I am looking for a good example of a Continuous Monitoring Policy/Plan/SOP (or all of the above) for use within the DoD RMF world. Anyone?
Here is one where they combine the policy and the NIST standards into one document. Personally, I'd make two separate documents but this is a start. Also, check out NIST SP 800-137 and 137A for more info on the subject.
https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Security_Assessment_Authorization.pdf
From a technical perspective I suggest thinking about the solution architecture and then adding the security monitoring components. I like storyboarding those kinds of solutions, they are more practical than paper policy.
Each agency (there is roughly 100 command/service/agencies) has their own interpretation of continuous monitoring. Start with looking at the specific agencies document structure (font/headings/etc.) to develop a template then tailor it. You also might be able to get some insight from DoD policies as well.
I am also looking for Continuous Monitoring Strategy & Continuous Monitoring Plan templates to satisfy the RMF controls. Anyone know where to find good templates please let us know. Thank you.
The team I'm on at HQDA G6 is working the ConMon strategy with other components. We will likely follow NIST SP 800-137 as a base but align with Sentinel's Army RMF 2.0 strategy and the Army Unified Network Plan. I will share any useful docs once we put them together and get the go ahead to distribute them. In the mean time I can recommend the FedRAMP continuous monitoring documents that also follow NIST 800-137.