Design & Implementation of a
Continuous Monitoring (ConMon) Program
[Key metrics panel: Security Controls Assessed Monthly; Annual Sustainment Costs; Average Issues Discovered Monthly; Total Time in Months to Design & Implement]
The Department of Defense adopted NIST’s Risk Management Framework, which mandates the implementation of Continuous Monitoring (ConMon). To meet this new requirement, the client needed a ConMon solution designed and implemented.
Context / Action
We designed and implemented the Continuous Monitoring Program (people and processes only) to provide ongoing awareness and insight into the organization's security posture IAW NIST standards. ConMon allows an organization to gather relevant, up-to-date (near real-time) information about risk, threats, vulnerabilities, and system and enterprise controls. The continuous monitoring strategy ensured that the organization operates within acceptable risk tolerance levels.
In designing this solution, we mapped the entire NIST 800-53 security control framework to DoD DIACAP, the SANS Top 20, Compliance Inspections, Cybersecurity Service Provider requirements, and other security control frameworks. The idea behind this was to minimize duplication of effort. By executing ConMon properly and assessing the core controls, we were also able to use that assessment evidence to validate all of the mapped controls in the other security frameworks! This not only validates the design and effectiveness of the security controls but also avoids the need to run separate independent assessments; thus killing multiple birds with one stone. This overall strategy avoids duplication of effort, consolidates like assessments into one, and provides overall transparency and synergy across the controls of the various frameworks.