| Field | Detail |
|---|---|
| Control ID | CA-07 |
| Control name | Continuous Monitoring |
| Framework | NIST SP 800-53 Revision 5 |
| Control family | Assessment, Authorization, and Monitoring |
| Baselines | LOW, MODERATE, HIGH, PRIVACY |
| Relevance | Organization (First Party and Third Party) |
| Risk severity | High |
What this control requires
CA-07 requires organizations to develop a continuous monitoring strategy defining system-level metrics, monitoring frequencies, and response actions. This requirement goes beyond periodic assessments. You’re building a persistent feedback loop that connects what you measure, how often you measure it, and what you do when measurements reveal risk.
In practice, this means defining which metrics reflect the security and privacy posture of each system, then setting monitoring cadences appropriate to each metric’s volatility and impact. Some controls need daily automated checks. Others warrant quarterly human assessments. Your continuous monitoring strategy must also specify how assessment data flows into correlation, analysis, and reporting so that the right personnel receive timely, actionable security and privacy status updates.
But measurement alone is not enough. The control further requires that you act on what you find. Monitoring without response actions is surveillance, not risk management. When control assessments reveal degradation, your organization must have defined processes to investigate root causes, update plans of action and milestones, and escalate findings to designated officials at established frequencies.
Why it matters
Organizations that treat monitoring as a periodic checkbox activity accumulate undetected control failures between assessment cycles. Continuous monitoring closes that gap, but most programs fall short because they lack defined system-level metrics or fail to connect monitoring outputs to response actions.
The consequences extend beyond internal gaps. Failure to maintain CA-07 introduces direct audit risk across every NIST SP 800-53 baseline. Federal agencies operating under the Federal Information Security Modernization Act (FISMA) rely on continuous monitoring to sustain their authority to operate (ATO). Without it, authorizations stall, remediation timelines stretch, and audit findings compound. For any organization subject to regulatory oversight, the absence of a documented monitoring strategy signals a systemic weakness in risk governance.
Where this breaks down is in correlation and analysis. Many teams collect monitoring data but never connect it across controls. When grouped controls degrade together, root-cause analysis becomes essential. Without it, remediation addresses symptoms while the underlying vulnerability persists.
A related failure: when monitoring cadences aren’t tied to system risk categories, high-impact systems receive the same attention as low-impact ones. The result is resource misallocation and blind spots in the areas that matter most.
What attackers exploit
- Gaps between assessment cycles where configuration drift, privilege creep, or newly disclosed vulnerabilities go undetected
- Monitoring programs without defined response actions, allowing detected anomalies to persist without investigation or remediation
- Disconnected data sources where security events, vulnerability scans, and access logs aren’t correlated, hiding multi-stage attack patterns
- Stale authorization decisions maintained by organizations that lack the compliance monitoring discipline to validate control effectiveness over time
How to implement
Most continuous monitoring programs fail not at the tool layer but at the strategy layer. Teams deploy scanners and dashboards without first defining which metrics matter, how often they need measurement, and who acts on the results.
For your organization
Step 1: Define system-level metrics. Start with the security and privacy controls most critical to your system’s risk profile. For each control, identify a measurable indicator of effectiveness. Good metrics are specific, measurable, actionable, relevant, and timely. Avoid vanity metrics that look good on dashboards but don’t drive decisions.
Step 2: Set monitoring frequencies. Not every control needs the same cadence. Access control changes may warrant daily automated checks. Policy reviews might follow a quarterly cycle. Align frequency to the volatility of each control and the system’s overall security categorization. Document these frequencies in your system-level continuous monitoring strategy.
Step 3: Automate where possible. Use vulnerability scanners, configuration management tools, and security information and event management (SIEM) platforms to collect data at the cadences you’ve defined. Automation increases consistency and enables the frequency needed for higher-impact systems.
Step 4: Build the correlation and analysis workflow. Raw monitoring data is not insight. Define how assessment results, scan outputs, and event logs feed into a unified analysis process. Assign responsibility for reviewing correlated data and identifying trends or clustered control failures that require root-cause analysis.
Step 5: Define response actions and reporting. Document what happens when monitoring reveals a control deficiency. Your plan of action and milestones should update automatically. Designate which personnel receive security and privacy status reports and at what frequency. Dashboards can supplement formal reports but shouldn’t replace them.
Common mistakes: Treating the monitoring strategy as a static document rather than a living program. Defining metrics that can’t actually be measured with available tooling. Reporting monitoring results without connecting them to risk response decisions.
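As an added example (not code from the page or from UpGuard), the five steps above as a small Python model of a system-level strategy: each metric records the control it measures, its volatility and its data source; the cadence comes from the system's impact level; evaluation flags metrics that cannot be measured with available tooling, assessments that missed their cadence, and values over their limit, opens a POA&M entry for each deficiency, and groups deficiencies by control family so clustered failures get root-cause analysis. The cadence table, limits, metric names and sample values are constructed assumptions, not NIST-prescribed figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Monitoring cadence in days, keyed by (control volatility, system impact level).
# Constructed illustration values; CA-07 leaves the actual frequencies to the organization.
CADENCE_DAYS = {("high", "HIGH"): 1, ("high", "MODERATE"): 7, ("high", "LOW"): 30,
                ("low", "HIGH"): 30, ("low", "MODERATE"): 90, ("low", "LOW"): 180}

@dataclass
class Metric:
    control: str               # control the metric measures, e.g. "AC-02"
    name: str
    volatility: str            # "high" or "low"
    source: Optional[str]      # tool that produces the measurement; None = not measurable
    limit: int                 # maximum acceptable value (every metric here counts bad things)
    last_assessed: date
    last_value: Optional[int] = None

def evaluate(metrics, impact, today, remediation_days=30):
    """Apply the strategy: flag metrics with no tooling, assessments that missed their
    cadence, and values over limit; open a POA&M item for each deficiency."""
    report = {"unmeasurable": [], "overdue": [], "deficient": [], "poam": []}
    for m in metrics:
        if m.source is None:
            report["unmeasurable"].append(m.name)       # cannot be monitored as defined
        elif (today - m.last_assessed).days > CADENCE_DAYS[(m.volatility, impact)]:
            report["overdue"].append(m.name)            # cadence not met; data is stale
        elif m.last_value is not None and m.last_value > m.limit:
            report["deficient"].append(m.name)
            report["poam"].append({"control": m.control, "opened": today,
                                   "due": today + timedelta(days=remediation_days),
                                   "finding": f"{m.name}: {m.last_value} exceeds limit {m.limit}"})
    return report

def families_needing_root_cause(poam, min_controls=2):
    """Several failing controls in one family point to a shared cause, not isolated failures."""
    by_family = {}
    for item in poam:
        by_family.setdefault(item["control"].split("-")[0], set()).add(item["control"])
    return sorted(f for f, ctrls in by_family.items() if len(ctrls) >= min_controls)

# Constructed sample: five metrics for a HIGH-impact system, evaluated as of 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_METRICS = [
    Metric("AC-02", "orphaned accounts", "high", "IdP export", 0, TODAY - timedelta(days=1), 3),
    Metric("AC-06", "standing admin accounts", "high", "IdP export", 5, TODAY - timedelta(days=1), 9),
    Metric("RA-05", "critical vulns open over 30 days", "high", "scanner", 0, TODAY - timedelta(days=10), 0),
    Metric("CM-06", "hosts drifted from baseline", "low", "config mgmt", 2, TODAY - timedelta(days=3), 1),
    Metric("PL-02", "security plan review completed", "low", None, 0, TODAY - timedelta(days=400)),
]
```

Running `evaluate(SAMPLE_METRICS, "HIGH", TODAY)` reports the two AC deficiencies (and opens POA&M items for them), the overdue scanner metric and the unmeasurable plan-review metric; the same metrics on a LOW-impact system produce no overdue entries because the cadence is 30 days.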
For your vendors
When your vendors operate systems that process your data, their continuous monitoring maturity directly affects your risk exposure. Self-attestation alone is insufficient for validating ongoing control effectiveness.
Questionnaire questions to include:
- Do you maintain a documented continuous monitoring strategy at the system level?
- What system-level metrics do you track, and at what frequencies?
- How do you correlate monitoring data across controls to identify systemic issues?
- What is your process for generating and acting on plans of action and milestones when monitoring reveals control deficiencies?
- How frequently do you report security and privacy status to system owners and authorizing officials?
Evidence to request:
- A copy of the system-level continuous monitoring strategy (redacted if needed)
- Sample control assessment reports showing assessment frequency and findings
- Sample status reports demonstrating that monitoring results reach designated personnel
- Impact analysis records showing how monitoring findings informed risk response decisions
Red flags to watch for:
- Vendors who describe monitoring as “annual penetration testing” or confuse periodic assessments with continuous monitoring
- No documented metrics or frequencies, indicating an ad hoc approach
- Monitoring reports that show zero findings over extended periods, suggesting the program isn’t genuinely operational
- No evidence of response actions tied to monitoring findings
Tools like UpGuard Vendor Risk support ongoing monitoring for third-party risk management by continuously assessing vendor security postures and surfacing changes that could indicate control degradation. Pairing automated vendor risk monitoring with periodic evidence requests creates a more complete picture than either approach alone.
Evidence examples
Auditors evaluating CA-07 under this framework examine artifacts that demonstrate your continuous monitoring program is operational, not just documented.
| Evidence Type | Example Artifact |
|---|---|
| Continuous monitoring strategy | System-level strategy document defining metrics to monitor, monitoring frequencies, assessment schedules, correlation methods, and reporting cadences aligned to the organizational strategy |
| Control assessment reports | Completed assessment records showing which controls were evaluated, assessment methods used, findings identified, and recommended corrective actions |
| Plan of action and milestones | Tracker listing identified control deficiencies from monitoring, assigned owners, remediation steps, target completion dates, and current status |
| Security and privacy status reports | Periodic reports delivered to designated personnel summarizing monitoring results, risk trends, and response actions taken during the reporting period |
| Configuration management records | Baseline configurations, change logs, and drift detection outputs demonstrating ongoing configuration monitoring against approved baselines |
| System monitoring records | Automated scan results, SIEM alert summaries, and event log reviews showing continuous data collection at defined monitoring frequencies |
Cross-framework mapping
| Framework | Control(s) | Coverage |
|---|---|---|
| ISO 27001:2022 | 5.36 Compliance with policies, rules and standards for information security | Partial |
| NIST SP 800-171 Rev 3 | 03.12.03 Continuous Monitoring | Partial |
Related controls
- AC-02 — Account Management: continuous monitoring of account provisioning and deprovisioning validates that access controls remain effective between reviews
- AC-06 — Least Privilege: monitoring helps detect privilege creep and unauthorized elevation that accumulates over time
- AC-17 — Remote Access: ongoing monitoring of remote access connections identifies unauthorized or anomalous sessions
- AT-04 — Training Records: monitoring training completion rates ensures personnel maintain the security awareness required by the monitoring program
- AU-06 — Audit Record Review, Analysis, and Reporting: audit log analysis feeds directly into the continuous monitoring data correlation process
- AU-13 — Monitoring for Information Disclosure: detecting unauthorized information disclosure is a key metric within a continuous monitoring strategy
- CA-02 — Control Assessments: periodic control assessments provide the baseline against which continuous monitoring measures ongoing effectiveness
- CA-05 — Plan of Action and Milestones: monitoring findings generate and update the plan of action and milestones that track remediation
- CA-06 — Authorization: continuous monitoring sustains the authorization to operate by providing ongoing evidence that risk remains acceptable
- CM-03 — Configuration Change Control: configuration monitoring detects unauthorized changes that could degrade control effectiveness
Frequently asked questions
What is NIST SP 800-53 CA-07?
CA-07 is the NIST SP 800-53 control that requires organizations to develop a continuous monitoring strategy defining system-level metrics, monitoring frequencies, and response actions for ongoing security and privacy awareness. The strategy must include correlation and analysis of assessment data, reporting to designated personnel, and defined processes for acting on findings. It applies across LOW, MODERATE, HIGH, and PRIVACY baselines.
What happens if CA-07 is not implemented?
Without CA-07, organizations lose ongoing visibility into control effectiveness, allowing security posture degradation to go undetected between periodic assessments. Authorization decisions become based on stale data because no mechanism exists to update plans of action and milestones or security status reports with current findings. For federal systems, the absence of a continuous monitoring strategy can jeopardize the authority to operate and trigger audit findings across multiple control families.
How do you audit CA-07?
Auditors verify that a documented system-level continuous monitoring strategy exists and aligns with the organizational strategy. They examine whether the strategy defines specific system-level metrics, monitoring frequencies, and frequencies for assessing control effectiveness. Auditors also review control assessment reports for evidence of ongoing assessments, check that monitoring data is correlated and analyzed, and confirm that security and privacy status reports are delivered to designated personnel at the defined frequencies.
How often should continuous monitoring assessments be performed?
The frequency of continuous monitoring assessments depends on each system’s security categorization and the volatility of individual controls. NIST guidance states that “continuous” means frequent enough to support risk-based decisions, not necessarily real-time for every metric. High-impact systems and high-volatility controls warrant more frequent automated checks, while lower-risk controls may follow weekly or monthly assessment cycles as documented in your system-level continuous monitoring strategy.