Continuous Monitoring Strategy & [...]

[...] hardware or software changes to the service offering, or newly discovered vulnerabilities, can change the security posture of a system over time. Ongoing assessment of security controls results in greater control over the security posture of the CSP system and enables timely risk management decisions. Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing due diligence and review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services. The updated documentation provides evidence that the FedRAMP baseline security controls continue to protect the system as originally planned.

Other NIST documents, such as NIST SP 800-37 Revision 1, refer to the "ongoing assessment of security controls". It is important to note that "continuous monitoring" and "ongoing security assessment" mean essentially the same thing and should be understood as the same activity.

As defined by the National Institute of Standards and Technology (NIST), the process for continuous monitoring includes the following initiatives:
- Define a continuous monitoring strategy based on risk tolerance that maintains clear visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat information.
- Collect the data required for the defined measures and report on findings; automate the collection, analysis, and reporting of data where possible.

Continuous monitoring activities include:
- Assessing a defined subset of the security controls annually.
- Assessing changed controls on an ad hoc basis as requested by the AOs for any changes made to the system by the CSP.
- Submitting the assessment report to the ISSO one year after the CSP's authorization date and each year thereafter.

As part of the continuous monitoring process, CSPs are required to have a 3PAO perform an assessment on an annual basis for a subset of the overall controls implemented on the system. During the annual assessment, the controls listed in Table A-1 are tested along with an additional number of controls selected by the AO. The AO has the option to vary the total number of controls tested to meet the desired level of effort for testing. The AO selects the additional controls for testing based on the criteria in Table 3-1.

There are additional requirements for testing and control selection for CSPs that are transitioning to the FedRAMP 800-53 Revision 4 baseline. For additional guidance on Revision 4 transition testing, review the FedRAMP Revision 4 Transition Guide.

CSPs are required to submit a schedule of activities to their AOs within 15 days from the date of their authorization and annually thereafter. This schedule assists CSPs in managing continuous monitoring activities.

After a change is implemented, the CSP must submit a new Security Assessment Report to the AO based on a security assessment performed by a 3PAO in accordance with the SAP and within the timeframe agreed between the CSP and AO. Additionally, the CSP will need to submit updated documentation pertaining to the newly implemented changes.

During incident response, both CSPs and leveraging agencies are responsible for coordinating incident handling activities together, and with US-CERT. The team-based approach to incident handling ensures that all parties are informed and enables incidents to be closed as quickly as possible. CSPs must also follow the incident response and reporting guidance contained in the FedRAMP Incident Communications Procedure. The FedRAMP ISSO is notified of CSP incident activity.

Continuous Monitoring Roles and Responsibilities

Authorizing Official
Authorizing Officials and their teams ("AOs") serve as the focal point for coordination of continuous monitoring activities for CSPs. CSPs must coordinate with their AOs to send security control artifacts at various points in time. The AOs monitor both the Plan of Action & Milestones (POA&M) and [...]

If concerns arise about the security posture of the CSP system, AOs may ask for a security artifact at any point in time. For example, if a CSP indicates in their System Security Plan that they actively monitor information system connections, the AO could ask the CSP to send them log file snippets for a particular connection at any point in time. If it becomes known that an entity that connects to a CSP has been compromised by an unauthorized user, the AO coordinates with the CSP to check in on the interconnection monitoring of the CSP. CSPs should anticipate that, aside from scheduled continuous monitoring deliverables and aside from testing performed by 3PAOs, the AOs may request certain system artifacts on an ad hoc basis if there are concerns.

Controls with continuous monitoring requirements (table fragment; the first row survives only as its closing parameter text):
[...] [Assignment: organization-defined frequency]].
2. Auditable Events (AU-2a, AU-2d): Certain events must be continuously monitored. AU-2a auditable events: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. AU-2d frequency: continually.
3. Information System Component Inventory (CM-8(3)a): CSPs must be able to detect new assets continuously, using automated mechanisms with a maximum five-minute delay in detection. This activity should be automated.
4. Incident Reporting (IR-6): CSPs must report incidents in accordance with the FedRAMP Incident Communications Procedure. IR-6a: [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)].
5. Temperature & [...]
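As an added example (not code from the FedRAMP guide or any CSP) of how the CM-8(3)a five-minute detection requirement above could be verified, the script below reconciles a constructed provisioning log against a constructed inventory-scanner log and flags assets that were detected late, never detected, or never authorized. The log format, asset names and timestamps are assumptions made for the example.

```python
"""Added example: checking the CM-8(3)a five-minute asset-detection
requirement against constructed sample data. Assumed inputs: a
provisioning log (when each asset came online) and an inventory-scanner
log (when the automated inventory first saw it), both as
'<ISO-8601 UTC timestamp> <asset-id>' lines."""
from datetime import datetime, timedelta

MAX_DETECTION_DELAY = timedelta(minutes=5)  # CM-8(3)a FedRAMP parameter

# Constructed sample logs (not real data).
PROVISIONING_LOG = """\
2024-03-01T10:00:00Z web-07
2024-03-01T10:02:30Z db-03
2024-03-01T10:10:00Z worker-12
"""
INVENTORY_LOG = """\
2024-03-01T10:03:10Z web-07
2024-03-01T10:09:00Z db-03
2024-03-01T10:11:00Z rogue-vm
"""

def parse_log(text):
    """Return {asset_id: earliest timestamp} from '<ts> <asset>' lines."""
    first_seen = {}
    for line in text.splitlines():
        ts, asset = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if asset not in first_seen or when < first_seen[asset]:
            first_seen[asset] = when
    return first_seen

def check_inventory(provisioned, detected):
    """Classify assets for the CM-8(3) check: 'late' maps asset to its
    detection delay in seconds when it exceeds five minutes, 'missing'
    lists provisioned assets the inventory never saw, and 'unknown' lists
    detected assets that were never provisioned (possible rogue hosts)."""
    late, missing = {}, []
    for asset, online in provisioned.items():
        if asset not in detected:
            missing.append(asset)
            continue
        delay = detected[asset] - online
        if delay > MAX_DETECTION_DELAY:
            late[asset] = int(delay.total_seconds())
    unknown = sorted(set(detected) - set(provisioned))
    return {"late": late, "missing": missing, "unknown": unknown}

def run_check():
    return check_inventory(parse_log(PROVISIONING_LOG), parse_log(INVENTORY_LOG))

if __name__ == "__main__":
    print(run_check())  # db-03 is late (390 s), worker-12 missing, rogue-vm unknown
```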