What You Need to Know About FedRAMP Continuous Monitoring

Originally published by Schellman.

To become FedRAMP authorized, you must pass the initial, rigorous FedRAMP assessment. But in the following years, you’ll also need to complete Annual Assessments performed by a third-party assessment organization (3PAO) if you’re interested in maintaining that compliance.

It’s what’s called the FedRAMP Annual Assessment, and as one of the market’s most experienced 3PAOs, we’re going to explain what you need to know about this post-Initial Assessment period so that you can set accurate expectations for your process.

FedRAMP Continuous Monitoring: A Breakdown

Should you choose to proceed through FedRAMP, an Annual Assessment is required as part of your continuous monitoring (ConMon) requirements for as long as your system is in service to a federal customer. As we mentioned before, this consists of an Annual Assessment you’ll need to consistently undergo, but what does that mean exactly?

To get you down on the basics, we’ve broken this ConMon process down into six important criteria with details, so let’s get started.

1. 3PAO

The same organization that completed your Initial Assessment can also handle your year-to-year ConMon if you should so choose. That being said, if you weren’t pleased with your initial 3PAO, you aren’t bound to stick with them and you can switch to another for a different experience. Should you indeed choose to go in another direction, you need only ensure that your new assessor is accredited by the American Association for Lab Accreditation (A2LA).

You might want to switch 3PAOs for whatever reason, but we would caution you that there’s usually a correlation between price and skillset. So, if you’re looking to go with a cheaper option, be aware that issues may arise with the quality of the assessment that may affect your Authority to Operate (ATO) status.

2. FedRAMP Annual Assessment Controls

Every year you go through an Annual Assessment, there will be a set of core controls assessed (129 controls)—these are required controls that will be assessed every year for an Annual Assessment. To satisfy these controls, you must provide new evidence—you cannot reuse evidence from previous years.

The Annual Assessment will be different in that, aside from that core set, you’ll only be assessed against what amounts to about a third of the remaining controls tested during your initial assessment, and these will be chosen by your 3PAO.

Every 3PAO will differ slightly in how they determine which non-core controls are in scope for each year. That’s because FedRAMP requires that, by the end of your third Annual Assessment year, all baseline controls must be assessed.

In some cases—like if you have specific overlays such as International Traffic in Arms Regulation (ITAR), Criminal Justice Information Services (CJIS), or Health Insurance Portability and Accountability Act (HIPAA)—all of the specific controls related to those overlays may be required to be assessed every year regardless.

NOTE: Department of Defense (DoD) Impact Levels (IL)4, IL5, and IL6 systems have additional control overlays that must be considered for Annual Assessment purposes. This is an additional scoping exercise for CSPs that have a P-ATO at IL4, IL5, or IL6.

3. POA&M

While your Initial Assessment is more focused on uncovering all of the residual risks in your environment—as well as documenting any deviations and vulnerability scan findings—during your Annual Assessment, your 3PAO will validate any POA&M items closed since the last assessment, as well as all open POA&M items.

The 3PAO will also confirm whether you remediated these vulnerabilities and other findings within the FedRAMP required timeframes for the risk level:

• Low: 180 days.
• Moderate: 90 days
• High: 30 days

It’s particularly important that you prioritize remediating and or mitigating any high findings—especially Federal Mandates—that are found during any of your assessments as the assessment report’s “recommendation” is dependent on the residual risk. Federal Mandates can be found in the Readiness Assessment Report template on the FedRAMP website.

4. Assessment Cost

While prices will vary due to many factors (complexity, overlays, etc.), the typical cost reduction is due to a parallel reduction in control scoping for these annual assessments.

The Annual Assessment is a de-scoped assessment when compared to the Initial Assessment; however, the reduced scope is only for the controls. The penetration test and the deliverables are not reduced in scope, resulting in the approximately 80% cost difference between the Initial and Annual Assessments.

5. Significant Change Request (SCR)

Used to accommodate security and architecture changes in your environment that affect the security controls of the system, an SCR includes the scope of controls that are relevant to the service, feature, or security provisions and that are being affected by the SCR.

A penetration test will also need to be included with the SCR for the attack vectors affected by the change

6. Agency Review

The agency sponsor (or JAB) will review your SAR package after your Initial Assessment. That’s a lengthy process—the PMO review alone takes a good chunk of time and culminates with a formal out brief and review meeting(s).

During ConMon years, FedRAMP only requires your agency to review those same documents, and they’re usually more expedient. Depending on your agency’s involvement, they may want to hold a review meeting with your 3PAO to discuss the results of the security assessment.

Moving Forward with Your FedRAMP Compliance

FedRAMP requires a regular Annual Assessment in support of the required ConMon activities to ensure that the security of your system is maintained while it’s being used by the federal government. Now, you know what to expect at a high level once you complete your FedRAMP Initial Assessment and enter this crucial period known as continuous monitoring.