JD Biggs & Associates can assist in implementing a continuous monitoring methodology based on a near real-time risk management strategy, as defined in the Risk Management Framework. Through security control assessments, vulnerability scanning, system and network monitoring, and other automated support, JD Biggs & Associates can help determine the security state of an information system. JD Biggs & Associates Inc. can employ industry-standard tools and provide assistance in updating the critical documents in the authorization package. The documents in the authorization package are considered “living documents” and are updated based on actual events that may affect the security of the information system, including changes handled under configuration management strategies.
FISMA (section 3544(b)(5)) requires each agency to perform, for all systems, “periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually.”
From page 38 of the FedRAMP ConOps document:
Annually, CSPs must re-assess a subset of the security controls and send results to FedRAMP and leveraging agencies. The re-assessment of these controls must be completed by an accredited 3PAO. To verify this work was completed, CSPs must submit an annual self-certification that all controls are working properly.
RMF Step 6 – Monitor Security Controls:
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach