Continuous Monitoring

FedRAMP Authorized? Excellent. Get Ready for the Hard Part.

Achieving FedRAMP authorization is a complex, expensive undertaking. But staying authorized is a daily grind. Even the most disciplined, well-resourced security teams have trouble keeping up with FedRAMP’s Continuous Monitoring requirements.

So let 38North do it for you.

FedRAMP Continuous Monitoring Requirements

The FedRAMP Continuous Monitoring Strategy Guide describes the complex, ongoing process required to maintain FedRAMP authorization. While some elements are addressed by your 3PAO – such as the formal annual assessment – most of the work falls on you as the Cloud Service Provider (CSP).

38North Continuous Monitoring-as-a-Service

38North helps you keep pace with these relentless ConMon activity and deliverable requirements by providing dedicated support to your continued authorization. From staff augmentation for focused tasks, to outsourced support to every FedRAMP ConMon activity, 38North can carry much of the ConMon compliance burden.

Our Continuous Monitoring as-a-Service approach uses your existing tools and processes to meet all FedRAMP requirements. Our Subject Matter Experts have years of experience supporting ConMon for FedRAMP and nearly every US cabinet agency. We understand how these organizations evaluate ConMon submissions and can navigate around roadblocks to keep you continually authorized.

FedRAMP Continuous Monitoring requires:

  • Daily maintenance of security monitoring and audit logging infrastructure
  • Monthly scanning, reporting and submission of Plans of Action and Milestones (POA&M) documentation
  • Monthly meetings with FedRAMP and/or Agency Authorizing Officials
  • Quarterly FedRAMP authorization package and documentation updates
  • Annual incident response and contingency plan testing and reporting
  • Regular adherence to critical processes such as training, change control, supply chain management and access control reviews
  • Periodic Security Impact Analyses, deviation requests and FedRAMP Significant Change Request Form completion
ConMon is Important. But It Shouldn’t Become Your Top Priority.

FedRAMP ConMon can quickly overwhelm your priority list, bogging your teams down with compliance activity. With us, your internal IT and security teams can avoid compliance fatigue and stay focused on the priorities that matter most to your organization.

Our continuous monitoring services – offered all together or a la carte as needed – include:

Service AreaDescriptionBenefits
ConMon Planning and CommunicationsKeep the ConMon project plan up-to-date, and handle FedRAMP, Agency and 3PAO scheduling.Avoid logistical and communications headaches while ensuring on time achievement of all internal and external FedRAMP milestones.
Documentation and Evidence MaintenanceWe manage the documents that form that core of your FedRAMP authorization package, while leading the quarterly and annual review and update efforts. We also produce and track evidence of compliance to facilitate your 3PAOs annual assessment. With decades of experience maintaining authorization packages, we can efficiently review and update documentation, freeing your resources to stay focused on organizational priorities.
Vulnerability Scanning and POA&MsWe update, configure, run and interpret the asset discovery, network, application and database scans mandated by FedRAMP. We also work with your team to update the formal POA&M submission template and complete all required monthly reporting.Scanning issues are the primary cause of ConMon failures. We keep your scanning tools tuned and up to date, while ensuring full coverage of your asset inventory. We also help filter false positives to present an accurate monthly picture to FedRAMP.
FedRAMP Penetration TestingWe conduct focused penetration testing prior to the formal annual assessment.Pretesting proactively identifies issues that may have emerged since the last test, to ensure a clean annual assessment.
Support to FedRAMP ProcessesHands-on support to critical process areas, such as audit log reviews, change control, patch and vulnerability management, and access control reviews. Keep process, documentation and evidence collection from overwhelming your operational teams.
Software AssuranceThe 38North software assurance team conducts static and dynamic code assessments to meet FedRAMP code review requirements.Code analysis tools are notorious for drowning developers in false positives. We triage findings for you, and then work with developers to remediate issues without impacting functionality.
Enterprise Training OversightDevelop all required training and also oversee general awareness and specialized training for personnel supporting the FedRAMP boundary.We bring specialized approaches that address FedRAMP’s unique training, tracking and reporting requirements.
Incident Response and Contingency Plan TestingWe plan, coordinate, conduct and document incident response and contingency plan testing. Tackle the technical and logistical challenges of conducting and documenting exercises that meet FedRAMP’s exacting requirements.
Supply Chain SecurityFedRAMP requires strict scrutiny of third-parties and suppliers that support your system. We will oversee the security and compliance posture of all external suppliers, document system interconnections and ensure they meet FedRAMP conditions. Make certain that third-parties continuously meet security requirements so that supplier compliance issues do not jeopardize your FedRAMP authorization.
Representation at Key Meetings38North senior advisors represent our clients at monthly, quarterly, annual and on-demand meetings with the FedRAMP Program Management Office (PMO), Agency Authorizing Officials (AOs), the Department of Defense (DoD) and other stakeholders as required. By speaking FedRAMP and Agency AO language, we advocate on your behalf to ensure that the strength and effectiveness of your security and compliance posture is fully communicated to the government.
Annual Assessment SupportWhile your 3PAO conducts the annual assessment, we help you collect technical evidence, clean up documentation and prep your teams in advance. We can also represent you in front of your 3PAO, Agency AOs and the FedRAMP JAB.With your team prepared, evidence collected and system hardened, we facilitate a fast, smooth, clean annual assessment.

Next Steps

Contact us to get started. The first step is a one hour introductory session. In this call we get introduced, gather technical details and figure out which of our FedRAMP ConMon services make the most sense for you. We also offer unbilled follow up calls if you have any additional questions or need consulting advice as you prepare for FedRAMP continuous monitoring.

Following our initial meetings, formal proposals and pricing are submitted within one week. We can kick off ConMon services within two weeks of contract signature.

Jeremiah Thompson

Director of Cloud Security Architecture

Jeremiah Thompson is 38North’s Director of Cloud Security Architecture. He leads 38North’s technical teams as they tackle engineering challenges and design secure, compliant cloud security architectures.

For over 18 years Jeremiah has helped clients in the commercial, defense and federal civilian sectors engineer secure solutions to modern cyber challenges. Prior to 38North, he served as a Director at Coalfire, one of the nation’s preeminent Third-Party Assessment Organizations (3PAOs). At Coalfire he led FedRAMP and DoD FedRAMP+ assessments supporting Fortune 500 organizations. He was also a Lead Information Security Compliance Auditor supporting the National Cancer Institute, and an Information Security Compliance Auditor at IBM.

Jeremiah currently holds CISSP, CISM, CAP, C|EH, Security+, Network+, CCSK and MCP certifications.

Andy Davidson

Senior Director of Cloud Security

Andy Davidson is Senior Director of Cloud Security at 38North. He leads 38North Senior Advisors as they prepare IaaS, PaaS and SaaS providers for the rigors of FedRAMP authorization. One of the nation’s most experienced FedRAMP practitioners, Andy has been supporting FedRAMP assessment and consulting efforts since the initial FedRAMP pilot project. He specializes in helping hyperscale Cloud Service Providers (CSPs) navigate FedRAMP requirements and successfully achieve Provisional Authorities to Operate (P-ATO).

Prior to 38North, Andy was Senior Director of FedRAMP and Assessment Services at Coalfire, one of the leading Third-Party Assessment Organizations (3PAOs). At Coalfire, he was responsible for growing the 3PAO practice and managing assessor teams in the execution of high profile assessments for Fortune 500 CSPs. He also helped start Veris Group’s 3PAO practice. Prior to Veris, Andy was an IT security consultant at Booz Allen Hamilton, supporting security assessments and engineering efforts across the federal government.

Linda Morales

Senior Director of Global Compliance

Linda Morales is the Senior Director of Global Compliance at 38North Security. She leads assessments for customers in the healthcare, federal and commercial spaces. She specializes in helping organizations prepare for and complete FISMA, FedRAMP and HIPAA assessments. She is adept at leading teams to deliver efficient, accurate security reviews that withstand scrutiny from federal regulators. Linda is also a recognized expert in Healthcare security, helping Health-IT providers secure and defend Protected Health Information (PHI).

Prior to 38North, Linda served as a Director at Endeavor Systems, where she played a key role growing the federal security services practice. She also served as Security Manager for the Federal Aviation Administration’s (FAA) enterprise-wide assessment program, with responsibility for 150+ systems across FAA.

Linda earned a BS in Computer Science and a Masters in Engineering Management, with a focus in Information Security, both from The George Washington University. She is also a Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and a Registered Practitioner with the Cybersecurity Maturity Model Certification Advisory Board (CMMC-AB).

Spence Witten

Senior Advisor and Director of Business Development

Spence Witten is a 38North Senior Advisor and Director of Business Development. He serves as a trusted security advisor to 38North’s clients in the cloud services, healthcare, financial, defense and critical infrastructure communities.

Prior to 38North, Spence was Vice President of Global Sales at Lunarline. Spence led sales and marketing across ten cybersecurity business units, culminating in Lunarline’s acquisition by Motorola Solutions. Prior to becoming VP of Global Sales, Spence ran Lunarline’s US Federal Security Services practice, overseeing Lunarline’s defense, intelligence and federal civilian portfolio. He was also an early employee of Endeavor Systems. He played a key role in Endeavor’s rapid expansion in the federal, civilian, defense, and research and development markets, through to Endeavor’s successful acquisition.

An Adjunct Professor at Cleveland-Marshall College of Law, Spence serves on the Board of Directors for the Center for Cybersecurity and Privacy Protection at Cleveland State University. He is also a member of CyberOhio, the official cybersecurity advisory board for the Governor of Ohio.

Virginia Suazo

Senior Director of Cloud Security Advisory

Virginia Suazo is 38North’s Senior Director of Cloud Security Advisory. She is responsible for leading 38North’s cloud security and compliance efforts, with a speciality in helping global CSPs juggle multiple overlapping regulatory frameworks.

Before joining 38North, Virginia worked at a tech startup supporting the first and only Red Hat OpenStack Platform that is FedRAMP-authorized. She played a vital role in successfully obtaining FedRAMP Moderate and High authorizations for IaaS, PaaS, and SaaS systems, while supporting other certifications including DoD IL4/5, PCI DSS, HIPAA and HITECH. Her 15 years of cybersecurity experience also includes several tours supporting US federal agencies, including State Department, Department of Justice, Health and Human Services, Food and Drug Administration, General Services Administration and Department of Transportation.

Matt Earley


Matt Earley is 38North’s founder and President. He started 38North – the premier cloud security advisory company, in the US and internationally – to solve complex security challenges while developing trusted relationships with an elite client base.

For over 20 years Matt Earley has designed and implemented security solutions for the US and Australian federal governments, critical infrastructure, utilities, and for global finance and healthcare organizations. He focuses on lean security architecture design and prioritizing security efforts based on the critical needs of his clients.

Prior to founding 38North, Matt was the director of federal services at Endeavor Systems, where he was responsible for Endeavor’s largest business unit, serving the Federal Aviation Administration, Department of Homeland Security and some of the world’s largest security operations centers. He was also a Senior Manager in the Australian Department of Defense, where he represented Australasia on the Common Criteria Management Board.

Matt has a Bachelor of Engineering in computer engineering from the University of Canberra in Australia, and a Master’s in engineering management from George Washington University. He also is a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).