Without a continuous monitoring plan, security controls degrade silently after initial deployment: certificates expire, dependency vulnerabilities accumulate, access logs fill with anomalies no one reviews, and permission creep goes undetected. NIST 800-53 rev5 CA-7 (Continuous Monitoring) is a cornerstone FISMA control that requires defined monitoring frequency, event types, and review schedules; AU-6 (Audit Record Review, Analysis, and Reporting) mandates regular review of audit logs. FedRAMP rev5 CA-7 requires monthly vulnerability scans and annual penetration testing with documented results. CMMC 2.0 CA.L2-3.12.3 mandates a continuous monitoring strategy. A security posture that was compliant at ATO can drift out of compliance within weeks without a documented monitoring cadence.
Rated Info because an undocumented monitoring plan does not introduce a new vulnerability, but it guarantees that existing controls erode undetected; an assessor will cite its absence as a CA-7 control deficiency.
Create `docs/continuous-monitoring-plan.md` specifying tools, event types, review cadence, and escalation tiers. Reference actual tool names already deployed in your stack.

```markdown
# Continuous Monitoring Plan

## Monitoring Tools
- Logs: Vercel Log Drains → Datadog (or CloudWatch)
- Uptime: Checkly or Better Uptime — 1-minute ping interval
- Vulnerability scanning: `npm audit` in CI on every PR; Snyk weekly full scan
- Dependency updates: Dependabot (daily, security-updates group)

## Events Monitored
1. Failed login attempts (threshold: >10/min per IP → P1 alert)
2. Privilege escalation (any role change → immediate Slack alert)
3. Unrecognized admin session (new device + admin role → P1)
4. 5xx error rate spike (>5% over 5-minute window → P2)
5. Dependency CVE published for a direct dependency → P2
6. Certificate expiry <30 days → P2

## Review Cadence
- **Daily:** Automated alert triage; Datadog error dashboard
- **Weekly:** Vulnerability scan results; access log anomaly review
- **Monthly:** Full audit log review; user access recertification; FedRAMP ConMon report

## Escalation Levels
- **P1 (Critical):** PagerDuty → on-call engineer within 15 minutes; incident response activated
- **P2 (High):** Slack #security → acknowledged within 4 hours; remediated within 7 days
- **P3 (Medium):** Ticket created; remediated within 30 days
- **P4 (Low):** Logged; reviewed at next monthly security sync
```
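The thresholds in the plan above only matter if something actually evaluates them. As an added example (not part of the original rule or of any vendor tool), the following Node.js snippet runs constructed sample events through three of the plan's rules (failed logins >10/min per IP, 5xx rate >5% over 5 minutes, certificate expiry <30 days) and tags each finding with the escalation level and route the plan assigns; the event field names and route labels are assumptions for illustration.

```javascript
// Thresholds copied from the plan's "Events Monitored" section.
const THRESHOLDS = {
  failedLoginsPerMin: 10, // ">10/min per IP -> P1"
  errorRatePct: 5,        // ">5% 5xx over 5-minute window -> P2"
  certExpiryDays: 30,     // "<30 days -> P2"
};
// Routing from "Escalation Levels": P1 pages on-call, P2 posts to Slack #security.
const ROUTE = { P1: "pagerduty", P2: "slack:#security" };

// Constructed sample events (not real logs); `ts` is epoch seconds.
const NOW = 1_700_000_000;
const SAMPLE_EVENTS = [
  // 11 failed logins from one IP inside the last minute (breaches >10/min)
  ...Array.from({ length: 11 }, (_, i) => ({ type: "login_failed", ip: "203.0.113.7", ts: NOW - i })),
  // 3 failed logins from another IP (below threshold)
  ...Array.from({ length: 3 }, (_, i) => ({ type: "login_failed", ip: "198.51.100.2", ts: NOW - 5 * i })),
  // 100 responses in the last 5 minutes, 8 of them 5xx (8% > 5%)
  ...Array.from({ length: 100 }, (_, i) => ({ type: "http", status: i < 8 ? 503 : 200, ts: NOW - i * 3 })),
  // TLS certificate expiring in 12 days (inside the 30-day warning window)
  { type: "cert", host: "app.example.com", notAfter: NOW + 12 * 86400, ts: NOW },
];

function evaluate(events, now = NOW) {
  const alerts = [];
  const push = (priority, rule, detail) => alerts.push({ priority, rule, detail, route: ROUTE[priority] });

  // Rule 1: failed logins per source IP over a 60-second window.
  const perIp = new Map();
  for (const e of events) {
    if (e.type === "login_failed" && now - e.ts <= 60) perIp.set(e.ip, (perIp.get(e.ip) ?? 0) + 1);
  }
  for (const [ip, n] of perIp) {
    if (n > THRESHOLDS.failedLoginsPerMin) push("P1", "failed_logins", `${n} failed logins from ${ip} in 60s`);
  }

  // Rule 4: share of 5xx responses among all HTTP responses in the last 5 minutes.
  const http = events.filter((e) => e.type === "http" && now - e.ts <= 300);
  const errors = http.filter((e) => e.status >= 500).length;
  const pct = http.length ? (100 * errors) / http.length : 0;
  if (pct > THRESHOLDS.errorRatePct) push("P2", "error_rate", `${pct.toFixed(1)}% 5xx over 5 min`);

  // Rule 6: certificate validity remaining below the warning window.
  for (const e of events) {
    if (e.type !== "cert") continue;
    const days = Math.floor((e.notAfter - now) / 86400);
    if (days < THRESHOLDS.certExpiryDays) push("P2", "cert_expiry", `${e.host} expires in ${days} days`);
  }
  return alerts;
}
```

Running `evaluate(SAMPLE_EVENTS)` yields one P1 (failed logins) and two P2 findings (error rate, certificate), each carrying the route the plan's escalation table prescribes.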
ID: gov-fisma-fedramp.documentation-readiness.continuous-monitoring-plan
Severity: info
What to look for: Look for documentation describing ongoing security monitoring. Count the number of required components: automated monitoring tools, event types monitored, review schedule (daily/weekly/monthly), escalation priority levels, and alerting thresholds. List all monitoring tools or services referenced.
Pass criteria: A continuous monitoring plan is documented with at least 4 components: automated monitoring mechanisms (logs, metrics, alerts), at least 5 event types monitored, review schedule with daily/weekly/monthly cadence, and escalation procedures with at least 3 priority levels. Alerting for security events (failed logins, access denial, config changes) is defined.
Fail criteria: No continuous monitoring plan found, or plan covers fewer than 4 required components.
Skip (N/A) when: Never — monitoring is fundamental for FISMA.
Detail on fail: "No continuous monitoring plan documented. No mention of log review, metrics, or alerting procedures."
Remediation: Document continuous monitoring:

```markdown
# Continuous Monitoring Plan

## Automated Monitoring
- Log aggregation: CloudWatch, Datadog, or ELK Stack
- Metrics: CPU, memory, response time, error rates
- Security scanning: weekly vulnerability scans, daily log analysis
- Alerting: immediate notification for critical events

## Events Monitored
- Failed authentication attempts (5+ per minute per IP)
- Privilege escalation (role changes)
- Data access by non-authorized users
- Configuration changes
- System errors and exceptions
- Dependency vulnerabilities

## Review Schedule
- Daily: automated alerts, error logs
- Weekly: vulnerability scan results, access logs
- Monthly: comprehensive security review, user activity, compliance metrics

## Escalation
- P1 (Critical): Immediate notification, incident response activated
- P2 (High): Review within 24 hours, fix within 7 days
- P3 (Medium): Review within 1 week, fix within 30 days
- P4 (Low): Review monthly, fix as needed
```