NIST 800-171 • LEVEL 2 • SECURITY ASSESSMENT AND MONITORING
3.12.3 — Continuous Monitoring
Continuous monitoring at the system level facilitates ongoing awareness of the system security posture to support risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk-based decisions. Different types of security requirements may require different monitoring frequencies.
Assessment Objectives
- a system-level continuous monitoring strategy is developed.
- a system-level continuous monitoring strategy is implemented.
- ongoing monitoring is included in the continuous monitoring strategy.
- security assessments are included in the continuous monitoring strategy.
Practitioner Notes
Continuous monitoring means you do not just check your security posture once a year and forget about it. You have tools and processes running all the time to watch for changes that could introduce risk.
Example 1: Deploy a SIEM solution (like Microsoft Sentinel or Splunk) that ingests logs from your firewall, Active Directory, endpoints, and cloud services. Set up detection rules for high-risk events -- failed login brute-force attempts, new admin accounts created, or firewall rules changed. Review alerts daily.
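To make the detection rules in Example 1 concrete, here is a small added illustration (not code from this page or from any SIEM product) that runs three such rules over constructed log records in a made-up normalized schema; the field names are assumptions, while event IDs 4625 and 4728 are the real Windows Security log values for a failed logon and a member added to a global group.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical normalized schema (field names
# are assumptions, not any vendor's). Six failed logons from one IP within a
# minute, one stray failure elsewhere, a Domain Admins grant, and a firewall
# rule modification.
SAMPLE_EVENTS = [
    {"ts": f"2024-05-01T08:00:{s:02d}", "src": "ad", "event_id": 4625,
     "user": "jsmith", "src_ip": "203.0.113.7"} for s in range(0, 60, 10)
] + [
    {"ts": "2024-05-01T08:10:00", "src": "ad", "event_id": 4625,
     "user": "amy", "src_ip": "198.51.100.4"},
    {"ts": "2024-05-01T09:00:05", "src": "ad", "event_id": 4728,
     "user": "svc-backup", "group": "Domain Admins", "actor": "helpdesk1"},
    {"ts": "2024-05-01T09:30:00", "src": "firewall", "event_id": None,
     "action": "rule_modified", "rule": "inbound-any-any", "actor": "netops"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP whose failed logons (4625) reach
    `threshold` inside a sliding time `window`."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in sorted(events, key=_ts):
        if e["event_id"] != 4625:
            continue
        q = recent[e["src_ip"]]
        q.append(_ts(e))
        while q and q[-1] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and e["src_ip"] not in alerted:
            alerted.add(e["src_ip"])
            alerts.append(("brute_force", e["src_ip"], len(q)))
    return alerts

def detect_admin_grant(events, admin_groups=("Domain Admins", "Administrators")):
    """Alert whenever a member is added to a privileged group (4728)."""
    return [("admin_grant", e["user"], e["group"]) for e in events
            if e["event_id"] == 4728 and e.get("group") in admin_groups]

def detect_firewall_change(events):
    """Alert on every firewall rule modification so it gets a human review."""
    return [("fw_rule_change", e["rule"], e["actor"]) for e in events
            if e["src"] == "firewall" and e.get("action") == "rule_modified"]

def run_rules(events):
    """Run all rules and return the alert tuples for the daily review queue."""
    return (detect_bruteforce(events) + detect_admin_grant(events)
            + detect_firewall_change(events))
```

The thresholds and group names are tuning knobs: a real deployment would set them per environment and suppress alerts for known change windows.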
Example 2: Enable Microsoft Defender for Cloud Apps to continuously monitor your cloud environment. It flags risky behaviors like mass file downloads, sign-ins from impossible travel locations, or OAuth app consent grants. Alerts are generated automatically and assigned to your security team for triage.
The point is not to drown in dashboards -- it is to make sure someone is watching for meaningful changes to your security posture between formal assessments.