https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43388#M309 <P>Here is one where they combine the policy and the NIST standards into one document. Personally, I'd make two separate documents but this is a start. Also, check out NIST SP 800-137 and 137A for more info on the subject.&nbsp;</P><P>&nbsp;</P><P><A title="https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Security_Assessment_Authorization.pdf" href="https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Security_Assessment_Authorization.pdf" target="_blank" rel="noopener">https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Security_Assessment_Authorization.pdf</A></P> Wed, 17 Feb 2021 18:16:29 GMT tmekelburg1 2021-02-17T18:16:29Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43385#M308 <P>I am looking for a good example of a Continuous Monitoring Policy/Plan/SOP (or all of the above) for use within the DoD RMF world.&nbsp; Anyone?</P> Mon, 09 Oct 2023 09:48:13 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43385#M308 BIRISH 2023-10-09T09:48:13Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43388#M309 <P>Here is one where they combine the policy and the NIST standards into one document. Personally, I'd make two separate documents but this is a start. Also, check out NIST SP 800-137 and 137A for more info on the subject.&nbsp;</P><P>&nbsp;</P><P><A title="https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Security_Assessment_Authorization.pdf" href="https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Security_Assessment_Authorization.pdf" target="_blank" rel="noopener">https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Security_Assessment_Authorization.pdf</A></P> Wed, 17 Feb 2021 18:16:29 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43388#M309 tmekelburg1 2021-02-17T18:16:29Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43402#M314 <P>From a technical perspective I suggest thinking about the solution architecture and then adding the security monitoring components. I like storyboarding those kinds of solutions, they are more practical than paper policy.</P> Thu, 18 Feb 2021 02:44:16 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43402#M314 AppDefects 2021-02-18T02:44:16Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43675#M336 <P>Each agency (there is roughly 100 command/service/agencies) has their own interpretation of continuous monitoring.&nbsp; Start with looking at the specific agencies document structure (font/headings/etc.) to develop a template then tailor it. You also might be able to get some insight from DoD policies as well.&nbsp;</P> Wed, 03 Mar 2021 13:34:54 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/43675#M336 RRoach 2021-03-03T13:34:54Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/59292#M871 <P>I am also looking for&nbsp;<SPAN>Continuous Monitoring Strategy &amp;&nbsp;Continuous Monitoring Plan templates to satisfy the RMF controls. Anyone know where to find good templates please let us know. Thank you.</SPAN></P> Thu, 18 May 2023 22:38:48 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/59292#M871 JaceSin 2023-05-18T22:38:48Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/64176#M989 <P>The team I'm on at HQDA G6 is working the ConMon strategy with other components. We will likely follow NIST SP 800-137 as a base but align with Sentinel's Army RMF 2.0 strategy and the Army Unified Network Plan. I will share any useful docs once we put them together and get the go ahead to distribute them. In the mean time I can recommend the FedRAMP continuous monitoring documents that also follow NIST 800-137.</P> Fri, 03 Nov 2023 17:32:45 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/64176#M989 RMF_Expert 2023-11-03T17:32:45Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/78825#M1299 do you happen to have any work breakdown structure for continuous monitoring? Tue, 15 Apr 2025 11:06:48 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/78825#M1299 clane 2025-04-15T11:06:48Z https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/78848#M1300 <P>You can Start with templates aligned to NIST SP 800-137, 800-37,&nbsp; and 800-53.</P><P>&nbsp;</P><P>NIST SP 800-53 provides a comprehensive catalog of security and privacy controls<BR />NIST SP 800-137 provide comprehensive guidance on establishing and assessing Information Security Continuous Monitoring (ISCM) programs.<BR />NIST SP 800-37 outlines the RMF process, including the development and implementation of a continuous monitoring strategy at the organizational level. ​</P> Tue, 15 Apr 2025 21:51:08 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Continuous-Monitoring-Plan-RMF/m-p/78848#M1300 akkem 2025-04-15T21:51:08Z