Which statement best describes updating risk management documents based on continuous monitoring activities?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

Which statement best describes updating risk management documents based on continuous monitoring activities?

Explanation:
Continuous monitoring provides up-to-date evidence about how well security controls are working and where new risks appear. Because risk is dynamic, the information from monitoring must be reflected in the official documents that describe and manage risk—things like the system security plan, risk assessment, and the plan of actions and milestones. Updating these risk management documents keeps the authorization package accurate, shows current residual risk, and documents approved remediation steps and changes in control status. While analyzing monitoring outputs and taking appropriate actions is part of the process, the act of revising the documentation itself based on what monitoring reveals is what ties ongoing monitoring to the maintained risk posture. Disposal strategies or governance reporting are related activities but not the specific update of risk management documents driven by monitoring results.

