M-24-15 Section VI. Continuous Monitoring

FedRAMP's continuous monitoring processes should incentivize security through agility, and should enable Federal agencies to use the most current and innovative cloud computing products and services possible. FedRAMP should seek input from CSPs and develop processes that enable CSPs to maintain an agile deployment lifecycle that does not require advance Government approval, while giving the Government the visibility and information it needs to maintain ongoing confidence in the FedRAMP-authorized system and to respond timely and appropriately to incidents.

The FedRAMP PMO, in coordination with the FedRAMP Board and CISA, is responsible for establishing a framework for continuous monitoring of cloud services and products, subject to the approval of OMB and the Department of Homeland Security (DHS). FedRAMP is encouraged to develop a framework that:

  • Prioritizes agility of development and deployment by CSPs, to support automation, the rapid development of security features in cloud products, and broader development, security, and operations (DevSecOps) practices within the cloud ecosystem;

  • Redesigns the process for overseeing changes to cloud computing products and services to one that primarily monitors the CSP's change process itself, rather than individual changes. Once a CSO is authorized, the FedRAMP process should generally empower CSPs to deploy changes and fixes at their own pace, without requiring advance approval from FedRAMP or an authorizing official for individual changes to existing FedRAMP authorized products and services;

  • Provides CISA technical data to understand risks and to detect threats to agency information and information systems;

  • Avoids promoting the division of cloud services into commercially-focused and Government-focused instances. In general, to encourage both security and agility, Federal agencies should use the same infrastructure relied on by the rest of CSPs' commercial customer base;

  • Ensures CSP incident response resilience through procedures, communication and reporting timelines, and other tools that help to protect Federal systems and information from potential attacks on cloud-based infrastructure; and

  • Facilitates regular and routine updates to the framework implementation based on the most pressing threats, policies, regulations, and guidance.

Standard Level of Continuous Monitoring

For all FedRAMP authorized products and services, the FedRAMP PMO will provide a standard level of continuous monitoring support. The FedRAMP PMO will set this standard level of monitoring support by analyzing and identifying the highest-impact controls for ensuring the security of FedRAMP products and services. It will provide recommendations for the supported monitoring levels to the FedRAMP Board for review, feedback, and approval. When finalized, the FedRAMP PMO will provide supported monitoring to all agency customers of authorized FedRAMP products and services. The monitoring data provided to agencies will support agencies in making risk determinations for authorized cloud computing products and services, including when the CSO is leveraged within another information system.

Special Reviews

The FedRAMP PMO may conduct a special review of existing FedRAMP authorizations, regardless of authorization path. The FedRAMP Board must approve the special review and establish an expedited deadline for its completion. Once approved, the FedRAMP Director will work with the FedRAMP Board to jointly convene a working group consisting of members from across the Federal Government with relevant expertise. This working group will have the specific purpose of developing processes and goals tailored to the nature and technical architecture of the CSP, and will oversee the review of the CSP's authorizations. Within the deadline established by the Board for the review, the working group will conclude its work and produce a report, which will be submitted to the FedRAMP Director and FedRAMP Board, along with any recommended changes that should be required of the CSP to maintain a FedRAMP authorization.

Emergency Directives

When the FedRAMP PMO becomes aware of significant vulnerabilities in a CSO with a FedRAMP authorization, the FedRAMP PMO will provide that information to the CSP and impacted agencies for remediation and establish escalation pathways for vulnerabilities not sufficiently addressed in a timely manner. Unresolved concerns that are not addressed in a timely manner may be noted to potential agency customers on the FedRAMP Marketplace. The FedRAMP PMO will develop and maintain procedures for responding to CISA Binding Operational and Emergency Directives (BODs) [1], in collaboration with CISA, OMB, and the FedRAMP Board.

Collaboration with CISA

To increase integrity and further trust in the FedRAMP program, FedRAMP should leverage Government-wide tools and best practices to enhance its monitoring efforts. Specifically, to the greatest extent possible, FedRAMP must ensure that it uses CISA's capabilities and shares relevant data and tools for monitoring FedRAMP's products and services.

[1] CISA's BODs may be viewed at: https://www.cisa.gov/news-events/directives.