NIST 800-53 r5 · Controls catalogue · Family PM
PM-31Continuous Monitoring Strategy
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing the following organization-wide metrics to be monitored: {{ insert: param, pm-31_odp.01 }}; Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness; Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; Correlation and analysis of information generated by control assessments and monitoring; Response actions to address results of the analysis of control assessment and monitoring information; and Reporting the security and privacy status of organizational systems to {{ insert: param, pm-31_prm_4 }} {{ insert: param, pm-31_prm_5 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-754 | Improper Check for Unusual or Exceptional Conditions | 697 | Requires ongoing monitoring of organization-defined metrics and analysis, enabling checks for unusual or exceptional conditions. |
CWE-693 | Protection Mechanism Failure | 476 | Establishes continuous monitoring of control effectiveness with defined metrics and response actions, detecting protection mechanism failures. |
CWE-391 | Unchecked Error Condition | 23 | Mandates ongoing correlation, analysis, and response to monitoring results, reducing unchecked error conditions from control assessments. |
CWE-778 | Insufficient Logging | 23 | Drives organization-wide metrics, frequencies, and correlation of monitoring data, directly mitigating insufficient logging and observability. |
CWE-390 | Detection of Error Condition Without Action | 14 | Requires response actions to analysis of monitoring data, directly preventing detection of error conditions without follow-up action. |
CWE-392 | Missing Report of Error Condition | 11 | Includes explicit reporting of security status and analysis results, addressing missing reports of error or monitoring conditions. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||