FedRAMP issues revised continuous monitoring guidance
- By Sara Friedman
The Federal Risk and Authorization Management Program released new guidance to streamline and clarify the continuous monitoring program.
Based on feedback from cloud service providers and the Joint Authorization Board review teams, the need for such improvements had been apparent for some time. “We spend about 75 percent of our security budget in continuous monitoring in my office alone, and it is too much for any agency or organization to maintain,” FedRAMP Director Matt Goodrich said at a Dec. 8 Digital Government Institute event. “We are looking to reduce the burden of continuous monitoring -- not only in our office but for our vendors as well.”
The new and updated documents seek to improve the overall FedRAMP authorization process and clarify certain elements or expectations. They also create structure in some of the parts of the processes that CSPs and JAB reviewers may have interpreted differently.
The FedRAMP Continuous Monitoring Performance Management Guide replaces the Provisional Authority to Operate Management and Revocation guide. It explains what actions FedRAMP officials will take when a CSP fails to maintain an adequate risk management program and lays out escalation processes and procedures.
The Plan of Action and Milestones (POA&M) Completion Guide updates an existing document with new guidance on how to complete the POA&M processes. FedRAMP's updated POA&M template provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts.
The Continuous Monitoring and Strategy Guide provides guidance on continuous monitoring and ongoing authorization to meet FedRAMP requirements for maintaining a security authorization.
FedRAMP also released new documents for Digital Identity Requirements and Transport Layer Security Requirements. The Digital Identity Requirements provides guidance on compliance with National Institute of Standards and Technology Special Publication 800-63 that emphasizes federation, new password guidance and options for easing restrictions on in-person identity validation. CSPs are required to implement the NIST requirements by July 1, 2018, for FedRAMP-authorized systems.
The Transport Layer Security Requirements summarize guidance on the use of cryptographic protocols that provide communications security over computer networks. CSPs must implement the TLS requirements by July 1, 2018.
All CSPs are also now required to include a form summarizing scans and risk adjustments as part of their monthly continuous monitoring submissions.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.
Friedman can be contacted at firstname.lastname@example.org or follow her on Twitter @SaraEFriedman.
Click here for previous articles by Friedman.