8-25-1 Ensure Security Authorization Package is properly updated |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure the security plan, security assessment report, and plan of action and milestones are updated based on the results of the continuous monitoring process.
|
NA
|
NA
|
Guide for Applying the Risk Management Framework to Federal Information Systems, NIST SP 800-37
|
8-25-2 Ensure the security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the authorizing official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy is reported |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure reporting of security status of the information system (including the effectiveness of security controls employed within and inherited by the system) to the authorizing official and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy.
|
NA
|
NA
|
Guide for Applying the Risk Management Framework to Federal Information Systems, NIST SP 800-37
|
8-25-3 Ensure the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable and is reviewed |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure ongoing review of reported security status (including the effectiveness of security controls employed within and inherited by the system) in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable.
|
NA
|
NA
|
Guide for Applying the Risk Management Framework to Federal Information Systems, NIST SP 800-37
|
8-25-4 Ensure an information system disposal strategy is implemented, when needed, which executes required actions when a system is removed from service |
Phase D1 |
Phase D2 |
Phase D3 |
|
Ensure an information system disposal strategy is implemented, when needed, which executes required actions when a system is removed from service.
|
NA
|
NA
|
Guide for Applying the Risk Management Framework to Federal Information Systems, NIST SP 800-37
|