FedRAMP-CM | Severity: high | FedRAMP | US Federal

FedRAMP Continuous Monitoring

Enforced by: FedRAMP PMO / OMB
Current as of November 22, 2022

Plain Language Summary
FedRAMP authorization requires ongoing monitoring: monthly vulnerability scans, annual penetration tests, significant change notifications, and incident reporting to US-CERT within 1 hour for reportable incidents.

Once a cloud service offering receives FedRAMP authorization, the cloud service provider must perform ongoing continuous monitoring. Requirements include: monthly vulnerability scanning of operating systems, web applications, and databases; annual penetration testing; significant change notifications; annual security assessment of a subset of controls; incident reporting within 1 hour for US-CERT reportable incidents; and regular Plan of Action and Milestones (POA&M) updates.