Which task establishes the organization's Continuous Monitoring Strategy?

Continuous Monitoring is the ongoing, updated assessment of security controls to maintain an authorization. The essential task here is to set up how that monitoring will be done across the organization—the planning, scope, roles, data sources, frequency, and response procedures that guide every subsequent monitoring activity. The option that explicitly creates this overarching plan at the organizational level is the one that establishes the Continuous Monitoring Strategy - Organization. It defines who does what, what data is collected, how often monitoring occurs, what thresholds trigger action, and how findings influence risk decisions across the enterprise. The other choices focus on specific outputs or steps—planning and approving a document, defining what information is collected, or reporting authorization status—not on establishing the overall approach to continuous monitoring.