Obtaining approval for your software from the federal government and its agencies as a contractor, and with it an Authority to Operate (ATO), is not a one-time process. We’re not just referring to the need to recertify annually and pass occasional audits. We’re talking about an additional part of the process, the final step of the NIST Risk Management Framework: Monitoring.
Monitoring, also referred to as Continuous Monitoring or ConMon, is the process of watching and reviewing your systems and processes to ensure that security doesn’t slip and, in the event of a breach, that said breach is detected and addressed as soon as possible.
We’ll break down what you need to know and do, but if you want to dig into the documentation directly from the source, some useful resources include:
- The National Institute of Standards and Technology Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
- The FedRAMP Continuous Monitoring Strategy Guide
- The FedRAMP Continuous Monitoring Performance Management Guide
Many other documents are available as well to explain and expound upon specific questions you may have. If you have a need for a specific resource, you can often find it on FedRAMP.gov, the NIST website, or linked within another publication. We’ll also provide what resources we have if you ask.
BLUF - Bottom Line Up Front
Continuous monitoring is crucial for maintaining security and compliance for federal contractors, involving six key steps: Define security posture, Establish a monitoring framework, Implement the system, Analyze and report findings, Respond to issues, and Review and update processes. Engaging a certified third-party assessment organization is critical for audits. Choose appropriate tools for vulnerability checks and reporting. For FedRAMP compliance, work with certified platforms and experts to streamline processes and mitigate risks.
A Six-Step Process
Broadly, continuous monitoring is divided into six steps or phases. Five of them are tied to the overall process of establishing your security posture and acquiring your ATO; the sixth is the steady state of established continuous monitoring and response.
Step 1: Define
The first step is defining your overall security posture at each relevant level and the requirements and minimums you must uphold for each relevant security control.
This is partially determined by your overall integration with government information and Covered Defense Information (CDI), and partially by your impact level as determined by applying the Federal Information Processing Standard (FIPS) 199 guidelines (for more information, see our guide on FIPS here). In general, most guides and reviews will assume your impact level is Moderate, as the vast majority of Cloud Service Providers (CSPs) seeking FedRAMP Authorization fall into that category.
Step 2: Establish
The second step is to take your defined security posture and awareness of controls and set up a technical framework for monitoring those security controls. This includes defining how each control must be monitored and how often those controls are checked. This would also include guidance and procedures on how to respond to anomalies in the metrics, or how to respond if defined thresholds are breached for monitored items.
Some controls aren’t frequently accessed, changed, or used, and so can be checked less often than those with greater impact on your security posture.
Step 3: Implement
The third step is the implementation of your monitoring system. Here, you will collect, organize, and review the information on each security control, including status updates and reports.
FedRAMP recommends automating as much of this as possible, both to eliminate human error and to ensure compliance with timing and logging policies.
Step 4: Analyze and Report
Once data has been gathered through the implemented monitoring system, reports must be created, reviewed, and analyzed. It does you no good to simply file these logs away with no attention, after all. These logs must be analyzed to determine if your security posture is still appropriate, if any changes need to be made, if any signs of a breach or intrusion have been detected, and if there are any other oddities that need attention.
This is occasionally a multi-part process. If a situation arises, you may need to perform a more detailed audit and gather more data to perform further analysis.
This step ends with a report of your findings, distilled from technical logs into tangible, readable, and actionable information. For many organizations, reporting – while less strenuous and thorough than the auditing required for the annual assessment – is a monthly requirement.
Step 5: Respond
The second-to-last step in the defined continuous monitoring process is responding if anything unusual is discovered in the previous analysis. Responses fall along three axes: technical responses, managerial responses, and operational responses.
An incident can be anything from an actual data breach, to the failed results of a penetration test, to a third-party report of a zero-day exploit, to a change in security standards you previously upheld. Your target is frequently a moving one and a response is necessary to maintain an ongoing security posture. In other words, you can’t simply rest on your laurels even if no serious incidents occur.
Step 6: Review and Update
The final phase is to review the results of your analysis and response and see what changes may need to be applied to step 1’s definition and step 2’s establishment of your continuous monitoring system. Implement any changes that need to be made to maintain the appropriate level of security and begin again.
Overall, while the six steps are defined and laid out in FedRAMP documentation, the core concept is simple. You are implementing a system of ongoing monitoring, along with incident response and reporting, to make sure that you maintain your security. Everything else is the details of how you go about it.
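Steps 2 through 4 come down to a concrete question: for each monitored control, how often must evidence be collected, when is it overdue, and which monitored metrics have crossed a threshold? The following is an added example, not code from this page or from Ignyte, of a minimal schedule checker that answers those questions. The control IDs are NIST SP 800-53 labels; the check frequencies, thresholds, dates and observed values are constructed sample data and are not the FedRAMP baseline values.

```python
"""Added example: a minimal continuous-monitoring schedule checker.

Not code from the page or from Ignyte. Control IDs are NIST SP 800-53 labels;
the check frequencies, thresholds and dates are constructed sample data, not
the FedRAMP baseline values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class MonitoredControl:
    control_id: str                    # NIST SP 800-53 identifier used as a label
    description: str
    frequency_days: int                # how often evidence must be collected (Step 2)
    last_evidence: date                # date of the newest evidence on file (Step 3)
    metric: Optional[str] = None       # optional monitored metric name
    threshold: Optional[float] = None  # alert when observed exceeds this value
    observed: Optional[float] = None   # latest observed value of the metric


# Constructed sample monitoring plan; all values are illustrative only.
REPORT_DATE = date(2024, 3, 1)
SAMPLE_CONTROLS: List[MonitoredControl] = [
    MonitoredControl("AC-2", "Privileged account review", 30, date(2024, 2, 10)),
    MonitoredControl("RA-5", "Authenticated vulnerability scan", 30, date(2024, 1, 15)),
    MonitoredControl("AU-6", "Audit log review", 7, date(2024, 2, 27),
                     metric="failed_logins_per_hour", threshold=50, observed=120),
    MonitoredControl("CM-6", "Configuration baseline check", 90, date(2023, 12, 20),
                     metric="hosts_drifted_from_baseline", threshold=0, observed=0),
]


def next_due(control: MonitoredControl) -> date:
    """Date by which fresh evidence for this control must be collected."""
    return control.last_evidence + timedelta(days=control.frequency_days)


def overdue_controls(controls: List[MonitoredControl], today: date) -> List[MonitoredControl]:
    """Controls whose evidence is older than their defined check frequency."""
    return [c for c in controls if today > next_due(c)]


def threshold_breaches(controls: List[MonitoredControl]) -> List[MonitoredControl]:
    """Controls whose latest observed metric exceeds the defined threshold."""
    return [
        c for c in controls
        if c.threshold is not None and c.observed is not None and c.observed > c.threshold
    ]


def conmon_report(controls: List[MonitoredControl], today: date) -> Dict[str, object]:
    """Distil raw monitoring state into the actionable summary Step 4 asks for."""
    overdue = overdue_controls(controls, today)
    breaches = threshold_breaches(controls)
    return {
        "reporting_date": today.isoformat(),
        "overdue": [c.control_id for c in overdue],
        "days_overdue": {c.control_id: (today - next_due(c)).days for c in overdue},
        "breaches": [f"{c.control_id}: {c.metric}={c.observed} > {c.threshold}"
                     for c in breaches],
        # Anything overdue or breached triggers Step 5 (Respond).
        "response_required": bool(overdue or breaches),
    }


if __name__ == "__main__":
    for key, value in conmon_report(SAMPLE_CONTROLS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

In the sample run, the vulnerability scan (RA-5) is 16 days past its 30-day cadence and the log-review metric (AU-6) has exceeded its failed-login threshold, so the report flags both and marks a response as required; the quarterly baseline check (CM-6) is within its window and shows no drift. In a real deployment the `last_evidence` and `observed` values would be pulled from your scanner, SIEM and ticketing system rather than hard-coded.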
Concerns and Details for Continuous Monitoring
When you’re implementing continuous monitoring, there are many questions and concerns that may come up. We’ve answered the most common questions here, but if you have another we haven’t addressed, feel free to ask us directly, and we’ll help shed light on the situation for you.
Working with a 3PAO
When you seek FedRAMP ATO, you will need to work with an accredited third-party assessment organization (3PAO), such as ourselves, for a thorough audit and review of your systems and security. You will also need to work with a 3PAO to perform your annual assessments as required according to your impact level.
There is no rule, however, that says that you must continue working with the same 3PAO indefinitely. If you didn’t like or had issues with the service of the 3PAO you initially worked with, you can change your 3PAO at any time. Some are better than others in terms of being thorough, proactive, or reasonably priced.
If you’re interested to see how we can help you as both a continuous monitoring platform and a certified 3PAO, click here to learn more.
Additional Security Requirements
There are a variety of situations where your business as a CSP, the information you handle as a government contractor, the industry in which you work, or your defined federal impact level will alter the requirements for continuous monitoring.
Your Impact Level. Impact levels have been simplified to just three levels: low, moderate, and high. The majority of CSPs will fall into the moderate category, but those in the high category will have more stringent requirements and additional reporting requirements and audits to pass as befitting the information they handle.
Your POAM. A Plan of Action and Milestones (POAM) is a plan to go from, say, 90% of the way to compliance to 100% of the way to compliance over a specified timeframe, tracking each open weakness with an owner and a due date. In FedRAMP, remediation deadlines are keyed to the severity of each finding rather than to your system’s impact level: high-severity findings must be remediated within 30 days of discovery, moderate within 90 days, and low within 180 days.
However, you don’t wait until your POAM is complete to begin continuous monitoring. ConMon begins as soon as you receive your ATO.
This is covered in the original six phases of continuous monitoring. Each cycle, as your POAM progresses, any new controls or interactions you make must be accounted for and added to your monitoring. The two fit together naturally.
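Keeping the POAM honest each monitoring cycle means computing a due date for every open finding from its severity and discovery date, and surfacing what is overdue or about to be. The following is an added example, not code from this page or from Ignyte, of that bookkeeping. The 30/90/180-day windows are the FedRAMP remediation timeframes for high-, moderate- and low-severity findings; the finding identifiers, control references and dates are constructed sample data.

```python
"""Added example: POAM remediation-deadline tracking.

Not code from the page or from Ignyte. The 30/90/180-day windows are the
FedRAMP remediation timeframes for high-, moderate- and low-severity findings;
the findings themselves are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# FedRAMP remediation windows, keyed to finding severity (not system impact level).
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    poam_id: str                   # constructed tracker identifier
    control_id: str                # affected NIST SP 800-53 control
    severity: str                  # "high", "moderate" or "low"
    detected: date                 # date the scanner first reported the weakness
    closed: Optional[date] = None  # date remediation was verified
    false_positive: bool = False   # accepted false positive (justified and reviewed)

    def __post_init__(self) -> None:
        # Reject severities with no defined window rather than silently skipping them.
        if self.severity.lower() not in REMEDIATION_DAYS:
            raise ValueError(f"unknown severity {self.severity!r}")


# Constructed sample POAM entries; values are illustrative only.
REPORT_DATE = date(2024, 3, 1)
SAMPLE_FINDINGS: List[Finding] = [
    Finding("P-001", "RA-5", "high", date(2024, 1, 20)),
    Finding("P-002", "CM-6", "moderate", date(2024, 1, 10)),
    Finding("P-003", "SI-2", "low", date(2023, 8, 1)),
    Finding("P-004", "AC-2", "high", date(2024, 2, 25)),
    Finding("P-005", "SC-8", "moderate", date(2023, 12, 15), closed=date(2024, 2, 1)),
    Finding("P-006", "SI-2", "high", date(2024, 2, 1)),
    Finding("P-007", "CM-7", "low", date(2024, 2, 1), false_positive=True),
]


def due_date(f: Finding) -> date:
    """Remediation deadline: detection date plus the severity's window."""
    return f.detected + timedelta(days=REMEDIATION_DAYS[f.severity.lower()])


def is_open(f: Finding) -> bool:
    """Closed items and accepted false positives no longer count against the clock."""
    return f.closed is None and not f.false_positive


def poam_status(findings: List[Finding], today: date, warn_days: int = 7) -> Dict[str, object]:
    """Summarise open, overdue and soon-due POAM items for the monthly deliverable."""
    open_items = [f for f in findings if is_open(f)]
    overdue = [f for f in open_items if today > due_date(f)]
    due_soon = [f for f in open_items if 0 <= (due_date(f) - today).days <= warn_days]
    by_severity = {
        sev: sum(1 for f in open_items if f.severity.lower() == sev)
        for sev in REMEDIATION_DAYS
    }
    return {
        "reporting_date": today.isoformat(),
        "open": len(open_items),
        "open_by_severity": by_severity,
        "overdue": [f.poam_id for f in overdue],
        "days_overdue": {f.poam_id: (today - due_date(f)).days for f in overdue},
        "due_within_week": [f.poam_id for f in due_soon],
    }


if __name__ == "__main__":
    for key, value in poam_status(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

With the sample data, two items are already past their window (a high finding 11 days overdue and a low finding 33 days overdue), one high finding is due the next day, and the closed item and the accepted false positive are excluded from the counts. Feeding the same function your real scanner export each month gives you the overdue list your monthly report and your 3PAO will ask about.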
Cross- and Multi-Agency Continuous Monitoring
There are frequently cases where you may be working with another CSP, as your own contractors or suppliers, or as partners. You may also be working with more than one federal agency or agency contractor. You are not isolated in the world of cybersecurity, nor are you left to your own devices when dealing with continuous monitoring. Working with cross-agency systems and multi-agency communication is common.
Significant Changes. Any change that would alter the security controls that apply to your organization will generally fall under the category of a Significant Change. Anything that constitutes a Significant Change must be identified, evaluated, and approved before being implemented. This process uses the Significant Change Request Form, found here, to provide relevant information and gain approval for the change. It typically also requires detailed testing and review, including penetration testing of the changed systems.
Choosing the Right Scanning and Monitoring Tools
Continuous monitoring may sound like an immense burden based on everything we’ve written above. Make no mistake; it’s taken very seriously, and failure to maintain awareness and submit appropriate reports can eventually result in penalties, including the loss of your ATO. However, it’s not something you’re forced to do alone, from the ground up. There are numerous tools, companies, and systems available to help you with various aspects of continuous monitoring. These tools and services provide options for:
- Vulnerability scanning to continuously and periodically review existing systems, databases, web applications, and containers for known vulnerabilities to validate that those vulnerabilities do not exist and have not been introduced to your systems.
- Issue tracking, status tracking, and report tracking. A centralized monitoring and tracking dashboard can make it significantly easier to provide continuous monitoring overviews and, in the case where a vulnerability is detected, progress toward remediation.
- Reporting. FedRAMP allows for much of your continuous monitoring to be performed through automated systems, as long as there’s enough review to ensure that those systems work properly and are comprehensive in design. Generating reports can even be done automatically, though they must be reviewed and signed off on by the CSP and their 3PAO.
At Ignyte, one of our primary services is a platform that can help you with all of the above and more.
By helping to remove siloed software, eliminate sources of human error, aggregate ongoing data tracking and reporting, and make everything available both centrally and through compliant formats, we can help.
So, if you’re seeing FedRAMP compliance and an ATO audit for the first time, or if you’re already operating and want a new platform to help improve, streamline, and speed up your continuous monitoring, we’re here to help. To learn more about our services, you can click right here, reach out to talk to us directly, or schedule a demo right away. We’re standing by and are looking forward to working with you!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.