Five Challenges of FedRAMP ConMon

What are the top five challenges of FedRAMP Continuous Monitoring (ConMon)?

Five common challenges of FedRAMP Continuous Monitoring 

  1. Understanding FedRAMP ConMon Requirements

  2. Cross-Team Communication and Collaboration

  3. Selecting the Right Scanning Tools

  4. Vulnerability Scanning Operations

  5. POA&M (Plan of Action & Milestones) Management

According to FedRAMP, ConMon is the monitoring of security controls as part of the overall risk management framework for information security. What does that mean in practice? Essentially, Continuous Monitoring boils down to a set of operations, performed on defined frequencies, that report the system's vulnerabilities and its compliance with the FedRAMP security controls. A Cloud Service Provider (CSP) must master the ConMon process to keep its authorization. This blog explores the top five challenges CSPs face in running a successful ConMon program and how industry experience, such as that provided by InfusionPoints, can offer valuable insight and guidance in managing the process.

  1. Understanding FedRAMP ConMon Requirements

There are hundreds of security controls and enhancements that must be implemented for FedRAMP compliance. At the time of writing, the Low Baseline includes 125 controls, the Moderate Baseline includes 325 controls, and the High Baseline includes 421 controls. Two of the key elements of an effective ConMon program are reporting on system vulnerabilities monthly and performing the recurring operations that the FedRAMP baseline requires weekly, monthly, quarterly, and annually. This is achieved in part by closely managing, updating, and submitting the FedRAMP Plan of Action and Milestones (POA&M) each month with full and accurate data from that month's scans. Each vulnerability must be remediated within a timeframe set by its severity, counted from the date a scan first detected it: thirty (30) days for high vulnerabilities, ninety (90) days for moderate vulnerabilities, and 180 days for low vulnerabilities. Keeping up with these timelines across hundreds of findings is a significant challenge for organizations. Leveraging a dedicated team to ensure vulnerabilities are tracked and remediated on time can mitigate risk to your FedRAMP Authority to Operate (ATO).

  2. Cross-Team Communication and Collaboration

Another challenge in achieving a successful ConMon program is cross-team communication and collaboration. Often, a CSP's cloud footprint is global in scale, creating the need for a dedicated federal team to support sensitive workloads. A communication breakdown can be costly, especially with a FedRAMP authorization at stake. Ways to combat this include a cultural shift that prioritizes cybersecurity and the pursuit of efficiencies through automation. By ensuring that each team member supporting the information system is ready to embrace ConMon and the vigilance that comes with it, CSPs can mitigate risks to their ATO and keep their systems more secure. What sets FedRAMP apart is the depth and breadth of metrics that a CSP must manage, track, and report regularly. Dedicated ConMon teams communicate and collaborate more effectively by leveraging dashboards, trend analysis, and automation, which lowers the risk to a CSP's FedRAMP ATO.

  3. Selecting the Right Scanning Tools

To ensure compliance with federal requirements, it is essential that all tooling used to support your ConMon program is itself FedRAMP compliant. Tooling carried over from commercial environments may not meet the standards required by the federal government; any external service that receives data from your system must hold an ATO at the same (or a higher) impact level as your information system. In particular, sensitive vulnerability data about your system must never be sent to a SaaS that is not FedRAMP authorized. Self-hosted scanners avoid that problem but come with their own considerations, such as keeping the scanner and its signatures patched within the same remediation windows as everything else inside the boundary. It is recommended to diversify your tools and avoid relying on a single tool for all scanning operations. Keep in mind that other scanning requirements exist as part of your Software Development Life Cycle (SDLC) process, and it is effective to ensure that static and dynamic application scanning is conducted upstream, before code reaches the authorized environment.

  4. Vulnerability Scanning Operations

To effectively manage your organization's IT assets, it is crucial that every component inside the authorization boundary is listed in the system component inventory and is scanned. It is equally essential to keep that inventory up to date. A complete monthly scan of your information system is mandatory to identify any vulnerabilities that may exist within it. This includes scanning all databases, web applications, operating systems, and containers. A practical monthly check is to reconcile the list of assets the scanner actually reached against the inventory: an inventory entry with no scan result means a component was missed, and a scanned host that is absent from the inventory means the inventory is stale. While some guidance is available on container scanning, partnering with a dedicated ConMon team such as InfusionPoints can provide expert guidance and support in conducting the appropriate scans for your system, ensuring comprehensive scanning and monitoring of your system assets.

  5. POA&M (Plan of Action & Milestones) Management

The Plan of Action and Milestones (POA&M) is a monthly index of the active vulnerabilities within the authorization boundary, together with the timeframes and pathways to remediate them. Managing a POA&M can be tedious, especially without automation. The challenge lies in turning raw output from the various scanning tools that support the system's security posture into accurate, consolidated POA&M entries. What about false positives, operational requirements, deviation requests, and vendor dependencies? Each of these must be documented and justified rather than simply dropped from the scan results. It is essential to understand your system's vulnerabilities and establish a path toward remediation for every finding reported by your scanning tools. Knowing how to generate an accurate POA&M and submit it to the appropriate stakeholders, such as the authorizing agency, the FedRAMP Program Management Office (PMO), or the Joint Authorization Board (JAB), is vital to a successful ConMon program.
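The three mechanical parts of what sections 1, 4 and 5 describe, the severity-based remediation clocks, the inventory-versus-scan-coverage reconciliation, and the consolidation of per-asset scan rows into POA&M items, are easy to get wrong when done by hand each month. The following script is an added example written for this post; it is not InfusionPoints' tooling and not a FedRAMP template. The inventory, the scanned-asset list, the finding identifiers (PLUGIN-1001 and so on) and the detection dates are all constructed sample data, and grouping identical findings across assets into a single POA&M item is an assumption of the example; follow the POA&M template completion guide for the grouping rules that apply to your package.

```python
from datetime import date, timedelta

# Remediation windows from the FedRAMP ConMon guidance cited in this post,
# counted from the date a scan first detected the finding.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2}

# Constructed sample data for this example; not from any real system.
AS_OF = date(2023, 2, 15)  # the reporting date for this month's POA&M
INVENTORY = {"web-01", "web-02", "db-01", "app-01"}          # system component inventory
SCANNED_ASSETS = {"web-01", "web-02", "db-01", "bastion-99"}  # what the scanner actually reached
SCAN_FINDINGS = [  # one row per (asset, finding), the shape a scanner export usually has
    {"asset": "web-01", "finding_id": "PLUGIN-1001", "severity": "High", "first_detected": date(2023, 1, 10)},
    {"asset": "web-02", "finding_id": "PLUGIN-1001", "severity": "High", "first_detected": date(2023, 1, 10)},
    {"asset": "db-01", "finding_id": "PLUGIN-2002", "severity": "Moderate", "first_detected": date(2023, 1, 20)},
    {"asset": "web-01", "finding_id": "PLUGIN-3003", "severity": "Low", "first_detected": date(2022, 8, 1)},
    {"asset": "bastion-99", "finding_id": "PLUGIN-4004", "severity": "Moderate", "first_detected": date(2023, 2, 1)},
]


def coverage_gaps(inventory, scanned):
    """Reconcile the component inventory against this month's scan coverage.

    Returns (inventory assets the scan never reached, scanned assets missing
    from the inventory). Both are ConMon problems: the first is an unscanned
    component, the second is a stale inventory.
    """
    return sorted(inventory - scanned), sorted(scanned - inventory)


def due_date(severity, first_detected):
    """Remediation deadline for a finding, based on its severity and first detection."""
    return first_detected + timedelta(days=REMEDIATION_DAYS[severity.lower()])


def build_poam(findings, as_of):
    """Consolidate per-asset scan rows into one POA&M item per finding id.

    The clock starts at the earliest detection date across affected assets,
    and the item carries the highest severity reported for the finding, so a
    new host picking up an old finding never resets the deadline.
    """
    items = {}
    for row in findings:
        sev = row["severity"].lower()
        item = items.setdefault(row["finding_id"], {
            "finding_id": row["finding_id"],
            "severity": sev,
            "assets": set(),
            "first_detected": row["first_detected"],
        })
        item["assets"].add(row["asset"])
        item["first_detected"] = min(item["first_detected"], row["first_detected"])
        if SEVERITY_RANK[sev] > SEVERITY_RANK[item["severity"]]:
            item["severity"] = sev

    poam = []
    for item in items.values():
        due = due_date(item["severity"], item["first_detected"])
        days_left = (due - as_of).days
        poam.append({**item, "assets": sorted(item["assets"]), "due": due,
                     "days_remaining": days_left, "overdue": days_left < 0})
    return sorted(poam, key=lambda p: p["due"])  # most urgent first


def overdue_items(poam):
    """POA&M items whose remediation window has already closed."""
    return [p for p in poam if p["overdue"]]


def monthly_summary(poam):
    """Counts a ConMon team reports each month: open and overdue items by severity."""
    summary = {s: {"open": 0, "overdue": 0} for s in REMEDIATION_DAYS}
    for p in poam:
        summary[p["severity"]]["open"] += 1
        if p["overdue"]:
            summary[p["severity"]]["overdue"] += 1
    return summary


if __name__ == "__main__":
    unscanned, unknown = coverage_gaps(INVENTORY, SCANNED_ASSETS)
    print("inventory assets not scanned:", unscanned)
    print("scanned assets not in inventory:", unknown)
    poam = build_poam(SCAN_FINDINGS, AS_OF)
    for p in poam:
        status = "OVERDUE" if p["overdue"] else f"{p['days_remaining']}d left"
        print(f"{p['finding_id']:12} {p['severity']:8} due {p['due']} {status} assets={p['assets']}")
    print(monthly_summary(poam))
```

Run against the sample data, the reconciliation reports app-01 as an inventory entry that was never scanned and bastion-99 as a scanned host missing from the inventory, and the POA&M shows the high finding on the two web servers and the old low finding as overdue. Swapping the constructed lists for a real inventory export and a real scanner export is the only change needed to use this as a monthly pre-submission check.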

If you are interested in implementing an effective ConMon program to better secure your information system, consider working with a dedicated cybersecurity consulting firm with a client-focused approach. InfusionPoints provides a wide range of services that can help you understand how ConMon works, offer practical guidance, and provide access to a dedicated team to ensure the security of your information system. This lets you concentrate on your primary business operations while we handle ConMon. Contact InfusionPoints to learn more and begin your ConMon journey today.

Sources:

Federal Risk and Authorization Management Program (FedRAMP). "Documents & Templates." Accessed on February 15, 2023. Available at: https://www.fedramp.gov/documents-templates/.

Federal Risk and Authorization Management Program (FedRAMP). "CSP POAM Template Completion Guide." Accessed on February 15, 2023. Available at: https://www.fedramp.gov/assets/resources/documents/CSP_POAM_Template_Completion_Guide.pdf.

National Institute of Standards and Technology (NIST) and the Federal Risk and Authorization Management Program (FedRAMP). "Continuous Monitoring Strategy Guide." 2019. Available at: https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf.

National Institute of Standards and Technology (NIST). "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations." NIST Special Publication 800-137, September 2011. Available at: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.
