U.S. Department of Health and Human Services
FISMA requires periodic and continuous testing and evaluation of the security controls in an information system to ensure that the controls remain effective in their application. Security control monitoring (i.e., verifying the continued effectiveness of those controls over time) and reporting are essential activities within an information security program. The ongoing monitoring of security controls can be accomplished by one or a combination of the following:
Security testing; and
Evaluation or audit.
Refer to NIST SP 800-53 Rev. 3 for security control assessment procedures.
Operations and Maintenance Phase