STIGhub: a free STIG search and compliance tool. © 2026 Beacon Cloud Solutions, Inc.

PM-31

Program Management · Rev 5 · organization

Continuous Monitoring Strategy

Baselines: Privacy

Control Statement

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

Supplemental Guidance

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. 
Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CA-7](#ca-7), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b), [SI-4](#si-4).

Related Controls (50)

AC-2, AC-6, AC-17, AT-4, AU-6, AU-13, CA-2, CA-5, CA-6, CA-7, CM-3, CM-4, CM-6, CM-11, IA-5, IR-5, MA-2, MA-3, MA-4, PE-3, PE-6, PE-14, PE-16, PE-20, PL-2, PM-4, PM-6, PM-9, PM-10, PM-12, PM-14, PM-23, PM-28, PS-7, PT-7, RA-3, RA-5, RA-7, SA-9, SA-11, SC-5, SC-7, SC-18, SC-38, SC-43, SI-3, SI-4, SI-12, SR-2, SR-4

CCI Identifiers (23)

CCI-004483: Implement continuous monitoring programs that include ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy.
CCI-004484: Develop an organization-wide continuous monitoring strategy for correlation and analysis of information generated by control assessments and monitoring.
CCI-004485: Implement continuous monitoring programs that include correlation and analysis of information generated by control assessments and monitoring.
CCI-004487: Implement continuous monitoring programs that include response actions to address results of the analysis of control assessment and monitoring information.
CCI-004488: Develop an organization-wide continuous monitoring strategy for reporting the security status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.
CCI-004489: Develop an organization-wide continuous monitoring strategy for reporting the privacy status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.
CCI-004490: Implement continuous monitoring programs that include reporting the security status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.
CCI-004491: Implement continuous monitoring programs that include reporting the privacy status of organizational systems to organization-defined personnel or roles on an organization-defined frequency.
CCI-004493: Defines the personnel or roles for whom to report the privacy status of organizational systems.
CCI-004494: Defines the frequency of reporting the security status of organizational systems to organization-defined personnel or roles.
CCI-004495: Defines the frequency of reporting the privacy status of organizational systems to organization-defined personnel or roles.
CCI-004473: Develop an organization-wide continuous monitoring strategy establishing organization-defined metrics to be monitored.
CCI-004492: Defines the personnel or roles for whom to report the security status of organizational systems.
CCI-004481: Defines the frequencies for developing and implementing continuous monitoring programs for assessment of control effectiveness.
CCI-004474: Implement continuous monitoring programs that include establishing organization-wide metrics to be monitored.
CCI-004475: Defines the metrics for developing and implementing continuous monitoring programs.
CCI-004476: Develop an organization-wide continuous monitoring strategy establishing organization-defined frequencies for monitoring.
CCI-004477: Develop an organization-wide continuous monitoring strategy establishing organization-defined frequencies for assessment of control effectiveness.
CCI-004478: Defines the frequencies for developing and implementing continuous monitoring programs for monitoring.
CCI-004479: Implement continuous monitoring programs that include establishing organization-wide frequencies for monitoring.
CCI-004480: Implement continuous monitoring programs that include establishing organization-wide frequencies for assessment of control effectiveness.
CCI-004482: Develop an organization-wide continuous monitoring strategy for ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy.
CCI-004486: Develop an organization-wide continuous monitoring strategy for response actions to address results of the analysis of control assessment and monitoring information.

Linked STIG Checks (0)

No STIG checks reference this control.