medium
Single Answer

Kimon is developing a continuous security monitoring strategy for his organization. Which one of the following is not normally used when determining assessment and monitoring frequency?

Answer Options

A. Threat intelligence

B. System categorization/impact level

C. Security control operational burden

D. Organizational risk tolerance

Correct Answer: C

Explanation

According to NIST SP 800-137, organizations should use factors such as security control volatility, system categorization/impact levels, security controls providing critical functions, controls with identified weaknesses, organizational risk tolerance, threat information, vulnerability information, risk assessment results, the output of monitoring strategy reviews, and reporting requirements to determine assessment and monitoring frequency. Security control operational burden is not typically used as a factor.