NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING

CA-7(4) Risk Monitoring

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Effectiveness monitoring; Compliance monitoring; and Change monitoring.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.

Practitioner Notes

This enhancement integrates risk monitoring into your continuous monitoring program — you are not just tracking vulnerabilities but actively monitoring changes in risk to the organization.

Example 1: Subscribe to CISA alerts and threat intelligence feeds and correlate them with your asset inventory to identify when new threats elevate risk to your specific systems.

Example 2: Use your GRC tool to flag when POA&M items exceed their remediation deadline, automatically escalating the associated risk rating and notifying the authorizing official.
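As an added illustration of the two examples above and of the three monitoring types in the enhancement (this is example code written for these notes, not part of the NIST text or any GRC product), the script below runs one monitoring pass over constructed data: it escalates overdue open POA&M items for the authorizing official, reports assets missing required risk response measures, diffs two inventory snapshots for change monitoring, and correlates a constructed advisory feed with the inventory. The four-step risk scale, the set of required measures and the advisory ids are assumptions.

```python
# Added example: one risk-monitoring pass covering CA-7(4)'s three monitoring types.
# All data below is constructed for illustration, not pulled from a real feed or GRC tool.
from datetime import date

RISK_LEVELS = ["Low", "Moderate", "High", "Very High"]  # assumed organizational scale
REQUIRED_MEASURES = {"mfa", "edr", "patching"}  # assumed required risk response measures

# Constructed inventory snapshots: two so that change monitoring has something to diff
INVENTORY_PREVIOUS = {
    "web-01": {"software": {"nginx 1.24"}, "measures": {"mfa", "edr", "patching"}},
    "db-01": {"software": {"postgres 15"}, "measures": {"mfa", "edr", "patching"}},
}
INVENTORY_CURRENT = {
    "web-01": {"software": {"nginx 1.25"}, "measures": {"mfa", "edr", "patching"}},
    "db-01": {"software": {"postgres 15"}, "measures": {"edr"}},       # mfa and patching dropped
    "jump-01": {"software": {"openssh 9.6"}, "measures": {"mfa"}},    # new, unplanned host
}
# Constructed POA&M entries and a constructed advisory feed (placeholder ids, not real advisories)
POAM = [
    {"id": "POAM-1", "system": "web-01", "risk": "Moderate", "due": date(2024, 3, 1), "closed": False},
    {"id": "POAM-2", "system": "db-01", "risk": "Low", "due": date(2024, 9, 1), "closed": False},
    {"id": "POAM-3", "system": "web-01", "risk": "High", "due": date(2024, 1, 15), "closed": True},
]
ADVISORIES = [{"id": "ADV-EXAMPLE-1", "affects": "postgres 15"}]

def escalate(level: str) -> str:
    """Raise a risk rating one step, capped at the top of the scale."""
    return RISK_LEVELS[min(RISK_LEVELS.index(level) + 1, len(RISK_LEVELS) - 1)]

def overdue_poam(today: date, poam=POAM) -> list[dict]:
    """Effectiveness monitoring: open POA&M items past their deadline, rating escalated, AO notified."""
    return [{**i, "risk": escalate(i["risk"]), "notify": "authorizing_official"}
            for i in poam if not i["closed"] and i["due"] < today]

def missing_measures(inventory=INVENTORY_CURRENT) -> dict[str, set[str]]:
    """Compliance monitoring: required response measures an asset does not implement."""
    gaps = {name: REQUIRED_MEASURES - a["measures"] for name, a in inventory.items()}
    return {name: g for name, g in gaps.items() if g}

def inventory_changes(previous, current) -> dict[str, list[str]]:
    """Change monitoring: hosts added or removed, and hosts whose software or measures changed."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    modified = sorted(n for n in set(previous) & set(current) if previous[n] != current[n])
    return {"added": added, "removed": removed, "modified": modified}

def affected_by_advisories(advisories=ADVISORIES, inventory=INVENTORY_CURRENT) -> list[tuple[str, str]]:
    """Correlate feed entries with the inventory to see which assets a new advisory elevates risk for."""
    return [(adv["id"], name) for adv in advisories
            for name, a in inventory.items() if adv["affects"] in a["software"]]
```

Each function returns a structured result rather than printing, so the same pass can feed a GRC ticket, a dashboard, or a notification to the authorizing official.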