Review the security status of a system (including the effectiveness of security controls) on an ongoing basis to determine whether the risk remains acceptable.