Continuous monitoring updates which document?

Multiple Choice

Continuous monitoring updates which document?

Explanation:
Continuous monitoring is the ongoing verification of security controls and the system’s security posture. The Security Assessment Plan (SAP) is the document that governs how those assessments are planned and executed, including the procedures, frequencies, and scope of testing. As monitoring reveals changes in controls, new vulnerabilities, or updated risk information, the SAP is updated to reflect revised assessment activities and schedules. This keeps the assessment approach aligned with the current reality of the system and ensures ongoing, effective evaluation.

The System Security Plan describes the system and its implemented controls and is updated for configuration or design changes, but the ongoing assessment activities themselves are defined and adjusted in the Security Assessment Plan. The Plan of Action and Milestones tracks remediation efforts, not the continual assessment plan, and the Risk Assessment Report is produced from risk analyses rather than being the live target of continuous monitoring.
