Why Continuous Monitoring Matters for Defense Contractor Compliance

Discover why ongoing monitoring of security controls matters for defense contractors pursuing CMMC compliance.


---


"Continuous monitoring" is one of those phrases that shows up in CMMC requirements and immediately prompts the question: how continuous is continuous, exactly? Daily? Weekly? Does a quarterly vulnerability scan count?

Here's the direct answer: "continuous" in the CMMC context means ongoing — not point-in-time, not annual. It means you have visibility into your security posture on a regular, structured basis and that you're acting on what you find. It doesn't mean a 24/7 security operations center for every contractor, but it does mean more than an annual compliance review.

Control CA.L2-3.12.3 requires ongoing monitoring of security controls and metrics to ensure continued effectiveness. Your assessor isn't just looking at whether you have the controls today — they're looking at whether you have a program to confirm those controls remain effective over time.

Here's what that program looks like in practice.

The CMMC Controls That Drive Monitoring

Three controls form the core of a continuous monitoring program:

CA.L2-3.12.3 — Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. This is the primary monitoring requirement. It means your security controls don't just get implemented and forgotten — you verify they're working through regular review, testing, and metrics tracking.

CA.L2-3.12.1 — Periodically assess the security controls in your system. This is complementary to 3.12.3 but distinct: assessments are scheduled, structured evaluations of control effectiveness. Continuous monitoring is the ongoing activity between assessments that keeps you from finding out controls have drifted only when the assessor arrives.

RA.L2-3.11.2 — Scan for vulnerabilities periodically and when new vulnerabilities are identified. Vulnerability scanning is a core component of any continuous monitoring program. It feeds your risk picture and drives your remediation priorities.

SI.L2-3.14.1 — Identify, report, and correct system flaws in a timely manner. Patch management is the remediation side of vulnerability monitoring. Finding vulnerabilities through scanning (RA.L2-3.11.2) and fixing them in a defined timeframe (SI.L2-3.14.1) together constitute a functional monitoring and remediation cycle.

These controls work together. You can't satisfy any one of them in isolation.

What to Monitor

A monitoring program for a CMMC Level 2 environment covers five areas:

1. Vulnerability Scanning

Every CUI system needs regular vulnerability scanning. The minimum cadence is quarterly, but monthly is better and some organizations run continuous scanning using agents on each endpoint.

Tools: Tenable Nessus, Qualys, or Rapid7 InsightVM are the common choices. Nessus Professional runs around $3,000–$4,000/year for a single scanner license, which covers most small contractor environments. Cloud-based options like Qualys scale better for distributed environments.

After each scan, you should have documented results and a remediation tracking process. Critical vulnerabilities affecting CUI systems: remediate within 30 days. High severity: 60 days. Medium: 90 days. These timelines aren't in CMMC directly, but they're the benchmarks assessors reference from NIST guidance and government sector practice. Define your own timelines in your security policy — then actually meet them. An assessor who sees you have a policy that says 30 days for critical vulnerabilities and a scan report showing a 90-day-old critical finding will call that a not-met.
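The remediation check described above, written out as an added example (it is not a tool the article describes, and it is not output from Nessus, Qualys or any other scanner). It assumes a simplified CSV export with columns host, finding, severity, first_seen and status; the 30/60/90-day deadlines are the ones the article gives, and the scan rows are constructed sample data. The point of the script is the assessor's test: an open critical finding older than the policy deadline is flagged, regardless of how the scan report itself presents it.

```python
"""Check open vulnerability findings against policy remediation timelines.

Added example for this article, not a tool the page describes. It assumes a
simplified scan export with columns host, finding, severity, first_seen
(ISO date) and status; real scanners export more fields, but the check is
the same. Timelines are the 30/60/90-day benchmarks from the article.
"""
import csv
import io
from datetime import date

# Remediation deadline in days per severity, as written in the security policy.
REMEDIATION_DAYS = {"critical": 30, "high": 60, "medium": 90}

# Constructed sample export; not output from any real scanner.
SAMPLE_SCAN_CSV = """host,finding,severity,first_seen,status
cui-fs-01,outdated-tls-library,critical,2024-01-05,open
cui-ws-07,missing-os-patch,high,2024-02-20,open
cui-ws-03,weak-cipher-suite,medium,2024-03-01,open
cui-ws-03,info-banner,low,2024-03-01,open
cui-fs-01,old-kernel,critical,2023-12-01,fixed
"""


def parse_findings(text):
    """Parse a CSV export into a list of dicts, one per finding."""
    return list(csv.DictReader(io.StringIO(text)))


def _as_date(value):
    """Accept either a date or an ISO-format string for the review date."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def remediation_status(findings, today, policy=REMEDIATION_DAYS):
    """Annotate each open finding with its age and days left before its deadline.

    A negative days_remaining means the finding is overdue. Findings whose
    severity has no policy deadline (low, informational) are skipped.
    """
    today = _as_date(today)
    rows = []
    for f in findings:
        if f["status"].lower() != "open":
            continue
        severity = f["severity"].lower()
        if severity not in policy:
            continue
        age = (today - date.fromisoformat(f["first_seen"])).days
        rows.append({
            "host": f["host"],
            "finding": f["finding"],
            "severity": severity,
            "age_days": age,
            "days_remaining": policy[severity] - age,
        })
    return rows


def overdue_findings(findings, today, policy=REMEDIATION_DAYS):
    """Return only the open findings that have exceeded their policy deadline."""
    return [r for r in remediation_status(findings, today, policy)
            if r["days_remaining"] < 0]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_SCAN_CSV)
    for row in overdue_findings(findings, "2024-04-01"):
        print(f"OVERDUE {row['severity']:8} {row['host']:10} {row['finding']} "
              f"({-row['days_remaining']} days past deadline)")
```

Run against the sample data on 2024-04-01, the script reports one overdue item: the critical finding on cui-fs-01, 87 days old against a 30-day deadline. The high and medium findings are still inside their windows, which is exactly the distinction the policy needs to make visible before the assessor does.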

2. Configuration Monitoring

System configurations drift. An engineer makes a quick change to a firewall rule and doesn't document it. A Windows update modifies a Group Policy setting. An admin adds a service account without going through change control.

Configuration monitoring means comparing your actual system configurations against your documented baselines (required under CM.L2-3.4.1) and flagging deviations. Tools that help: endpoint management platforms like Microsoft Intune or JAMF run compliance checks against your security baseline. Some SIEM platforms have configuration drift detection. At minimum, run a scheduled comparison of critical configuration settings — firewall rules, MFA enforcement status, endpoint protection deployment — monthly.

Keep a log of deviations found and remediated. That log is evidence for your assessor that configuration monitoring is operational.
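A minimal version of the monthly comparison and deviation log described above, as an added example rather than code from the article or from Intune, JAMF or any SIEM. The baseline and the collected snapshot are constructed dictionaries; in practice the snapshot would come from an endpoint management export or a script that queries each host. The settings checked are the ones the article calls critical: firewall defaults, MFA enforcement, endpoint protection deployment.

```python
"""Compare collected configuration settings against a documented baseline.

Added example for this article, not a tool the page describes. The baseline
and the collected snapshot are constructed sample data; in practice the
snapshot would come from an endpoint management export or a script that
queries each host.
"""

# Documented secure baseline for each CUI system (constructed).
BASELINE = {
    "cui-fs-01": {"mfa_enforced": True, "edr_agent": "installed",
                  "fw_inbound_default": "deny", "smb1": "disabled"},
    "cui-ws-07": {"mfa_enforced": True, "edr_agent": "installed",
                  "fw_inbound_default": "deny", "smb1": "disabled"},
}

# Snapshot collected this month (constructed). cui-ws-07 has drifted on two
# settings, and cui-ws-09 reports in without ever being added to the baseline.
SNAPSHOT = {
    "cui-fs-01": {"mfa_enforced": True, "edr_agent": "installed",
                  "fw_inbound_default": "deny", "smb1": "disabled"},
    "cui-ws-07": {"mfa_enforced": False, "edr_agent": "installed",
                  "fw_inbound_default": "allow", "smb1": "disabled"},
    "cui-ws-09": {"mfa_enforced": True, "edr_agent": "missing",
                  "fw_inbound_default": "deny", "smb1": "disabled"},
}


def find_drift(baseline, snapshot):
    """Return one record per deviation between baseline and observed settings."""
    deviations = []
    for host, expected in baseline.items():
        observed = snapshot.get(host)
        if observed is None:
            # A baselined host that did not report is itself a finding.
            deviations.append({"host": host, "setting": "(host)",
                               "expected": "reporting", "observed": "no data"})
            continue
        for setting, want in expected.items():
            got = observed.get(setting, "unset")
            if got != want:
                deviations.append({"host": host, "setting": setting,
                                   "expected": want, "observed": got})
    # A host that reports in but has no baseline is in scope but outside
    # change control, so it is recorded as a deviation too.
    for host in snapshot:
        if host not in baseline:
            deviations.append({"host": host, "setting": "(host)",
                               "expected": "in baseline", "observed": "unmanaged"})
    return deviations


def record_deviations(log, deviations, checked_on, reviewer):
    """Append this check's findings to the deviation log kept as assessor evidence.

    Every entry starts as 'open'; closing it is a separate, documented step,
    so the log shows both that drift was found and that it was remediated.
    """
    for d in deviations:
        log.append({"checked_on": checked_on, "reviewer": reviewer,
                    **d, "status": "open"})
    return log


if __name__ == "__main__":
    log = record_deviations([], find_drift(BASELINE, SNAPSHOT), "2024-03-01", "jdoe")
    for entry in log:
        print(entry)
```

Against the sample snapshot the check produces three entries: MFA disabled and an inbound firewall default of allow on cui-ws-07, plus an unmanaged cui-ws-09. The unmanaged-host case is worth keeping in the logic; a system that reaches the CUI environment without a baseline is the change-control failure the section opens with.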

3. Log Review and SIEM Alerting

Audit logging is required under the AU domain (AU.L2-3.3.1 through AU.L2-3.3.9). But collecting logs isn't monitoring — reviewing them is.

Effective log monitoring has two components:

Automated alerting: Your SIEM (Microsoft Sentinel, Splunk, Elastic/ELK) should have configured alert rules that fire on security-relevant events: multiple failed login attempts, login from an unusual geographic location, access to CUI file shares outside business hours, changes to security group membership, firewall rule modifications. Alerts go to someone who acts on them.

Regular log review: Beyond automated alerts, someone should be reviewing logs on a scheduled basis — weekly at minimum for high-value sources (authentication logs, privileged access logs, security event logs for CUI systems). Document when you reviewed and what you found. A log review with zero findings documented is fine. A log review that nobody can remember doing is a finding.
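Three of the alert rules listed above, run over sample events, as an added example that is not from the article and not a rule set from Sentinel, Splunk or Elastic. The event format (a timestamp followed by key=value fields) and the log lines are constructed, and the business-hours window of 07:00 to 19:00 UTC and the five-failures-in-ten-minutes threshold are assumed values; a real deployment expresses the same logic in the SIEM's own rule language, and the thresholds belong in the security policy.

```python
"""Run a few alert rules over sample authentication and file-share events.

Added example for this article, not a rule set from any SIEM product. The
event format (space-separated key=value fields after a timestamp) and the
log lines are constructed. The three rules correspond to events the article
lists: failed-login bursts, CUI share access outside business hours, and
changes to security group membership.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed business hours (UTC) and failed-login threshold; set these in policy.
BUSINESS_START, BUSINESS_END = 7, 19
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed sample events, not from a real system.
SAMPLE_LOG = """\
2024-03-15T02:14:05Z type=auth user=jdoe result=fail src=203.0.113.5
2024-03-15T02:14:09Z type=auth user=jdoe result=fail src=203.0.113.5
2024-03-15T02:14:13Z type=auth user=jdoe result=fail src=203.0.113.5
2024-03-15T02:14:18Z type=auth user=jdoe result=fail src=203.0.113.5
2024-03-15T02:14:22Z type=auth user=jdoe result=fail src=203.0.113.5
2024-03-15T02:15:01Z type=auth user=jdoe result=success src=203.0.113.5
2024-03-15T02:16:40Z type=share user=jdoe share=CUI-Projects action=read host=cui-fs-01
2024-03-15T09:30:00Z type=share user=asmith share=CUI-Projects action=read host=cui-fs-01
2024-03-15T10:02:11Z type=auth user=asmith result=fail src=10.0.0.12
2024-03-15T11:45:30Z type=group user=admin-t group=Domain-Admins action=add member=jdoe
"""


def parse_events(text):
    """Parse each line into a dict of fields with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def rule_failed_login_burst(events):
    """Alert once per user when failures inside the window reach the threshold."""
    alerts, fired = [], set()
    recent = defaultdict(list)
    for ev in events:
        if ev.get("type") != "auth" or ev.get("result") != "fail":
            continue
        user = ev["user"]
        # Keep only failures still inside the sliding window for this user.
        window = [t for t in recent[user] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
        window.append(ev["ts"])
        recent[user] = window
        if len(window) >= FAILED_LOGIN_THRESHOLD and user not in fired:
            fired.add(user)
            alerts.append({"rule": "failed_login_burst", "user": user,
                           "ts": ev["ts"], "src": ev.get("src")})
    return alerts


def rule_after_hours_cui_access(events):
    """Alert on any CUI share access outside the assumed business hours."""
    return [{"rule": "after_hours_cui_access", "user": ev["user"],
             "ts": ev["ts"], "share": ev["share"]}
            for ev in events
            if ev.get("type") == "share" and ev.get("share", "").startswith("CUI")
            and not BUSINESS_START <= ev["ts"].hour < BUSINESS_END]


def rule_security_group_change(events):
    """Alert on every security group membership change; each one gets reviewed."""
    return [{"rule": "security_group_change", "actor": ev["user"],
             "ts": ev["ts"], "group": ev["group"], "member": ev.get("member")}
            for ev in events if ev.get("type") == "group"]


def run_rules(text):
    """Parse the log and run all rules; returns the combined alert list."""
    events = parse_events(text)
    return (rule_failed_login_burst(events)
            + rule_after_hours_cui_access(events)
            + rule_security_group_change(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields three alerts: the burst of failed logins for jdoe at 02:14, the same account reading a CUI share two minutes later at 02:16, and an addition to Domain-Admins later that morning. The single failure for asmith at 10:02 and the in-hours share access do not fire, which is the signal-to-noise balance a weekly human review depends on: the automated rules surface the sequence worth investigating, and the review record documents what was concluded about it.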

If you don't have the internal capacity for regular log review, this is the most common reason defense contractors engage an MSSP. Managed detection and response (MDR) services provide 24/7 log monitoring and alerting. Pricing for small contractors typically starts around $2,000–$5,000/month.

4. Access Reviews

Access control drift is as common as configuration drift. Someone gets a project role that requires temporary elevated access, the project ends, but nobody removes the elevated access. A terminated employee's account isn't disabled for two weeks. A contractor account isn't removed after the engagement closes.

Access reviews should run quarterly for CUI systems. The review covers: active user accounts vs. current employee and contractor roster, privileged account inventory vs. authorized privileged users, service account inventory and justification for each account. This is primarily a manual process, but directory platforms (Azure AD, Okta) have built-in access review workflows that make the evidence collection straightforward.
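The three comparisons listed above, reconciled in code as an added example; this is not a workflow from Azure AD or Okta, and the directory export, roster and authorization lists are constructed sample data. In practice the account list comes from an identity-platform export and the roster from HR, and the result dictionary is the record you keep from each quarterly review.

```python
"""Quarterly access review: reconcile accounts against authorized lists.

Added example for this article, not a workflow from any directory platform.
The directory export, HR roster and authorization lists are constructed.
It produces the three comparisons the article lists: active accounts vs.
current roster, privileged accounts vs. authorized privileged users, and
service accounts lacking a documented justification.
"""

# Constructed directory export: account name -> attributes.
DIRECTORY = {
    "jdoe":       {"enabled": True, "type": "user",    "groups": ["CUI-Users"]},
    "asmith":     {"enabled": True, "type": "user",    "groups": ["CUI-Users", "Domain-Admins"]},
    "bwong":      {"enabled": True, "type": "user",    "groups": ["CUI-Users"]},  # left the company
    "ctemp":      {"enabled": True, "type": "user",    "groups": ["CUI-Users", "Domain-Admins"]},  # contractor, still elevated
    "svc-backup": {"enabled": True, "type": "service", "groups": ["Backup-Operators"]},
    "svc-legacy": {"enabled": True, "type": "service", "groups": ["CUI-Users"]},
}

# Constructed HR/contract roster and authorization records.
CURRENT_ROSTER = {"jdoe", "asmith", "ctemp"}
AUTHORIZED_PRIVILEGED = {"asmith"}
PRIVILEGED_GROUPS = {"Domain-Admins", "Backup-Operators"}
SERVICE_ACCOUNT_JUSTIFICATIONS = {
    "svc-backup": "Nightly backups of cui-fs-01; owner: IT operations",
}


def orphaned_accounts(directory, roster):
    """Enabled user accounts with no matching person on the current roster."""
    return sorted(acct for acct, a in directory.items()
                  if a["type"] == "user" and a["enabled"] and acct not in roster)


def unauthorized_privileged(directory, authorized, priv_groups=PRIVILEGED_GROUPS):
    """Enabled user accounts in a privileged group but not on the authorized list."""
    return sorted(acct for acct, a in directory.items()
                  if a["type"] == "user" and a["enabled"]
                  and set(a["groups"]) & priv_groups and acct not in authorized)


def unjustified_service_accounts(directory, justifications):
    """Service accounts with no documented owner or justification."""
    return sorted(acct for acct, a in directory.items()
                  if a["type"] == "service" and acct not in justifications)


def access_review(directory, roster, authorized, justifications):
    """Run all three checks; the returned dict is the record kept for the assessor."""
    return {
        "orphaned_accounts": orphaned_accounts(directory, roster),
        "unauthorized_privileged": unauthorized_privileged(directory, authorized),
        "unjustified_service_accounts": unjustified_service_accounts(directory, justifications),
    }


if __name__ == "__main__":
    for check, accounts in access_review(DIRECTORY, CURRENT_ROSTER, AUTHORIZED_PRIVILEGED,
                                         SERVICE_ACCOUNT_JUSTIFICATIONS).items():
        print(f"{check}: {accounts or 'none'}")
```

With the sample data the review flags bwong (enabled but no longer on the roster), ctemp (a contractor still in Domain-Admins without authorization) and svc-legacy (a service account nobody has justified). Those are the three drift patterns the section describes, and an empty result on a real directory every quarter would itself be worth questioning.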

5. Incident and Alert Tracking

Your monitoring program generates events — alerts, anomalies, policy violations, access review findings. Track all of them in a centralized log. Even findings you investigate and close as benign should be documented. Your incident log is evidence that your monitoring is operational and that you're acting on what you find.

Document each entry with: date, description, severity, investigation steps, outcome, and disposition. Use a simple ticketing system — Jira, ServiceNow, or a dedicated incident management tool. A spreadsheet works for organizations with minimal alert volume, but it breaks down quickly as the program matures.

Decision Point: Manual vs. Automated

Small defense contractors often ask whether they need automated monitoring tools or whether periodic manual review is sufficient.

The answer depends on your environment size and the alerting requirements:

Automated monitoring is necessary if: you have more than 20 systems in your CUI environment, you have users working remotely accessing CUI, or you can't dedicate 10+ hours per week to manual log review. Automated tools catch things that manual review misses and provide continuous coverage — if an account is compromised at 11 p.m. on a Friday, your SIEM fires an alert. Your manual weekly review catches it Monday morning. The difference matters.

Structured manual review can work if: your CUI environment is small (under 10 systems, single location), your user population is minimal (under 10 users), and you have someone consistently performing and documenting the reviews. "Manual" here doesn't mean informal — it means structured, scheduled, and documented.

Most organizations end up with a hybrid: automated vulnerability scanning and SIEM alerting for technical controls, manual processes for access reviews and configuration audits.

Common Mistake: The Annual Compliance Model

The failure mode here is treating CMMC compliance like an annual event: get compliant for the assessment, then let things drift until the next assessment cycle. Under this model, organizations have a clean SSP and strong control documentation at assessment time — and a degraded environment 18 months later.

This creates two problems. First, your actual security posture degrades. Second, when you submit your annual affirmation under 32 CFR Part 170, you're affirming that your score hasn't declined from your last assessment. If your monitoring program has lapsed and your environment has drifted, you may be filing an inaccurate affirmation — which creates False Claims Act exposure.

Continuous monitoring is the mechanism that makes annual affirmations accurate. If you're running quarterly vulnerability scans, monthly configuration checks, and weekly log reviews, your annual affirmation reflects a program you can actually stand behind.

The practical fix: build monitoring activities into your security calendar at the start of each year. Vulnerability scans: first week of each quarter. Access reviews: last week of each quarter. Log review: weekly, assigned to a specific person. Annual control assessment: scheduled in Q4 to inform your affirmation. Then keep the records that show you did it.

What Your Assessor Expects

For CA.L2-3.12.3, your assessor will ask how you monitor security controls on an ongoing basis. They want to see evidence of a structured monitoring program — not just a description of what you intend to do.

Bring to your assessment:

  • Vulnerability scan reports from the past 12 months (at least four if you scan quarterly, more if you scan more often)
  • Remediation tracking records showing vulnerabilities were addressed within your defined timelines
  • Log review records or SIEM alert logs showing regular review activity
  • Access review documentation from the past year (quarterly reviews, ideally)
  • Configuration monitoring evidence — comparison reports or compliance check results
  • Your incident/alert log showing all events and their dispositions

The assessor is testing whether your monitoring is real and operational, not whether it's perfect. They expect to see some findings in your logs — that's what a functional monitoring program produces. What they don't expect is pristine documentation with zero findings, which usually indicates either an inactive program or a program that's only generating paper.

A monitoring program that finds issues and fixes them is better evidence of CMMC compliance than a monitoring program that never finds anything.

---

Pull your last four vulnerability scan reports. If you don't have four, your scanning cadence isn't meeting the quarterly minimum. Schedule your next scan and put the quarterly cadence on the calendar now.