CA-07 Continuous Monitoring
Introduction
This document describes how Private Mendix Platform fulfills the CA-07 control.
| Control ID | CA-07 |
|---|---|
| Control category | CA - Security Assessment and Authorization |
| Requirement baseline | FEDRAMP MODERATE |
| Responsibility and ownership | Customer - Infra, Customer - Org |
Control
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
- Establishment of organization-defined metrics to be monitored
- Establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring
- Ongoing security control assessments in accordance with the organizational continuous monitoring strategy
- Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy
- Correlation and analysis of security-related information generated by assessments and monitoring
- Response actions to address results of the analysis of security-related information
- Reporting the security status of organization and the information system to organization-defined personnel or roles at an organization-defined frequency.
Supplemental Guidance
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations.
Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports or dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions.
Automation supports more frequent updates to security authorization packages, hardware, software, or firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.
The following controls are related to this control:
- CA-02
- CA-05
- CA-06
- CM-03
- CM-04
- PM-06
- PM-09
- RA-05
- SA-11
- SA-12
- SI-02
- SI-04
For more information, refer to the following:
- OMB Memorandum 11-33
- NIST Special Publications 800-37, 800-39, 800-53A, 800-115, and 800-137
- US-CERT Technical Cyber Security Alerts
- DoD Information Assurance Vulnerability Alerts
Responsibility
Customer Responsibility
The customer is responsible for implementing this control in an appropriate manner in their organization. This includes developing and maintaining a comprehensive continuous monitoring strategy that defines metrics, monitoring frequencies, and assessment procedures to ensure compliance with federal requirements. The customer must ensure that all continuous monitoring activities, including security control assessments, status reporting, and risk response actions, are documented, reviewed, and enforced within their environment.
Guidance
Customer Responsibility
This control is governed by NIST SP 800-137, which provides guidelines for Information Security Continuous Monitoring (ISCM) for federal information systems, and NIST SP 800-53 Rev 4, which establishes the foundational continuous monitoring requirements. Customers operating within a FedRAMP or DoD SRG environment must ensure their continuous monitoring program is comprehensive, automated where possible, and aligned with organizational risk management strategies.
To meet these requirements, the customer must carry out the following actions:
-
Develop and implement a continuous monitoring program.
The customer must develop a continuous monitoring strategy that defines the metrics to be monitored, monitoring frequencies, and assessment schedules.
The Infra Implementer must implement the infrastructure in a way that complies with the continuous monitoring program, including deploying monitoring tools, configuring alerting thresholds, and enabling security event collection in accordance with NIST SP 800-137.
-
Ensure application-level monitoring compliance.
The App Implementer must implement the Mendix app in a way that complies with the continuous monitoring program as dictated by the customer. This includes integrating application-level logging, health checks, and security metrics into the organization's centralized monitoring framework as required by NIST SP 800-53A assessment procedures.
-
Maintain ongoing monitoring and reporting.
The Infra Operator and App Operator must ensure that the infrastructure and Mendix App remain in compliance with the customer's continuous monitoring program as it evolves. This includes performing regular security control assessments, correlating and analyzing security-related information, generating compliance reports, and executing response actions to address identified risks per OMB Memorandum 11-33.