Systems enter the Continuous Monitoring (CM) Phase, Step 6 of the NIST Risk Management Framework (RMF), after achieving authorization to operate (ATO). The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the Authorizing Official (AO) when changes occur that may impact the security of the system. CM consists of three tasks:
- Configuration management and control;
- Security control monitoring; and
- Status reporting and documentation.

These tasks are performed continuously throughout the life cycle of an information system.