigilance helps catch issues early and maintain a strong security posture.

🎯 Why It Matters

Failing to monitor security controls can lead to undetected vulnerabilities, which attackers can exploit. For instance, in the 2017 Equifax breach, a known vulnerability in a web application went unpatched for months, exposing the personal data of 147 million people. The cost of such breaches includes financial penalties, loss of customer trust, and damage to reputation. From the DoD/CMMC perspective, continuous monitoring is critical because defense contractors handle Controlled Unclassified Information (CUI) that adversaries target. This practice ensures that security controls remain effective over time, reducing the risk of data breaches and compliance failures.

How to Implement

  1. Enable logging and monitoring services in your cloud environment (e.g., AWS CloudTrail, Azure Monitor, GCP Operations Suite).
  2. Set up alerts for unusual activity, such as failed login attempts or changes to security configurations.
  3. Regularly review access logs to ensure only authorized users are accessing sensitive data.
  4. Conduct periodic vulnerability scans on cloud resources using tools like AWS Inspector or Azure Security Center.
  5. Automate compliance checks using cloud-native tools like AWS Config or Azure Policy.
  6. Document and review monitoring processes in your cloud security policy.
  7. Train staff on how to respond to alerts and escalate incidents.
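
As an added illustration of step 2 (example code, not NetStable's own or a vendor tool), the following Python applies two alert rules to constructed CloudTrail-style records: repeated failed console logins, and changes to security configuration, including calls that switch off the trail itself. The event names are real CloudTrail API names; the failure threshold, user names and timestamps are assumptions.

```python
from collections import Counter

# CloudTrail eventName values (real AWS API names) that alter security configuration
# or switch off the audit trail that this monitoring depends on.
SECURITY_CONFIG_EVENTS = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "PutBucketPolicy", "DisableKey", "StopLogging", "DeleteTrail",
}
FAILED_LOGIN_THRESHOLD = 3  # assumed tuning value, not taken from the page

def actor(event):
    """Name the principal behind a record, falling back to its ARN."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn", "unknown")

def evaluate(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (alert_type, actor, detail) tuples: one CONFIG_CHANGE per matching
    event, and one FAILED_LOGINS per user whose failure count reaches `threshold`."""
    alerts, failures = [], Counter()
    for ev in events:
        name = ev.get("eventName")
        # responseElements is null on many records, so guard before indexing.
        login_result = (ev.get("responseElements") or {}).get("ConsoleLogin")
        if name == "ConsoleLogin" and login_result == "Failure":
            failures[actor(ev)] += 1
        elif name in SECURITY_CONFIG_EVENTS:
            alerts.append(("CONFIG_CHANGE", actor(ev), name))
    alerts.extend(("FAILED_LOGINS", u, n) for u, n in failures.items() if n >= threshold)
    return alerts

# Constructed sample records in the CloudTrail record shape (names and times are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-15T08:00:01Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-15T08:00:09Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-15T08:00:20Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-15T08:01:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-15T09:30:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "deploy-user"}, "responseElements": None},
    {"eventTime": "2024-01-15T10:00:00Z", "eventName": "StopLogging",
     "userIdentity": {"userName": "contractor"}, "responseElements": None},
    {"eventTime": "2024-01-15T10:05:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "bob"}, "responseElements": None},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two CONFIG_CHANGE alerts and one FAILED_LOGINS alert for alice; the StopLogging hit is the case the practice is really about, a monitoring control that has itself stopped working.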

⏱️ Estimated Effort

Initial setup: 2-3 days (Intermediate skill level). Ongoing monitoring: 2-4 hours per week (Basic skill level).

📋 Evidence Examples

Security Monitoring Policy

Format: PDF/DOC
Frequency: Annual update
Contents: Document outlining monitoring procedures, tools, and roles.
Collection: Download from internal policy repository.

SIEM Logs

Format: CSV/JSON
Frequency: Weekly review
Contents: Logs showing monitored events and alerts.
Collection: Export from SIEM tool.

Vulnerability Scan Reports

Format: PDF
Frequency: Monthly
Contents: Reports detailing identified vulnerabilities and remediation status.
Collection: Run scans using vulnerability scanner, save reports.

Incident Response Records

Format: Excel/DOC
Frequency: As incidents occur
Contents: Details of incidents detected through monitoring and actions taken.
Collection: Maintain in incident tracking system.

Training Records

Format: PDF/Excel
Frequency: Annual
Contents: Records of staff trained on monitoring procedures.
Collection: Export from HR or training system.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For CA.L2-3.12.3 ("Monitor security controls on an ongoing basis"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your security assessment program, SSP maintenance process, continuous monitoring capabilities, and penetration testing schedule. Reference specific tools and responsible parties. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"CA.L2-3.12.3 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to monitor security controls on an ongoing basis. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"CA.L2-3.12.3 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to monitor security controls on an ongoing basis. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"CA.L2-3.12.3 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Define the assessment boundary (which systems are in scope)
  • Document assessment methodology and tools
  • Identify assessors (internal team, external firm)
  • Ensure this control covers all systems within your defined CUI boundary where ongoing monitoring of security controls applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Security Assessment Policy
  • 📄 System Security Plan (SSP)
  • 📄 Plan of Action & Milestones (POA&M)
  • 📄 Assessment reports
  • 📄 Evidence artifacts specific to CA.L2-3.12.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review your SSP for completeness, verify POA&M items are being tracked and remediated, and check that assessments are conducted at the required frequency.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a documented security monitoring policy?

✅ YES → Proceed to Q2.
❌ NO → GAP: Create a monitoring policy outlining tools, procedures, and roles. Timeline: 1 week.
Remediation:
Use a template from NIST SP 800-53 or CMMC guidelines.

Question 2: Are logs from all critical systems being collected and reviewed?

✅ YES → Proceed to Q3.
❌ NO → GAP: Enable logging on all critical systems and implement a SIEM solution. Timeline: 2 weeks.
Remediation:
Deploy an open-source SIEM like ELK Stack or Graylog.

Question 3: Are alerts configured for critical security events?

✅ YES → Proceed to Q4.
❌ NO → GAP: Configure alerts for events like failed logins, malware detection, and configuration changes. Timeline: 1 week.
Remediation:
Use SIEM or cloud-native monitoring tools.

Question 4: Are vulnerability scans conducted regularly?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule monthly vulnerability scans using tools like Nessus or OpenVAS. Timeline: 1 week.
Remediation:
Automate scans and integrate results into your SIEM.

Question 5: Are monitoring processes reviewed and updated annually?

✅ YES → Compliant.
❌ NO → GAP: Schedule an annual review of monitoring processes and update as needed. Timeline: 1 month.
Remediation:
Include monitoring in your annual security review checklist.

⚠️ Common Mistakes (What Auditors Flag)

1. Incomplete logging

Why this happens: Logging is not enabled on all critical systems.
How to avoid: Audit all systems to ensure logging is enabled and logs are centralized.

2. Lack of alerts

Why this happens: Critical events are not configured to trigger alerts.
How to avoid: Review SIEM or monitoring tool configurations to ensure alerts are set up.

3. Ignoring scan results

Why this happens: Vulnerability scan results are not acted upon.
How to avoid: Assign a team to review and remediate scan results promptly.

4. No documentation

Why this happens: Monitoring processes are not documented.
How to avoid: Create a detailed monitoring policy and update it regularly.

5. Inadequate training

Why this happens: Staff are not trained on monitoring tools and procedures.
How to avoid: Provide annual training on monitoring tools and incident response.

📚 Parent Policy

This practice is governed by the Assessment, Authorization, and Monitoring Policy.
