| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FedRAMP_High_R4 | SA-4(8) | FedRAMP_High_R4_SA-4(8) | FedRAMP High SA-4 (8) | System And Services Acquisition | Continuous Monitoring Plan | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. Supplemental Guidance: The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. | link | 1 |
| FedRAMP_Moderate_R4 | SA-4(8) | FedRAMP_Moderate_R4_SA-4(8) | FedRAMP Moderate SA-4 (8) | System And Services Acquisition | Continuous Monitoring Plan | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. Supplemental Guidance: The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. | link | 1 |
| NIST_SP_800-53_R4 | SA-4(8) | NIST_SP_800-53_R4_SA-4(8) | NIST SP 800-53 Rev. 4 SA-4 (8) | System And Services Acquisition | Continuous Monitoring Plan | Shared | n/a | The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. Supplemental Guidance: The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. | link | 1 |
| NIST_SP_800-53_R5 | SA-4(8) | NIST_SP_800-53_R5_SA-4(8) | NIST SP 800-53 Rev. 5 SA-4 (8) | System and Services Acquisition | Continuous Monitoring Plan for Controls | Shared | n/a | Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization. | link | 1 |
| PCI_DSS_v4.0 | 12.8.4 | PCI_DSS_v4.0_12.8.4 | PCI DSS v4.0 12.8.4 | Requirement 12: Support Information Security with Organizational Policies and Programs | Risk to information assets associated with third-party service provider (TPSP) relationships is managed | Shared | n/a | A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. | link | 8 |