3.12.3 — Monitor Continuously

The One-Liner

Annual checks catch problems 11 months too late. Monitor continuously.

What It Says

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

What It Actually Means

Don’t check your controls once a year and assume they’re working the other 364 days. Continuous monitoring means ongoing visibility into control effectiveness: compliance dashboards (Intune compliance, Defender Secure Score, Defender for Cloud), automated alerts when controls degrade (a device falls out of compliance, a logging source goes silent, a policy is changed), and regular human review of monitoring data (weekly or monthly). This is more frequent than the periodic assessment in 3.12.1 — that’s the deep dive, this is the constant heartbeat.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are security controls monitored on an ongoing basis?	Compliance dashboards active; alerts configured for control degradation; regular review cadence documented

---

What to Have Ready on Assessment Day

Documents they’ll review: Security assessment policy; continuous monitoring strategy; compliance dashboards (screenshots or live); alert configuration records; posture reports for management; system security plan

People they’ll talk to: Personnel with security assessment responsibilities; information security personnel; management with oversight

Live demos they’ll ask for: “Show me your compliance dashboards.” “What alerts are configured for control degradation?” “How often do you review monitoring data — show me the cadence.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “How do you monitor controls between assessments? Show me.”
• “Show me a compliance dashboard.”
• “What alerts do you have for control failures?”
• “How often do you review monitoring data?”

Real-World Example

A defense contractor uses Microsoft Secure Score, Intune compliance dashboards, and Defender for Cloud as continuous monitoring tools. The IT Security Lead reviews dashboards weekly. Alerts are configured for: device compliance drops below 95%, a logging source goes silent (3.3.4), a new critical vulnerability is detected, or a security policy is modified. Monthly, the IT Security Lead produces a one-page security posture report for the CEO: Secure Score trend, compliance percentage, open vulnerabilities, and open POA&M items. The assessor reviews the dashboards, checks alert configurations, and reviews three months of posture reports.

---

Where Companies Trip Up

Annual only. Controls checked during assessment prep and ignored the rest of the year. Implement dashboards and regular reviews.

No dashboards. No real-time visibility into control status. Deploy compliance dashboards from your existing tools (Defender, Intune, cloud platforms).

Alerts not acted on. Dashboards exist but nobody looks at them. Define a review cadence and assign ownership.

---

How to Talk About This

To a CEO or Board

We monitor our security controls continuously — weekly dashboard reviews, automated alerts for degradation, and monthly posture reports to leadership. We don’t wait for the annual assessment to find problems.

To an Engineering Team

Secure Score + Intune compliance + Defender for Cloud dashboards. Weekly review by IT Security Lead. Alerts: device compliance <95%, log source silence, critical vuln, policy change. Monthly posture report to CEO. Quarterly trend analysis.

---

Connected Requirements

Requirement	Why it matters here
3.12.1 — Test Your Controls	Periodic deep-dive assessment; this is the continuous heartbeat
3.12.4 — Maintain the SSP	Continuous monitoring may reveal SSP updates needed
3.3.4 — Alert When Logging Breaks	Logging failure alerts are a specific continuous monitoring mechanism

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: CA.L2-3.12.3 | SPRS Weight: 5 points | POA&M Eligible: No