CA-7: Continuous Monitoring

An OSCAL Control

Statement

    • Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

      • a. Establishing the following system-level metrics to be monitored: ;

      • b. Establishing for monitoring and for assessment of control effectiveness;

      • c. Ongoing control assessments in accordance with the continuous monitoring strategy;

      • d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

      • e. Correlation and analysis of information generated by control assessments and monitoring;

      • f. Response actions to address results of the analysis of control assessment and monitoring information; and

      • g. Reporting the security and privacy status of the system to .

        • Requirement: Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.

        • Requirement: CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.

        • Guidance: FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.