Step 4: Enforcing secure configuration baselines through automated testing and remediation

To keep configurations secure throughout the useful operational life of your information systems, you must conduct adequate continuous monitoring of your information security controls.

Information systems lose their secure configurations for many reasons:

  • Updates to software may unexpectedly remove a secure configuration
  • During an update, a secure configuration may inadvertently not be applied
  • Secure configurations may be skipped during an update for convenience
  • A secure configuration may be removed for testing purposes and not reapplied, or a mitigating/compensating control may not be applied when the secure configuration is found to be causing a mission impact

In these cases, the offending configuration must be identified and repaired to ensure the continued security of the organization.
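
As an added illustration (not code from the original text), the following sketch audits a configuration file against a baseline, reports each deviation, and repairs it. The baseline, the sample file and all function names are constructed for this example; the file syntax is assumed to follow sshd_config conventions.

```python
# Added example: baseline drift audit and remediation for an sshd_config-style file.
# BASELINE and SAMPLE are constructed. Assumes no Match blocks, so a directive
# appended at the end of the file applies globally.
BASELINE = {  # directive -> required value
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}

SAMPLE = """\
# constructed config: one value changed for testing, one lost in an update
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""

def active_part(line):
    """Return [keyword, value] for an active line, [] for blanks and comments."""
    return line.split("#", 1)[0].split(None, 1)

def parse(text):
    """Map lowercased keyword -> value; the first occurrence wins, as in sshd."""
    settings = {}
    for line in text.splitlines():
        parts = active_part(line)
        if parts:
            settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text, baseline=BASELINE):
    """Return {directive: (actual, required)}; actual is None when it is missing."""
    current = parse(text)
    return {name: (current.get(name.lower()), required)
            for name, required in baseline.items()
            if (current.get(name.lower()) or "").lower() != required}

def remediate(text, baseline=BASELINE):
    """Comment out drifted lines (kept as evidence) and append the required values."""
    drift = audit(text, baseline)
    drifted = {name.lower() for name in drift}
    out = []
    for line in text.splitlines():
        parts = active_part(line)
        hit = bool(parts) and parts[0].lower() in drifted
        out.append("# drift: " + line if hit else line)
    out.extend(f"{name} {required}" for name, (_, required) in drift.items())
    return "\n".join(out) + "\n"
```

Running audit() on a schedule and after every update catches both an altered value and a directive that silently disappeared; re-running it on the output of remediate() confirms the repair.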
