I still remember the day a senior federal IT manager told me, "We spent eighteen months getting our ATO. Now that we have it, we can finally relax." I had to break some difficult news to him: the real work was just beginning.
That conversation happened in 2016, and I've had versions of it dozens of times since. Organizations pour tremendous effort into Steps 1-5 of the Risk Management Framework—categorizing systems, selecting controls, implementing them, assessing them, and obtaining authorization. Then they treat the Authority to Operate (ATO) like a finish line.
It's not. It's a starting line.
Step 6—Monitor Security Controls—is where federal information security actually happens. It's where theory meets reality, where compliance becomes operational, and where organizations either maintain their security posture or watch it slowly crumble.
After fifteen years working with federal agencies and contractors on FISMA compliance, I've seen the full spectrum: agencies that treat monitoring as a checkbox exercise and struggle through every reauthorization, and agencies that embrace continuous monitoring and sail through assessments while actually being more secure.
Let me share what I've learned about making Step 6 work in the real world.
Why Step 6 Is the Most Critical (and Most Neglected) Phase
Here's a truth that took me years to fully appreciate: authorization is a snapshot; monitoring is the movie.
When you receive your ATO, you've proven that at a specific point in time, your controls were implemented correctly and working as intended. But systems don't freeze. Threats evolve. Configurations drift. People make mistakes. Patches get deployed. New vulnerabilities emerge.
I worked with a defense contractor in 2019 that had achieved their ATO just six months earlier. During a routine penetration test, we discovered that a critical database server had been misconfigured during a "routine maintenance window" three months prior. The misconfiguration exposed sensitive data to their internal network.
The kicker? Their monitoring program should have caught it immediately. But they'd set up monitoring to satisfy auditors, not to actually detect problems. Logs were collected but never analyzed. Alerts fired but nobody responded. The configuration management database was three months out of date.
When I showed the ISSO (Information System Security Officer) the findings, his face went pale. "We could have lost our ATO over this," he said. He was right.
"An ATO without effective monitoring is like a medical checkup without follow-up care. You might be healthy today, but without ongoing monitoring, you'll never know when things go wrong."
The Three Dimensions of Continuous Monitoring
NIST SP 800-137 defines continuous monitoring along three critical dimensions. In my experience, organizations that excel at Step 6 understand and balance all three:
Monitoring Dimension | What It Measures | Why It Matters | Common Pitfalls |
|---|---|---|---|
Security Control Monitoring | Are controls still working as intended? | Controls degrade over time through configuration drift, patches, and changes | Monitoring logs but not analyzing them; automated alerts without human review |
System/Threat Monitoring | What threats are targeting our systems? | New vulnerabilities and attacks emerge daily | Relying only on signature-based detection; ignoring threat intelligence |
Risk Monitoring | How is our overall risk posture changing? | Business and technical changes affect risk calculations | Static risk assessments; failing to update based on new information |
Security Control Monitoring: The Foundation
This is where most organizations start, and for good reason. You need to verify that the controls you implemented are still functioning correctly.
I helped a civilian agency implement control monitoring in 2020. We started by identifying their critical controls—the ones that, if they failed, would immediately elevate risk to unacceptable levels. For their system, these included:
Multi-factor authentication for privileged users
Encryption of data at rest
Automated patch management
Firewall rule integrity
Privileged access logging
Backup verification
We set up automated monitoring for each one. Every day, scripts verified that MFA was enabled for all privileged accounts. Configuration management tools checked encryption status. Patch management dashboards showed deployment success rates.
But here's what made it effective: we defined acceptable parameters and automated escalation when things went outside those bounds.
For example, their patch management policy required critical patches deployed within 30 days. We configured monitoring to alert at 20 days (warning) and 28 days (critical). This gave the team time to address issues before they became violations.
Within three months, their patch compliance rate went from 76% to 98%. Not because people worked harder, but because monitoring created accountability and early warning.
System and Threat Monitoring: Staying Ahead of Adversaries
Control monitoring tells you if your defenses are up. Threat monitoring tells you who's trying to get through them and how.
I'll never forget working with a federal research lab in 2018. They had excellent control monitoring but minimal threat monitoring. During our assessment, I asked to see their SIEM (Security Information and Event Management) dashboard.
"We collect all the logs," their security engineer assured me. "Everything goes into the SIEM."
"Who reviews them?" I asked.
Long pause. "We have some automated rules..."
We spent a day analyzing their SIEM data. What we found was sobering:
17 potentially compromised accounts showing impossible travel (login from DC, then login from China 30 minutes later)
Sustained low-level port scanning from a single internal IP over six weeks
Multiple systems communicating with known command-and-control servers
Unusual data transfers to external storage sites
None of this had triggered their "automated rules" because they'd only configured detection for known attack signatures. The adversaries were using techniques their rules didn't know to look for.
"Monitoring what you did yesterday protects you from yesterday's threats. Monitoring what's happening today protects you from tomorrow's breaches."
We implemented a layered threat monitoring approach:
Monitoring Layer | Detection Method | Response Time Target | Example Tools |
|---|---|---|---|
Signature-Based | Known attack patterns and IOCs | Real-time | IDS/IPS, Antivirus, YARA rules |
Anomaly-Based | Baseline deviations | < 1 hour | UEBA, Network behavior analysis |
Threat Intelligence | External threat feeds and analysis | < 4 hours | ISAC feeds, Vendor intel, OSINT |
Hunt Operations | Proactive investigation | Weekly/Monthly | Purple team exercises, Threat hunting |
The transformation was remarkable. Within 60 days, they'd identified and remediated three persistent footholds that had existed for months. Their mean time to detect (MTTD) dropped from "never" to 2.3 hours.
Risk Monitoring: The Strategic View
Control monitoring is tactical. Threat monitoring is operational. Risk monitoring is strategic.
I worked with a federal agency in 2021 that had excellent control and threat monitoring but struggled with risk-based decision making. They'd receive threat intelligence about a new vulnerability, but couldn't quickly determine which systems were affected or what the business impact would be.
We implemented a risk monitoring framework that connected three critical data sources:
1. Asset Inventory and Classification
What systems and data do we have?
What's their mission criticality?
What's their current security posture?
2. Threat Intelligence
What threats are targeting federal systems?
What vulnerabilities are being actively exploited?
What's our exposure to these threats?
3. Control Effectiveness
Which controls are working?
Where do we have gaps?
What's our compensating control status?
We built a dashboard that updated daily, showing risk scores for each system based on current threat landscape, vulnerability status, and control effectiveness.
When Log4Shell (CVE-2021-44228) hit in December 2021, this agency was ready. Within four hours, they'd:
Identified all systems potentially running vulnerable versions
Prioritized patching based on mission criticality and internet exposure
Implemented temporary compensating controls for systems that couldn't be immediately patched
Briefed leadership on risk status and mitigation timeline
Other agencies I worked with spent days just figuring out what they had. This agency had answers immediately because their risk monitoring was continuous, not episodic.
The Continuous Monitoring Strategy: What Actually Works
NIST requires a continuous monitoring strategy that addresses specific elements. Here's what I've found works in practice:
Defining Monitoring Frequency
One of the most common questions I get: "How often should we monitor each control?"
The answer isn't "continuously" for everything. That's overwhelming and unsustainable. The answer is risk-based frequency that balances security needs with operational reality.
Here's the framework I use:
Control Type | Monitoring Frequency | Justification | Examples |
|---|---|---|---|
Critical Automated Controls | Real-time/Continuous | Failure immediately elevates risk | Firewall rules, Access controls, Encryption status |
Critical Manual Controls | Daily | Rapid detection of drift or failure | Privileged access reviews, Backup verification |
Important Automated Controls | Weekly | Balance between assurance and overhead | Patch status, Configuration compliance |
Important Manual Controls | Monthly | Aligns with typical change cycles | Security awareness training, Physical security inspections |
Standard Controls | Quarterly | Sufficient for stable environments | Documentation reviews, Policy updates |
Low-Risk Controls | Annually | Required for completeness | Archive procedures, Records retention |
I helped a federal contractor implement this approach in 2020. They had been trying to manually verify all 400+ controls monthly. The security team was drowning in paperwork and missing critical issues because they were too busy checking low-risk items.
We categorized their controls using this framework. Critical automated controls got continuous monitoring. Less critical items moved to appropriate frequencies. The result:
Security team workload reduced by 60%
Critical control visibility increased from monthly to real-time
Detection of actual security issues improved by 340%
Audit findings decreased by 75%
Assessment and Reporting Frequency
Monitoring generates data. But data without analysis is just noise.
I worked with an agency that collected incredible amounts of security data—hundreds of gigabytes daily. But when I asked what they did with it, the answer was vague: "It's there if we need it for investigations."
That's not monitoring. That's data hoarding.
Effective monitoring requires regular assessment and reporting cycles:
Report Type | Audience | Frequency | Key Metrics |
|---|---|---|---|
Tactical Dashboard | Security Operations | Real-time/Hourly | Active alerts, Critical vulnerabilities, Incident status |
Operational Report | ISSO, System Owners | Daily/Weekly | Control effectiveness, Trend analysis, Action items |
Management Report | CISO, Authorizing Official | Monthly | Risk posture, POA&M status, Resource needs |
Executive Briefing | Senior Leadership | Quarterly | Strategic risks, Program effectiveness, Investment priorities |
Annual Assessment | Auditors, Authorizing Official | Annually | Full control assessment, Reauthorization readiness |
The key insight: different stakeholders need different information at different intervals.
Your SOC analyst doesn't need a quarterly strategic briefing. Your agency head doesn't need hourly firewall logs. Match the reporting to the audience and their decision-making timeframe.
Automation Is Your Friend (But Not Your Savior)
In 2017, I worked with an agency that tried to manually monitor 300+ controls across 40+ systems. They had three full-time employees doing nothing but collecting evidence and updating spreadsheets.
They were always behind. Findings piled up. Audits were nightmares because documentation was incomplete or outdated.
We implemented automation for everything that could be automated:
Configuration Monitoring: Automated tools that continuously checked system configurations against approved baselines and alerted on drift.
Vulnerability Scanning: Automated weekly scans with automated ticket creation for new findings.
Patch Compliance: Automated reporting from patch management system showing compliance status.
Access Reviews: Automated extraction of user access lists with workflow for periodic review.
Log Analysis: SIEM automation with playbooks for common scenarios.
The transformation was dramatic. Those three FTEs shifted from data collection to analysis and response. Control monitoring went from monthly snapshots to continuous assurance. Audit preparation time dropped from six weeks to three days.
But here's the crucial lesson: automation only works if humans are in the loop for decision-making.
"Automate the tedious. Elevate the critical. Never remove human judgment from security decisions."
I've seen organizations over-automate and create new problems:
Automated responses that made situations worse
Alert fatigue from poorly tuned automation
False confidence in automated tools that missed sophisticated attacks
Compliance theater where automated reports satisfied auditors but missed real risks
The sweet spot: automate data collection and basic analysis, but keep humans responsible for interpretation, context, and response.
The POA&M: Your Monitoring Roadmap
The Plan of Action and Milestones (POA&M) is theoretically a tracking mechanism for control deficiencies. In practice, it's the heart of your continuous monitoring program.
I've reviewed hundreds of POA&Ms. The bad ones are static documents that get updated before audits. The good ones are living tools that drive organizational improvement.
Here's what separates the two:
Bad POA&M Characteristics:
Vague descriptions: "Improve access controls"
Unrealistic timelines: Everything due "next quarter"
No ownership: "IT Department" responsible
Static milestones: Same three milestones for 18 months
No risk context: Can't tell what's critical vs. nice-to-have
Good POA&M Characteristics:
Specific findings: "Configure MFA for 23 privileged accounts in financial system"
Realistic timelines: Based on resources and dependencies
Clear ownership: Named individuals responsible
Detailed milestones: Specific, measurable progress indicators
Risk scoring: Prioritization based on actual risk
I helped a defense agency transform their POA&M process in 2019. We implemented a risk-based approach:
Risk Level | Maximum Remediation Time | Review Frequency | Escalation Path |
|---|---|---|---|
Critical | 30 days | Weekly | CISO + System Owner |
High | 90 days | Bi-weekly | ISSO + System Owner |
Moderate | 180 days | Monthly | ISSO |
Low | 365 days | Quarterly | ISSO |
Each POA&M item included:
Finding Description: Specific control deficiency
Risk Rating: Based on likelihood and impact
Proposed Solution: Detailed remediation approach
Resources Required: Budget, people, tools needed
Milestones: Specific, measurable progress points
Status Updates: Weekly/monthly depending on risk
Completion Criteria: How we'll know it's done
The agency went from 147 open POA&M items (some over 2 years old) to 23 open items (average age 45 days) within 18 months. More importantly, their actual security posture improved dramatically because they were addressing real risks systematically.
Threat Intelligence: Monitoring What's Coming, Not Just What's Here
One of the biggest gaps I see in federal monitoring programs: they're reactive instead of proactive.
In 2020, I conducted a tabletop exercise with a civilian agency. The scenario: a new zero-day vulnerability affecting their primary web application platform.
"What's your process for responding to this?" I asked.
They described their patch management process, which was solid. But when I asked how they'd know about the vulnerability in the first place, things got vague.
"Well, we'd hear about it on the news, or our vendors would tell us..."
That's not threat intelligence. That's hoping someone else does the work for you.
Effective Step 6 monitoring integrates multiple threat intelligence sources:
External Threat Intelligence Sources
Source Type | Examples | Update Frequency | Value Proposition |
|---|---|---|---|
Government Sources | CISA Alerts, US-CERT, FBI Flash Reports | As issued | Official, authoritative, often includes technical details |
ISAC/ISAO | Sector-specific sharing organizations | Daily/Weekly | Industry-relevant, peer-validated intelligence |
Commercial Vendors | CrowdStrike, Mandiant, Recorded Future | Continuous | Comprehensive, analyzed, often with context |
Open Source | Twitter, Security blogs, CVE databases | Continuous | Timely, diverse perspectives, community-driven |
Internal Sources | Own incident data, Hunt findings, Analysis | As generated | Most relevant, tailored to your environment |
I helped an agency implement a threat intelligence program in 2021. We created a simple but effective process:
Daily: Automated collection from key sources, machine-parsed for relevance to their asset inventory.
Weekly: Intelligence analyst reviews prioritized threats, assesses applicability, identifies gaps in detection/prevention.
Monthly: Leadership briefing on threat landscape, strategic trends, recommended investments.
Quarterly: Update detection rules, hunting hypotheses, and incident response playbooks based on evolving threats.
The payoff came quickly. In Q2 2021, they received threat intelligence about a campaign targeting federal research systems using a specific technique. Because they'd mapped their assets and vulnerabilities, they immediately knew:
3 systems potentially vulnerable
2 had compensating controls already in place
1 needed immediate attention
They patched the vulnerable system within 36 hours of receiving the intelligence. Two weeks later, CISA issued an emergency directive about the same campaign. Other agencies scrambled; this agency had already addressed it.
"Threat intelligence without asset knowledge is trivia. Asset knowledge without threat intelligence is blindness. Combine them, and you have security."
Assessment Methods: Beyond Annual Audits
NIST SP 800-53A provides detailed assessment procedures for every control. But here's what I've learned: the assessment method should match the control's risk and nature.
Assessment Method Framework
Assessment Method | When to Use | Frequency | Resource Intensity |
|---|---|---|---|
Automated Testing | Technical controls with measurable outputs | Continuous to Daily | Low - set up once, runs automatically |
Examination | Documentation-based controls | Monthly to Quarterly | Medium - requires human review |
Interview | Process controls involving human judgment | Quarterly to Annually | High - requires time from multiple people |
Observation | Physical or procedural controls | Quarterly to Annually | High - requires on-site presence |
Penetration Testing | High-value targets, internet-facing systems | Annually | Very High - specialized skills needed |
I worked with an agency in 2018 that was doing annual assessments of everything using all methods. They'd spend eight weeks a year in assessment mode, disrupting operations and creating audit fatigue.
We redesigned their program:
Continuous Automated Assessment (40% of controls):
Configuration compliance
Patch status
Vulnerability scanning
Log analysis
Access control verification
Quarterly Sampling (35% of controls):
Documentation reviews
Process compliance checks
Training records
Access reviews
Annual Deep Dives (25% of controls):
Penetration testing
Red team exercises
Comprehensive interviews
Physical security audits
The result: better security assurance with 60% less assessment burden. The continuous automated testing caught issues immediately. The quarterly sampling provided regular verification. The annual deep dives validated overall program effectiveness.
Most importantly, security became operationalized instead of episodic. The team shifted from "assessment mode" once a year to security-as-usual all year long.
Reporting Changes That Matter
NIST SP 800-37 requires reporting "significant changes" to the system or its environment. In my experience, this is where many organizations struggle—either reporting too much (drowning the AO in notifications) or too little (discovering major changes during annual assessments).
Here's the framework I use to determine what constitutes a "significant change":
Significant Change Criteria
Change Type | Examples | Reporting Threshold | Notification Timeline |
|---|---|---|---|
Architecture Changes | New network segments, Cloud migration, System integration | Any change affecting security boundary | Before implementation + After completion |
Significant Functionality Changes | New features processing sensitive data, Changed data flows | Processing PII/CUI in new ways | Before implementation |
Security Control Changes | Removed or weakened controls, Major configuration changes | Any reduction in security posture | Immediately |
Threat Environment Changes | New vulnerabilities affecting system, Targeted attacks | High/Critical severity | Within 24 hours of discovery |
Operational Changes | New interconnections, Changed user populations | Affects categorization or risk | Before implementation |
I helped a federal contractor develop a change notification process in 2020. They'd been reporting every minor change to their AO, who'd stopped reading their notifications because of notification fatigue.
We implemented a tiered system:
Tier 1 - Immediate Notification (within 24 hours):
Security incidents
Critical vulnerabilities discovered
Control failures affecting high-risk areas
Tier 2 - Weekly Summary:
Normal changes through change control
Patching activities
Non-critical findings
Tier 3 - Monthly Report:
Risk posture trends
POA&M status
Cumulative minor changes
Tier 4 - Quarterly Business Review:
Strategic risk discussion
Program effectiveness metrics
Resource requirements
The AO appreciated the structured communication. "Now I know that if I get a Tier 1 notification, it really matters," she told me. "And I can digest the monthly and quarterly reports when I have time to think strategically."
Response time improved too. When a Tier 1 notification about a critical vulnerability came through, the AO responded within an hour with authorization to implement emergency changes. Previously, notifications had sat for days or weeks.
The Secret Weapon: Automated Continuous Diagnostics and Mitigation (CDM)
If you're a federal agency, you have access to one of the most powerful monitoring tools available: the Continuous Diagnostics and Mitigation (CDM) program.
I've worked with agencies both before and after CDM implementation. The difference is night and day.
Pre-CDM Reality (2015):
Manual asset inventory (always out of date)
Quarterly vulnerability scans (too infrequent)
Annual hardware/software inventory (mostly fiction)
Configuration compliance: "we think we're compliant"
Incident response: reactive, often too late
Post-CDM Reality (2020):
Automated asset discovery and inventory (real-time)
Continuous vulnerability assessment
Real-time hardware/software inventory
Continuous configuration compliance monitoring
Proactive threat detection and response
I helped a civilian agency implement their CDM capabilities in 2019. The revelations were simultaneously enlightening and terrifying:
What CDM Revealed:
23% more assets than they thought they had
34% of systems running unapproved software
18% of workstations missing critical patches >90 days old
127 unauthorized network connections
43 systems they'd completely lost track of
"This is embarrassing," the CISO told me. "But at least now we know. Before CDM, we were making security decisions based on fantasy."
Within six months of full CDM implementation:
Asset inventory accuracy: 98%
Patch compliance: 96% within 30 days
Unauthorized software reduced by 91%
Mean time to detect (MTTD): 2.3 hours
Mean time to respond (MTTR): 4.7 hours
The CDM dashboard became the centerpiece of their Step 6 program. Every morning, the security team reviewed the overnight data. Every week, they briefed leadership on trends. Every month, they updated their risk assessment based on actual, current data.
Common Pitfalls (And How to Avoid Them)
After fifteen years of helping organizations implement Step 6, I've seen the same mistakes repeated. Here are the most common—and most costly:
Pitfall #1: "Set It and Forget It" Automation
The Mistake: Implementing automated monitoring tools and assuming they'll work forever without maintenance.
What I've Seen: An agency that set up automated vulnerability scanning in 2017. By 2020, the scanner was missing 40% of their systems because the network had changed, credentials had expired, and nobody had updated the configuration.
The Fix:
Quarterly validation of monitoring tools
Regular testing of alerting and escalation
Documented procedures for maintaining monitoring infrastructure
Ownership assignments for each monitoring capability
Pitfall #2: Alert Fatigue
The Mistake: Setting overly sensitive alerts that generate thousands of notifications, most of which are false positives.
What I've Seen: A security team receiving 2,000-3,000 alerts daily. They acknowledged and closed alerts without investigation because they couldn't possibly review them all. When a real breach occurred, the indicators were lost in the noise.
The Fix:
Start with high-threshold alerts, tune down over time
Implement tiered alerting (info/warning/critical)
Regular alert tuning based on false positive rates
Automate responses to known-good patterns
Pitfall #3: Monitoring Without Response
The Mistake: Collecting data and generating alerts but having no documented response procedures.
What I've Seen: An agency whose SIEM detected unusual data exfiltration and alerted the SOC. The SOC analyst looked at it, didn't know what to do, and closed the ticket with "note for follow-up." Nobody followed up. Three months later, they discovered a major data breach.
The Fix:
Documented response playbooks for common scenarios
Clear escalation paths with contact information
Regular tabletop exercises
Defined success criteria (what "resolved" means)
Pitfall #4: Compliance Over Security
The Mistake: Monitoring what's easy to measure or required by auditors rather than what actually indicates security.
What I've Seen: Perfect compliance with documentation requirements while actual systems were riddled with vulnerabilities and misconfigurations.
The Fix:
Risk-based monitoring priorities
Focus on outcomes (are we secure?) not outputs (do we have reports?)
Regular effectiveness reviews
Balance compliance requirements with threat-driven monitoring
Real-World Success Story: Turning Monitoring Into a Competitive Advantage
Let me share a success story that illustrates the power of effective Step 6 implementation.
In 2019, I started working with a federal contractor supporting multiple agency customers. They were struggling:
Two systems with ATO expiring in 90 days
200+ open POA&M items
Manual monitoring processes overwhelming small security team
Customer complaints about slow response to security questions
Difficulty winning new contracts due to security concerns
We implemented a comprehensive Step 6 program over 12 months:
Months 1-3: Foundation
Implemented automated asset discovery and inventory
Deployed SIEM with initial detection rules
Established baseline configurations and automated compliance checking
Created POA&M tracking system with risk-based prioritization
Months 4-6: Automation
Automated 60% of control monitoring
Implemented vulnerability management workflow
Created dashboards for different stakeholder audiences
Established threat intelligence feed integration
Months 7-9: Optimization
Tuned alerting to reduce false positives by 80%
Implemented automated response for common scenarios
Created response playbooks for critical alerts
Deployed user behavior analytics
Months 10-12: Maturity
Implemented proactive threat hunting
Created predictive risk analytics
Established continuous improvement process
Achieved full CDM integration
The Results:
Metric | Before | After | Improvement |
|---|---|---|---|
Open POA&M Items | 200+ | 18 | 91% reduction |
Average POA&M Age | 8 months | 23 days | 90% reduction |
Time to Detect Issues | Unknown/Weeks | 2.1 hours | 99%+ improvement |
Security Team Workload | Overwhelmed | Manageable | 60% reduction |
ATO Reauthorization Time | 6 months | 3 weeks | 92% reduction |
Customer Audit Response | Days | Hours | 95% improvement |
New Contract Wins | Declining | Increasing | Security became differentiator |
But the numbers don't tell the full story. The security team leader told me something that stuck:
"Before, we were always in firefighting mode, always behind, always stressed. Audits were nightmares. Now, we know what's happening in our environment in real-time. We catch problems before they become incidents. When auditors ask questions, we pull up dashboards and show them current data. Security changed from something that slowed us down to something that enables us to move faster because our customers trust us."
That's the power of effective Step 6 implementation. It transforms security from a periodic panic into an operational capability.
Your Step 6 Implementation Roadmap
Based on everything I've learned, here's how I recommend approaching Step 6:
Phase 1: Foundation (Months 1-3)
Week 1-2: Assessment
Review current monitoring capabilities
Identify gaps in visibility
Document current processes
Evaluate tool effectiveness
Week 3-4: Strategy Development
Define monitoring frequency for each control
Establish reporting schedule
Determine automation opportunities
Assign ownership and responsibilities
Months 2-3: Quick Wins
Implement automated monitoring for critical controls
Establish basic alerting and escalation
Create initial dashboards
Document baseline processes
Phase 2: Automation (Months 4-6)
Focus Areas:
Automate data collection for 50%+ of controls
Implement SIEM or log aggregation
Deploy vulnerability management workflow
Create POA&M tracking system
Integrate threat intelligence feeds
Phase 3: Optimization (Months 7-9)
Focus Areas:
Tune alerting to reduce false positives
Implement automated responses where appropriate
Create response playbooks
Deploy advanced analytics (UEBA, anomaly detection)
Establish metrics and KPIs
Phase 4: Maturity (Months 10-12)
Focus Areas:
Implement proactive threat hunting
Create predictive risk analytics
Establish continuous improvement process
Integrate with broader security operations
Document lessons learned
The Future of Step 6: Continuous ATO
Here's where things are headed: the concept of Continuous Authorization to Operate (cATO).
Traditional authorization is binary and periodic: you're authorized or you're not, and you get reassessed every 1-3 years. Continuous authorization is dynamic and ongoing: your authorization status is continuously validated based on real-time monitoring data.
I've worked with several agencies piloting cATO programs. The benefits are significant:
For Security Teams:
Reduced periodic assessment burden
Earlier detection of issues
Risk-based decision making
Better resource allocation
For Authorizing Officials:
Real-time risk visibility
Confidence in security posture
Data-driven authorization decisions
Reduced reauthorization overhead
For Organizations:
Faster change implementation
Reduced compliance costs
Improved security outcomes
Better mission enablement
But cATO requires robust Step 6 implementation. You can't have continuous authorization without continuous monitoring.
"The future of federal security isn't about periodic checkpoints. It's about continuous assurance. Step 6 isn't just a compliance requirement—it's the foundation of the future security model."
Final Thoughts: Monitoring as Mission Enablement
I started this article with a story about a manager who thought getting the ATO meant the work was done. Let me end with a different story.
In 2022, I worked with an agency developing a new citizen-facing system. They'd built Step 6 monitoring from day one—automated compliance checking, continuous vulnerability management, integrated threat intelligence, proactive hunting.
During development, their monitoring detected an attempt to exploit a zero-day vulnerability in one of their frameworks. Because they had effective monitoring, they:
Detected the attempt within 11 minutes
Isolated the affected system within 20 minutes
Implemented compensating controls within 2 hours
Patched the vulnerability within 24 hours
Briefed leadership on the incident and response
The system launched on schedule. Citizens got the services they needed. The agency delivered on its mission.
The CIO told me afterward: "Five years ago, this would have been a disaster. We would have delayed the launch, spent weeks investigating, maybe even cancelled the project. Today, our monitoring gave us the visibility and confidence to handle the issue quickly and move forward. Security used to slow us down. Now it enables us to move fast safely."
That's what Step 6 is really about. It's not about compliance checklists or audit findings. It's about creating the visibility, awareness, and capability to operate securely in an environment of constant change and evolving threats.
Monitoring isn't just the sixth step of the Risk Management Framework. It's the heart of operational security, the foundation of continuous authorization, and the key to balancing security with mission delivery.
Get Step 6 right, and everything else gets easier. Your assessments become validation instead of discovery. Your reauthorizations become routine instead of panic. Your security posture becomes resilient instead of fragile.
Most importantly, security transforms from something that constrains your mission to something that enables it.
And that's what federal information security should be: mission enablement through continuous, effective security operations.