
What Continuous Monitoring Really Means



Ronald S. Ross


[Print Title: "Establishing a Secure Framework"] Recently, NIST completed a fundamental transformation of the traditional certification and accreditation process into a comprehensive, near real-time, security life cycle process as part of a Risk Management Framework (RMF). The RMF, described in NIST Special Publication 800-37, provides a dynamic, six-step approach to managing cybersecurity risk. The strength of the RMF lies in the comprehensive nature of the framework, which devotes as much attention to selecting the right security controls and effectively implementing those controls as it does to security assessment, authorization, and continuous monitoring. The strategy is simple: “Build It Right, Then Continuously Monitor.” The RMF, when used in conjunction with the three-tiered enterprise risk management approach described in NIST SP 800-39 (Tier 1: governance level; Tier 2: mission/business process level; Tier 3: information system level) and the broad-based continuous monitoring guidance in NIST SP 800-137, provides a comprehensive process for developing, implementing, and monitoring a cybersecurity program capable of protecting core organizational missions and business functions from a range of threats, including cyber attacks. Article can also be viewed at FedTech:…
FedTech Magazine
Summer 2012


cybersecurity, continuous monitoring, Risk Management Framework, RMF


Ross, R. (2012), What Continuous Monitoring Really Means, FedTech Magazine, [online], (Accessed April 19, 2024)
Created July 24, 2012, Updated January 27, 2020