CA-7: Continuous Monitoring
An OSCAL Control
Statement

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

c. Ongoing control assessments in accordance with the continuous monitoring strategy;
d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
e. Correlation and analysis of information generated by control assessments and monitoring;
f. Response actions to address results of the analysis of control assessment and monitoring information; and
Requirement:
Operating system, database, web application, container, and service configuration scans: at least monthly. All scans performed by an Independent Assessor: at least annually.

Requirement:
CSOs with more than one agency ATO must implement the collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path, because each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path, because the JAB performs ConMon oversight.

Guidance:
FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.
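The scan cadence above is easy to state and easy to drift from. The following is an added example, not part of the FedRAMP or OSCAL control text, of the check a CSP's ConMon lead would run over a scan inventory before each monthly deliverable: it flags, per in-scope asset and scan type, any monthly scan older than the window, any asset with no scan at all, and any asset whose most recent scan by the Independent Assessor is older than a year. Assumptions, labelled in the code: "at least monthly" is enforced as a 30-day window and "at least annually" as 365 days (FedRAMP does not define the windows in days on this page); the record format, asset list and dates are constructed sample data; the `independent` flag stands in for whatever field your scan tooling uses to mark 3PAO-run scans.

```python
"""
Added example (not part of the FedRAMP/OSCAL control text).
Checks a scan inventory against the CA-7 FedRAMP cadence:
  - every in-scope asset/scan-type pair scanned at least monthly
  - every pair scanned by the Independent Assessor at least annually
Assumptions: 30-day and 365-day windows; constructed sample records.
"""
from datetime import date, timedelta

# Scan types named in the requirement. An asset only needs the types
# that apply to it (a database host is not a web application).
SCAN_TYPES = ("os", "database", "web_application", "container", "service_config")
MONTHLY_WINDOW = timedelta(days=30)   # assumption: "at least monthly" == 30 days
ANNUAL_WINDOW = timedelta(days=365)   # assumption: "at least annually" == 365 days

# Constructed sample inventory. `independent` marks scans run by the
# Independent Assessor (3PAO); field name is an assumption.
SAMPLE_RECORDS = [
    {"asset": "web-01", "scan_type": "os", "date": "2024-06-15", "independent": False},
    {"asset": "web-01", "scan_type": "os", "date": "2023-09-01", "independent": True},
    {"asset": "web-01", "scan_type": "web_application", "date": "2024-05-01", "independent": False},
    {"asset": "web-01", "scan_type": "web_application", "date": "2023-05-01", "independent": True},
    {"asset": "db-01", "scan_type": "database", "date": "2024-06-28", "independent": True},
    # Future-dated record: must not satisfy any cadence as of the check date.
    {"asset": "db-01", "scan_type": "os", "date": "2024-07-05", "independent": False},
]
# Which scan types each in-scope asset requires (constructed).
SAMPLE_ASSETS = {"web-01": ("os", "web_application"), "db-01": ("os", "database")}


def find_overdue(records, assets, as_of):
    """Return a sorted list of (asset, scan_type, reason) findings.

    records: dicts with keys asset, scan_type, date (ISO), independent (bool)
    assets:  {asset_name: (required scan types...)}
    as_of:   ISO date string or datetime.date for the check date
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    latest = {}        # (asset, scan_type) -> most recent scan by anyone
    latest_indep = {}  # (asset, scan_type) -> most recent Independent Assessor scan
    for r in records:
        if r["scan_type"] not in SCAN_TYPES:
            continue  # unknown scan type; not part of the cadence
        d = date.fromisoformat(r["date"])
        if d > as_of:
            continue  # a scan dated after the check date proves nothing yet
        key = (r["asset"], r["scan_type"])
        if d > latest.get(key, date.min):
            latest[key] = d
        if r.get("independent") and d > latest_indep.get(key, date.min):
            latest_indep[key] = d

    findings = []
    for asset, required in assets.items():
        for st in required:
            key = (asset, st)
            last = latest.get(key)
            if last is None:
                findings.append((asset, st, "never scanned"))
            elif as_of - last > MONTHLY_WINDOW:
                findings.append((asset, st, f"monthly scan overdue ({(as_of - last).days}d)"))
            last_i = latest_indep.get(key)
            if last_i is None:
                findings.append((asset, st, "no independent assessor scan"))
            elif as_of - last_i > ANNUAL_WINDOW:
                findings.append((asset, st, f"annual independent scan overdue ({(as_of - last_i).days}d)"))
    return sorted(findings)


def sample_findings(as_of="2024-06-30"):
    """Run the check over the constructed sample inventory."""
    return find_overdue(SAMPLE_RECORDS, SAMPLE_ASSETS, as_of)


if __name__ == "__main__":
    for asset, scan_type, reason in sample_findings():
        print(f"{asset:8} {scan_type:16} {reason}")
```

A scan run by the Independent Assessor counts toward the monthly cadence as well as the annual one, since it is still a scan of the asset; a boundary date exactly 30 or 365 days old is treated as on time, which is the lenient reading and should be confirmed against the organization's own ConMon strategy. Feeding this the real inventory on a schedule, rather than once before an annual assessment, is the point of the control.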