Continuous Monitoring
Ongoing Changes to the Continuous Monitoring Process
OMB Memorandum M-24-15 mandated changes to the continuous monitoring process for cloud services that will impact all agencies. FedRAMP is working to produce updated agency processes to meet these statutory and policy requirements and support agency adoption. If a cloud service provider has been approved to adopt one of the modernized processes, agencies will have a different, easier experience with those providers. Currently, these new processes are optional for providers, to encourage gradual and intentional adoption.
These new processes are developed for FedRAMP 20x and applied to Rev5 via a Balance Improvement Release process. You can read more about Balance Improvement Releases here.
Throughout the Authorization phase, CSPs are required to maintain the system, which includes performing ConMon activities. The CSP's ability to demonstrate a mature ConMon process is one of the areas evaluated during the 3PAO's assessment and during the federal agency and FedRAMP's review of the authorization package. Failure to demonstrate a mature ConMon process will prevent or delay a FedRAMP Authorized designation.
Once the Authorization phase is complete and the CSO achieves a FedRAMP Authorized designation, the CSP:
- Continuously monitors the security posture of the CSO.
- Provides federal agencies with information needed to make risk-based decisions about the ongoing authorization of the CSO.
The CSP is responsible for implementing the ConMon processes and tools to maintain an acceptable security posture. Each federal agency that issues an ATO for a CSO is responsible for reviewing the CSP's ConMon activities to ensure the security posture remains sufficient for its own use and supports an ongoing authorization. This includes reviewing the monthly POA&M, approving deviation requests/significant changes, and reviewing the results of the annual assessment.
These activities are described in the FedRAMP Continuous Monitoring Playbook. Please refer to this document for a more in-depth overview of these activities.
Collaborative ConMon
CSPs with more than one federal agency customer are required to implement a collaborative ConMon approach, intended to streamline the ConMon process and potentially minimize duplicative effort in a way that still lets each federal agency perform its own due diligence related to ConMon. This approach is described in the FedRAMP Continuous Monitoring Playbook. Collaborative ConMon benefits federal agencies by allowing them to share responsibility for ConMon oversight, and it benefits the CSP by creating a central forum for addressing questions and achieving consensus on deviation requests, significant change requests, and the annual assessment, rather than having to coordinate with each federal agency separately.
ConMon Best Practices
- Authorization Planning: Start talking to the CSP about ConMon early in the process, especially if you have ConMon requirements that exceed FedRAMP's requirements. If you do, you should make the CSP aware of those requirements before authorizing the system.
- Continuous Monitoring: Ask the CSP to hold a monthly ConMon meeting. As additional federal agency customers begin using the CSO, ask the CSP to hold a monthly collaborative ConMon meeting.
  - The meeting should be held at least one week after the monthly ConMon deliverables are submitted. This gives the federal agency team time to review the deliverables and come to the meeting ready with questions and recommendations for approval of deviation requests or significant change requests.
  - A monthly ConMon meeting agenda might include:
    - Discussion of past-due POA&Ms.
    - Deviation requests pending approval.
    - Significant change requests (i.e., planned changes, changes pending approval, and the status of implementation and testing).
    - Status of the annual assessment.
- Continuous Monitoring Accountability: Think about how you will hold the CSP accountable for meeting ConMon requirements. The Performance Management section of the FedRAMP Continuous Monitoring Playbook provides recommended actions the agency AO may take when a FedRAMP Authorized CSP fails to maintain an adequate ConMon capability.