SA-4 (8)

SA-4 (8) H M
Description

The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].

FedRAMP
  • H SA-4 (8) [at least the minimum requirement as defined in control CA-7]
  • M SA-4 (8) [at least the minimum requirement as defined in control CA-7]
DISA Cloud Computing SRG

Not appropriate for DoD to define for all CSP's infrastructure or service offerings

Source:
DoD RMF TAG

Supplemental Guidance

The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations.

Further Guidance

SA-4 (8) Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired.

Related Controls