Continuous assessment is a process that monitors the initial security accreditation of an information system for tracking changes. What is this best described as?


Multiple Choice


Explanation:
The idea being tested is ongoing oversight of security controls to keep a system authorized as it changes. This describes continuous assessment because it focuses on continuously monitoring the information system and its security posture to ensure it remains within the approved authorization, even as hardware, software, configurations, or operators change. It isn’t just a one-time check; it tracks changes over time to maintain authorization.

The other activities are more specific tasks. Security auditing is usually a formal, periodic review of controls and records. Vulnerability scanning automatically looks for known weaknesses but doesn’t by itself maintain authorization status. Penetration testing simulates attacks to test defenses but is a targeted test, not the ongoing process of monitoring and maintaining accreditation.

