CA-7 Continuous Monitoring (L)(M)(H)
- Contextual name: CA-7 Continuous Monitoring (L)(M)(H)
- ID: /frameworks/fedramp-high-security-controls/ca/07
- Located in: Assessment, Authorization, and Monitoring
Description
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
c. Ongoing control assessments in accordance with the continuous monitoring strategy;
d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
e. Correlation and analysis of information generated by control assessments and monitoring;
f. Response actions to address results of the analysis of control assessment and monitoring information; and
g. Reporting the security and privacy status of the system to [FedRAMP Assignment: to include JAB/AO][Assignment: organization-defined frequency].
CA-7 Additional FedRAMP Requirements and Guidance:
Guidance: FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.
Requirement: Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
Requirement: CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.
Similar
- Sections: /frameworks/nist-sp-800-53-r5/ca/07
- Internal ID: dec-c-70e09a60
Similar Sections (Take Policies From)
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
NIST SP 800-53 Revision 5 → CA-7 Continuous Monitoring | 6 | 8 | |
Similar Sections (Give Policies To)
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
FedRAMP Low Security Controls → CA-7 Continuous Monitoring (L)(M)(H) | 1 | 8 | |
FedRAMP Moderate Security Controls → CA-7 Continuous Monitoring (L)(M)(H) | 2 | 8 | |
Sub Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CA-7(1) Independent Assessment (M)(H) | | | |
CA-7(4) Risk Monitoring (L)(M)(H) | | | |
Policies (8)
Policy | Logic Count | Flags
---|---|---
AWS Account Multi-Region CloudTrail is not enabled | 1 | x6
AWS API Gateway API Access Logging in CloudWatch is not enabled | 1 | x1, x5
AWS API Gateway API Execution Logging in CloudWatch is not enabled | 1 | x6
AWS API Gateway REST API Stage X-Ray Tracing is not enabled | 1 | x6
AWS CloudTrail S3 Bucket Access Logging is not enabled | 1 | x6
AWS EC2 Auto Scaling Group behind ELB doesn't use ELB health check | 1 | x6
AWS S3 Bucket Server Access Logging is not enabled | 1 | x6
AWS VPC Flow Logs are not enabled | 1 | x1, x5