NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-14 Testing, Training, and Monitoring

a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
1. Are developed and maintained; and
2. Continue to be executed; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

Practitioner Notes

This control ties together your security testing, training, and monitoring programs. You need to regularly test your controls, train your people, and monitor your environment — and these three activities should inform each other.

Example 1: Build an annual calendar that schedules quarterly vulnerability scans, annual penetration testing, monthly phishing simulations, and annual security awareness training. After each activity, feed the results into your POA&M and update training content to address weaknesses found.

Example 2: Use Microsoft Defender for Endpoint to continuously monitor your devices and Microsoft 365 Attack Simulator for phishing tests. When the phishing tests show high click rates in a department, schedule targeted training for that group. Use Defender's Threat and Vulnerability Management dashboard to prioritize patching based on real exposure data.
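The following Python script is an added example, not text from NIST or this page's author. It models the calendar from Example 1 and the click-rate feedback loop from Example 2: it flags plan activities that have lapsed past their cadence (the "continue to be executed" part of PM-14) and departments whose phishing click rate warrants targeted training, emitting POA&M-style items. The activities, dates, departments and the 10% click-rate threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample plan mirroring Example 1: each activity, its cadence,
# and the date it last ran. All dates are made up for illustration.
PLAN = [
    {"activity": "vulnerability scan", "cadence_days": 90, "last_run": date(2024, 1, 15)},
    {"activity": "penetration test", "cadence_days": 365, "last_run": date(2023, 2, 1)},
    {"activity": "phishing simulation", "cadence_days": 30, "last_run": date(2024, 4, 20)},
    {"activity": "security awareness training", "cadence_days": 365, "last_run": date(2023, 9, 1)},
]

# Constructed phishing-simulation results per department (click rate = clicked / recipients).
PHISHING_RESULTS = {
    "Finance": {"recipients": 40, "clicked": 12},
    "Engineering": {"recipients": 80, "clicked": 4},
    "Operations": {"recipients": 25, "clicked": 6},
}

# Constructed "as of" date used when the script is run stand-alone.
AS_OF = date(2024, 5, 1)


def overdue_activities(plan, today):
    """Return plan activities whose next due date has already passed, most overdue first."""
    overdue = []
    for item in plan:
        due = item["last_run"] + timedelta(days=item["cadence_days"])
        if due < today:
            overdue.append({"activity": item["activity"], "due": due, "days_overdue": (today - due).days})
    return sorted(overdue, key=lambda o: o["days_overdue"], reverse=True)


def departments_needing_training(results, threshold=0.10):
    """Map each department whose click rate exceeds the threshold to its rounded click rate."""
    flagged = {}
    for dept, r in results.items():
        rate = r["clicked"] / r["recipients"]
        if rate > threshold:
            flagged[dept] = round(rate, 2)
    return flagged


def poam_items(plan, results, today, threshold=0.10):
    """Combine lapsed activities and high-click-rate departments into POA&M-style action items."""
    items = [f"Overdue: {o['activity']} (due {o['due']}, {o['days_overdue']} days late)"
             for o in overdue_activities(plan, today)]
    items += [f"Targeted training: {dept} (click rate {rate:.0%})"
              for dept, rate in sorted(departments_needing_training(results, threshold).items())]
    return items


if __name__ == "__main__":
    for line in poam_items(PLAN, PHISHING_RESULTS, AS_OF):
        print(line)
```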