Although continuous monitoring is a step found later in the Risk Management process, please expound on why developing the monitoring strategy here would assist in the later steps of both the SDLC and the RMF.
“Continuous monitoring enables information security professionals and others to see a continuous stream of near real-time snapshots of the state of risk to their security, data, the network, endpoints, and even cloud devices and applications. Assessing security controls as well as ongoing monitoring of security controls are both directly assisted by continuous monitoring through vulnerability monitoring processes, which many organizations already have in place.”
According to the Risk Management Framework, the Monitor step is formally carried out during the Operations and Maintenance and Disposal phases of the System Development Life Cycle, but the continuous monitoring strategy and its supporting activities are defined much earlier: in RMF Step 2, Select Security Controls, which corresponds to the Initiation phase of the SDLC. Choosing the monitoring approach and tooling at this point gives the organization time to plan for approval, budgeting, documentation, and eventual disposal before the system is built. It also lets the security architect tailor the control baseline with monitoring in mind, so that every selected control has a defined way to be assessed on an ongoing basis rather than being bolted on after deployment. Decisions made here feed directly into the later steps: the assessment procedures in Step 4 reuse the same monitoring data, the authorizing official in Step 5 relies on the strategy when deciding how often the risk posture must be re-evaluated, and the Step 6 monitoring activities simply execute what was planned.
I would have to say, I sincerely doubt the Office of Personnel Management had a continuous monitoring strategy, nor did they create one after the first indication of a data breach. If they had, the situation would not have escalated to the point that it did, and tens of thousands of government workers’ personally identifiable information would still be safe.
https://www.sans.org/reading-room/whitepapers/analyst/continuous-monitoring-is-needed-35030