Continuous monitoring is an important FedRAMP requirement. To achieve and maintain authorization, cloud service providers must implement FedRAMP’s continuous monitoring framework (often referred to as ConMon) based on the National Institute of Standards and Technology (NIST) special publication 800-137.
One of the biggest reasons ConMon is required is the inevitable migration of more and more data to digital. This includes sensitive data such as personally identifiable information (PII) and protected health information (PHI).
To protect themselves and their customers, organizations are required by government agencies around the world to continuously monitor their systems for potential threats and to ensure the ongoing effectiveness of implemented security controls.
This article will cover the basic principles of ConMon as well as the steps to cover some of the challenging requirements to meet FedRAMP authority to operate (ATO).
A basic description of ConMon is that it helps ensure the confidentiality, integrity, and availability of data on a constant basis by providing real-time information about the organization’s security posture.
An effective ConMon program works to accomplish the following:
Collects, correlates, and analyzes security-related information while providing information on any threats in the environment
Assesses all security controls
Provides actionable communication of security status across the organization
Integrates information security and risk management frameworks
Continuous Monitoring Basics:
In today’s cybersecurity environment, basic security controls, such as firewalls and antivirus software, are no longer enough to protect an organization against sophisticated attacks.
Many organizations are constantly changing their network and security architecture, making it even more critical to implement ConMon capabilities.
ConMon involves regularly assessing and analyzing an organization’s security posture, identifying potential risks, and implementing necessary controls and countermeasures.
The objective is to implement a FedRAMP baseline strategy where the organization can maintain a consistent level of security, sufficient to protect their network and remain compliant with the stringent security standards set forth by NIST/FedRAMP before the organization goes through the approval process.
Appropriate software and technology must be implemented to an organization’s ConMon solution to achieve FedRAMP compliance.
ConMon tools should cover the following elements:
Risk Management: Continuously assessing risks associated with the organization’s systems, data, and processes.
Security Control Monitoring: Regularly evaluating the effectiveness of implemented security controls and ensuring their proper configuration and operation.
Vulnerability and Patch Management: Proactively identifying and addressing vulnerabilities in systems and applications, and promptly applying necessary patches and updates.
Incident Response: Establishing robust incident response processes to detect, analyze, and respond to security incidents in a timely and effective manner. FedRAMP authorization process requires the organization to demonstrate that they are able to adequately respond to security incidents and follow/maintain their incident response plan. Details on incident communication guidelines and reporting requirements can be found on the FedRAMP website here – FedRAMP Incident Communication Procedures.
Continuous Improvement: Regularly reviewing and updating security policies, procedures, and controls based on evolving threats, vulnerabilities, and best practices.
Achieving FedRAMP Compliance Through Effective Continuous Monitoring
Keeping up with FedRAMP standards can be a challenge for organizations seeking compliance.
As explained, ConMon is an important requirement in the FedRAMP authorization package, and it may be the one element that your organization is missing.
ConMon requirements specify different monitoring controls and frequencies, based on FedRAMP-defined risk levels, covering areas like configuration management, vulnerability scanning, security information and event management (SIEM), and incident response.
To comply with FedRAMP ConMon requirements, organizations should set up a system to proactively identify and address potential security risks, vulnerabilities, and threats across their network.
Setting up Continuous Monitoring for a FedRAMP Readiness Assessment:
To effectively prepare for a FedRAMP readiness assessment, organizations must establish a comprehensive program, requiring time, resources, and effort.
A Successful FedRAMP ConMon program has the following factors in place:
Continuous Monitoring Team: Assemble a dedicated team responsible for implementing and managing the program. This team should include representatives from various domains, such as security, IT operations, risk management, and compliance. Once the necessary tools are in place, the organization will need a team of security professionals consistently monitoring dashboards and making sure the proper alerts are configured. FedRAMP’s Collaborative ConMon Quick Guide provides details on the collaborative ConMon approach for cloud service providers, including charters, meeting agendas, and other specific instructions and requirements.
Defined Monitoring Requirements: Identify the specific security controls, systems, and data that require ConMon based on FedRAMP requirements and the organization’s risk profile. This includes determining monitoring frequencies, thresholds, and reporting mechanisms. All reporting guidelines must be documented, actively updated, and followed in accordance with the latest laws and regulations.
Security Information and Event Management (SIEM): Deploy a SIEM solution to collect, aggregate, and analyze security-related log data from various sources, including firewalls, intrusion detection/prevention systems (IDS/IPS), servers, and applications. The SIEM will enable real-time monitoring, correlation, and alerting of potential security incidents. Once the SIEM is implemented, the ConMon team needs to ensure that the proper team members are notified of security alerts. Regular meetings are recommended to review SIEM logs and network activity.
Vulnerability Scanning and Management: Implement a vulnerability scanning and management solution to identify and prioritize vulnerabilities in systems and applications. This should include automated scanning, patch management, and remediation processes to promptly address identified vulnerabilities. Details on FedRAMP guidance / requirements for vulnerability scanning can be found on their website, which is linked here.
Configuration Management: Implement configuration management processes to monitor and maintain an accurate inventory of hardware and software assets, as well as their configurations. This ensures that any unauthorized changes or deviations from approved baselines are detected and addressed promptly.
Conduct Regular Security Assessments: Perform periodic assessments, such as penetration testing, risk assessments, and compliance audits, to evaluate the effectiveness of the continuous monitoring program and identify potential gaps or areas for improvement. FedRAMP guidance on penetration testing and vulnerability scanning can be found on their website here – FedRAMP Penetration Test Guidance | FedRAMP Vulnerability Scanning Requirements.
Foster Continuous Improvement: Regularly review and update the continuous monitoring program based on lessons learned, evolving threats, and changes in FedRAMP requirements. Encourage feedback and collaboration from all stakeholders to identify areas for improvement and implement necessary adjustments.
Establish Reporting and Compliance Tracking: Implement mechanisms for reporting and tracking compliance with FedRAMP requirements. This includes generating regular reports, dashboards, and metrics to demonstrate the organization’s security posture and adherence to the continuous monitoring program. An important part of regular reporting includes a Plan of Action and Milestones (POA&M) which is explained more in the next section.
POA&M and ConMon
In the context of FedRAMP, a POA&M is a detailed plan that outlines the actions and milestones necessary to address identified security risks, vulnerabilities, or deficiencies within a specific timeframe.
POA&Ms are required for both the initial authorization and the continuous monitoring phases of the FedRAMP process. During initial FedRAMP assessments and authorization phases, a CSP must develop a POA&M to address any security control weaknesses or deficiencies identified during the security assessment. The POA&M includes a description of each weakness, the proposed remediation actions, the responsible parties, and the planned completion dates for each action.
Continuous monitoring is an ongoing process that ensures the CSP maintains compliance with FedRAMP security requirements and effectively manages security risks over time.
When new ConMon risks or vulnerabilities are identified, the CSP must update their POA&M with appropriate remediation actions and milestones.
The POA&M serves as a living document that is regularly reviewed and updated throughout the ConMon phase. CSPs must provide regular updates of their POA&M to the FedRAMP Program Management Office (PMO) and the authorizing agency, demonstrating their progress in addressing identified risks and vulnerabilities.
Effective management of POA&Ms is crucial for maintaining FedRAMP compliance and ensuring the ongoing security and resilience of cloud services used by federal agencies. By continuously identifying, assessing, and mitigating security risks through POA&Ms, CSPs can demonstrate their commitment to security and foster trust in their cloud offerings within the federal government.
FedRAMP has a POA&M Excel sheet template available on their website, which provides a structured framework for tracking risk mitigation relating to system vulnerabilities and deficiencies.
Supporting Documentation for a Successful ConMon Program
According to FedRAMP guidelines, organizations must develop and maintain comprehensive documentation to demonstrate their adherence to continuous monitoring requirements.
Organizations also need to have a continuous monitoring plan and procedures in place to document the components of their ConMon program. Proper documentation plays a crucial role in ensuring the effectiveness and auditability of the program.
A ConMon plan should be included in the organization’s system security plan and provide information on the following:
Monitoring Strategy: Outline the organization’s approach to continuous monitoring, including the scope, objectives, and overall methodology.
Monitoring Requirements: A detailed description of all the security controls, systems, and data that require continuous monitoring, as well as the monitoring frequencies and thresholds.
Monitoring Processes and Procedures: Processes and procedures for conducting various continuous monitoring activities, such as vulnerability scanning, log analysis, configuration management, and incident response.
Reporting and Compliance Tracking: Mechanisms for generating reports, dashboards, and metrics to demonstrate compliance with FedRAMP requirements and the organization’s security posture.
Continuous Improvement: Processes for regularly reviewing and updating the continuous monitoring program based on lessons learned, evolving threats, and changes in FedRAMP requirements.
Roles and Responsibilities: Clearly define roles and responsibilities for personnel involved in the continuous monitoring program, such as security analysts, system administrators, and incident response teams. Third party assessment organizations also have a large role in most ConMon programs attempting the FedRAMP security authorization process. Some external roles and responsibilities which come into play are explained below.
External FedRAMP ConMon Roles & Responsibilities
Agency Authorizing Official (AO) – Agency AOs oversee organization’s ConMon activities, any significant changes in the system, as well as reporting artifacts such as vulnerability scan reports, and POA&Ms. AO’s collect this information to make decisions about ongoing authorization.
FedRAMP Joint Authorization Board (JAB) – Reviews the system’s ConMon program on a regular basis. The JAB authorization process ensures that reporting is completed on a regular basis and can authorize or revokes a system’s authority to operate as necessary.
FedRAMP Program Management Office (PMO) – Acts as a liaison for the JAB provisional authority to ensure systems are strictly adhering to their established ConMon plan. The PMO receives ConMon and significant change reports on behalf of the JAB.
Third Party Assessment Organization (3PAO) – Responsible for verifying and validating the control implementation in the ConMon phase of the FedRAMP authorization process. 3PAOs must be able to confirm the integrity of data provided by the organization.
For more details on the responsibilities of these roles and a more thorough breakdown of ongoing ConMon authorization requirements, including JAB performance management please review FedRAMP’s Continuous Monitoring Performance Management Guide.
FedRAMP also requires organizations to maintain records providing updated evidence of their continuous monitoring efforts, including but not limited to the following:
Vulnerability Management: Records of vulnerability scans, identified vulnerabilities, risk assessments, and remediation efforts, including patch management activities.
Configuration Management: An up-to-date inventory of hardware and software assets, as well as documentation of approved configurations and any deviations from established baselines.
Security Information and Event Management (SIEM): Logs and reports from SIEM solutions, including security event correlation, analysis, and incident response activities.
Incident Response: Detailed records of security incidents, including incident reports, root cause analyses, and lessons learned.
Assessment and Audit Reports: Results of periodic security assessments, penetration tests, and compliance audits conducted by internal or external auditors.
Policy and Procedure Updates: Documentation of any updates or revisions made to security policies and procedures based on the continuous monitoring program’s findings.
To assist organizations going through the process, FedRAMP provides a Continuous Monitoring Deliverables template on their website. This template provides instructions on maintaining these records along with AO submission instructions and further breakdown of the specific deliverables required in the authorization process. Activity frequency requirement, descriptions, and references to the specific FedRAMP control IDs are also listed in this template.
To ensure the effectiveness and auditability of the continuous monitoring program, organizations should consistently maintain Documentation including any changes in processes, tools, or personnel.
All documentation should include version control so all changes can be tracked over time. Secure storage mechanisms must also be in place, along with proper access control, to ensure only authorized personnel can access and update ConMon documentation.
By maintaining comprehensive and accurate documentation, organizations can demonstrate their FedRAMP compliance with ConMon requirements and provide auditors with the necessary evidence to validate their security posture. Additionally, well-documented processes and procedures support knowledge transfer, training, and consistent implementation of the continuous monitoring program over time across the organization.
Embrace Continuous Monitoring
Achieving and maintaining FedRAMP security compliance is an ongoing process that requires a proactive and comprehensive approach to continuous monitoring.
If your organization does not have already have robust continuous monitoring capabilities, the initial readiness assessment process will require some effort to make sure that all bases are covered, but, once the program is in place, the organization will benefit from improved visibility into its own systems, compliance with ongoing FedRAMP ConMon requirements, and overall peace of mind. Effective continuous monitoring practices are integral to keeping organizations ahead of emerging threats, to identifying and mitigating risks in a timely manner, and to protecting federal government data. Organizations should embrace continuous monitoring not only because FedRAMP compliance requires it, but also to contribute to an effective security posture, fostering trust and confidence among stakeholders and customers.
