Departments may need to update their implemented security controls for various reasons, including when
there is:
• A change in departmental missions or objectives;
• A change in a departmental business activity (e.g., collection of new, more sensitive information
under an existing departmental program);
• A change in business needs for security (e.g., as a result of legislative or policy changes);
• A requirement for change as a result of a departmental threat assessment update. (i.e., a program
is targeted by more sophisticated threat agents); and
• A requirement for change as a result of performance monitoring (e.g., a security control has
proven ineffective in adequately protecting related information systems).