Continuous Monitoring

Continuous Monitoring is a core practice in any comprehensive cyber security program, especially for federal agencies and government contractors. The Office of Management and Budget (OMB) requires all federal agencies to report on the status of their information systems in near real-time as a way to reduce overall risk and maintain ongoing situational awareness, a concept it calls continuous monitoring. National Institute of Standards and Technology (NIST) SP 800-137 describes continuous monitoring as a key component of a comprehensive security plan, one that shifts the emphasis from reactive security to a more automated and proactive model.

By continuously monitoring your information systems, you will

  • Gain near real-time visibility into your physical and virtual assets.
  • Understand threats in your environment, including found vulnerabilities and misconfigurations.
  • Comply with FISMA through automated asset, configuration and vulnerability management, and assess any planned or unplanned changes that occur in your information systems.
  • Automate FISMA reporting requirements by sending the required data directly to CyberScope in a compatible format.

Continuous Monitoring encompasses three of the 16 FISMA capabilities: Automated Asset Management, Automated Configuration Management, and Automated Vulnerability Management. A continuous monitoring program satisfies the FISMA requirement for frequent security control assessments, since the U.S. government requires that federal agencies be aware of changes to their systems as they happen.

How does Rapid7 help me continuously monitor my information systems?

Both Nexpose and Metasploit provide the capabilities federal agencies need to go beyond baseline assessments and get near real-time, actionable information about their security programs.

By using Rapid7's solutions for continuous monitoring, you can focus on what really matters:

  • Use Nexpose to automate discovery and scanning of all your physical and virtual assets. While scanning your infrastructure, check for misconfigurations and for compliance with FISMA requirements such as the NIST SP 800-53 Rev. 4 controls and the NIST SP 800-137 guidelines.
  • Complete a security assessment of discovered vulnerabilities, misconfigurations and malware.
  • Flag any assets that are not configured in compliance with mandated configuration baselines such as FDCC and USGCB.
  • Prioritize issues that need urgent attention based on criteria such as the availability of a Metasploit exploit, the Real Risk score and the CVSS score.
  • Automate your workflows for report generation and distribution.
  • Generate reports within Nexpose whenever you need them: set a schedule or run them ad hoc. Set up automated CyberScope reports in Nexpose, which is SCAP validated, to make compliance with FISMA quick and painless.
  • Validate real threats in real time with Rapid7's Metasploit, which integrates with Nexpose to give you context about the status of your security program.
  • Send actionable remediation reports to your IT teams so that they can fix or mitigate key security threats.
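The bullets above describe one loop: discover assets, check them against a configuration baseline, find vulnerabilities, then prioritize what to fix. The following script is an added example, not part of the original page and not Rapid7 code, that shows the core of that loop over two constructed scan snapshots: it reports assets that appeared or disappeared since the last scan, assets that drifted out of the baseline, and newly observed vulnerabilities, ranked with exploit availability ahead of raw CVSS score. The snapshot format, the asset records, the placeholder identifiers (CVE-0000-000x), the CVSS values and the exploit flags are all constructed sample data; they are assumptions for illustration and do not represent Nexpose's data model, its output, or any real advisory.

```python
# Added example (not from the page or Rapid7): the diff-and-prioritize step of
# a continuous-monitoring loop over two scanner snapshots.
# All asset records, CVE placeholders, CVSS scores and exploit flags below are
# constructed sample data; the snapshot layout is an assumption, not Nexpose's.
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    hostname: str
    baseline_compliant: bool                   # passed mandated baseline checks (e.g. USGCB)
    vulns: dict = field(default_factory=dict)  # cve_id -> {"cvss": float, "exploit": bool}


# Constructed snapshot from the previous scan.
PREVIOUS = {
    "10.0.0.5": Asset("10.0.0.5", "web01", True,
                      {"CVE-0000-0001": {"cvss": 5.0, "exploit": True}}),
    "10.0.0.6": Asset("10.0.0.6", "db01", True),
    "10.0.0.7": Asset("10.0.0.7", "ws-legacy", True),
}

# Constructed snapshot from the current scan: one asset gone, one new and
# non-compliant asset, one asset drifted out of baseline, four new findings.
CURRENT = {
    "10.0.0.5": Asset("10.0.0.5", "web01", True,
                      {"CVE-0000-0001": {"cvss": 5.0, "exploit": True},    # already known
                       "CVE-0000-0002": {"cvss": 10.0, "exploit": True}}),  # new, exploitable
    "10.0.0.6": Asset("10.0.0.6", "db01", False,                            # config drift
                      {"CVE-0000-0003": {"cvss": 7.8, "exploit": False}}),
    "10.0.0.9": Asset("10.0.0.9", "unknown-host", False,                    # appeared since last scan
                      {"CVE-0000-0004": {"cvss": 9.8, "exploit": False},
                       "CVE-0000-0005": {"cvss": 6.5, "exploit": True}}),
}


def diff_snapshots(prev, curr):
    """Return the changes a continuous-monitoring program must surface."""
    new_assets = sorted(set(curr) - set(prev))
    removed_assets = sorted(set(prev) - set(curr))
    # Drift: was compliant last time, is not compliant now.
    config_drift = sorted(ip for ip in curr if ip in prev
                          and prev[ip].baseline_compliant
                          and not curr[ip].baseline_compliant)
    # New findings: a CVE on an asset that was not reported on that asset before.
    new_vulns = []
    for ip, asset in curr.items():
        seen = prev[ip].vulns if ip in prev else {}
        for cve, info in asset.vulns.items():
            if cve not in seen:
                new_vulns.append((ip, cve, info["cvss"], info["exploit"]))
    return {"new_assets": new_assets, "removed_assets": removed_assets,
            "config_drift": config_drift, "new_vulns": new_vulns}


def prioritize(new_vulns):
    """Rank findings: anything with a working exploit first, then by CVSS descending."""
    return sorted(new_vulns, key=lambda f: (not f[3], -f[2]))


def remediation_report(prev, curr):
    """Build the lines a remediation report would carry, in priority order."""
    changes = diff_snapshots(prev, curr)
    lines = [f"NEW ASSET (untracked): {ip}" for ip in changes["new_assets"]]
    lines += [f"ASSET GONE: {ip}" for ip in changes["removed_assets"]]
    lines += [f"CONFIG DRIFT: {ip} no longer passes baseline" for ip in changes["config_drift"]]
    for ip, cve, cvss, exploit in prioritize(changes["new_vulns"]):
        tag = "EXPLOITABLE" if exploit else "no public exploit"
        lines.append(f"NEW VULN: {ip} {cve} cvss={cvss} ({tag})")
    return lines


if __name__ == "__main__":
    for line in remediation_report(PREVIOUS, CURRENT):
        print(line)
```

The ordering in `prioritize` is the point of the example: CVE-0000-0005 (CVSS 6.5, exploit available) outranks CVE-0000-0004 (CVSS 9.8, no exploit), which is the kind of context the page says a Metasploit integration adds to a plain scanner score. A real program would also persist each snapshot so that the "previous" side is never lost and would check that the scan itself completed, since a diff against an empty or truncated scan reports every asset as gone.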

Nexpose Enterprise Trial

Use Nexpose Enterprise for continuous monitoring and compliance


Continuous Monitoring Webcast

How to adapt continuous monitoring and exercise real-time control


FISMA Compliance Guide

Learn the requirements and steps in becoming FISMA compliant
