We say this just about every time the subject comes up (which is often, given our industry and role in it), but valid information security is not a state of being. It is a moving target and a process. Achieving certification for a certain level of security is a snapshot of a moment in time, but before the hands on the clock swing around again, that snapshot is out of date.
Security frameworks like FedRAMP deal with this reality in a few different ways.
In FedRAMP’s case, there are two processes on cycles that help ensure the ongoing validity of your security implementation.
The first process is the annual assessment. This is a once-a-year evaluation where a C3PAO comes by and checks out your documentation, processes, evidence, and general status. It’s like the final exam at the end of a school year.
The second process is continuous monitoring, or ConMon. Continuous monitoring is like the homework you do on an ongoing basis. Where the assessment is a pass or fail evaluation of your security, continuous monitoring is a snapshot of your state, and an opportunity to identify problems and address them before the exam.
Note: Some people think that FedRAMP has a once-every-three-years full auditing requirement. This used to be true, back many years ago, but the requirement was eliminated in 2016.
Why do people still think it’s relevant, nearly a decade later? It’s likely because of CMMC. CMMC is also a government information security framework and certification process, and it’s even based on the same sort of NIST security controls, but the details differ a lot. CMMC certifications last three years before another thorough review.
The specific differences between ConMon and annual assessments are important to know, so let’s talk about them.
BLUF - Bottom Line Up Front
Information security is always changing and requires ongoing processes. In FedRAMP, this involves annual assessments and continuous monitoring (ConMon). Annual assessments, conducted by a C3PAO, validate security each year. ConMon is an internal, ongoing review to find and fix issues before they affect annual assessments. Both processes ensure security remains robust. Misunderstandings arise from confusing FedRAMP with CMMC, which has a different audit cycle. Ignyte offers services and tools to support FedRAMP compliance.
ConMon Vs. Annual Assessments: Who Does the Work
First up is one of the biggest differences between continuous monitoring and annual assessments: the people in charge of them.
Annual assessments are your big make-or-break analysis of your security posture for the year. They validate whether or not you’ve maintained your security appropriately in a changing threat environment, and if you’ve managed to maintain your position or even improve upon where you were a year prior.
These assessments are a critical part of maintaining FedRAMP authority to operate, whether you’re using the new fast-track process or the older, slower process. As such, the government expects an unbiased look at your security. You can’t self-attest past an annual assessment. You need a C3PAO to do the analysis for you.
Continuous monitoring is different. You might think of it as a monthly internal audit, a quarterly review, a weekly task, or even an ongoing, daily reporting process. In fact, since you’ll have a lot of different systems to monitor in a lot of different ways, all of those might be true.
A failure of continuous monitoring is not grounds for immediate loss of FedRAMP authorization; rather, it means there’s a problem, a breach, a gap, or some other issue that you need to fix. If you fix it, you’re good to go; it’s only if you don’t fix it and it’s caught in your annual assessment that it jeopardizes your authorization.
Continuous monitoring, then, doesn’t require the external review of a C3PAO; instead, it’s an internal process handled by your security and compliance teams. It’s less like a team coming in to check your security, and more like the list of access logs from your security guards and internal logging systems.
Though we said “who does the work” for this category, don’t get it mixed up; you are responsible for your own security. ConMon is the ongoing work you do to maintain that security and report on it internally; the assessment is your reporting of it to a C3PAO and their evaluation.
ConMon Vs. Annual Assessments: Scope and Scale
Another significant difference between ConMon and the annual assessment is the scope of the analysis.
Continuous monitoring is an ongoing process of watching your security from various perspectives, to make sure that you’re still secure, that you have ways to catch attempts at intrusion or breaches, that you detect and address threats and risks, and that you preemptively improve security as the threat landscape around you changes.
The overall ConMon process is broken down into six steps.
- Defining the security posture you need to maintain, and what controls and requirements need to be maintained to keep that posture.
- Establishing the necessary framework, reporting, awareness, and analysis tools necessary to watch those elements of security, to ensure that they stay implemented and valid.
- Implementation of your monitoring and reporting system, your report analysis processes, and even your assignment of stakeholders.
- Analysis and reporting on the results of the monitoring on an ongoing basis, with whatever frequency is necessary to ensure coverage without wasting time with excessive reporting or risking undetected gaps through infrequent review.
- Response to any issues that arise in the process, be they technical, operational, or managerial.
- Reviewing, updating, and iterating on your security to make sure you’re always as updated as you can be.
A lot of this work is front-loaded. Once you have valid reporting set up, a lot of your ongoing monitoring duties are just watching for alerts and occasionally checking to make sure the systems are functioning as they should.
The annual assessment, meanwhile, is a more thorough, deeper, and less ongoing audit of your security posture. While your chosen C3PAO might not go through every system across every security control, they will spot-check the most relevant or potentially changed implementations, and they will evaluate your reporting. They can dig into incidents, they can check security, and they can even test some elements of your security implementation.
It’s less frequent, but the stakes are higher.
You will have already undergone one of these assessments when you achieved your authority to operate. In fact, the initial assessment is often considered much harder, because it’s a more thorough, higher-stakes analysis. The annual assessments tend to be a little lighter, though, of course, a failure can still jeopardize your authority to operate.
ConMon Vs. Annual Assessments: When it Happens
As the name implies, an annual assessment is just that: annual.
Likewise, as the name implies, continuous monitoring is just that: continuous.
Annual assessments aren’t necessarily exactly one year from the date of the last assessment, but there will be a range and a deadline by which you need the validation reported to the FedRAMP organization. Delaying the assessment beyond the deadline can jeopardize your contracts and your authority to operate.
Continuous monitoring is just your New Normal. Think of it like installing an alarm system in your building; part of your routine becomes locking up and ensuring the alarm is armed for the night when you leave. You don’t do this every now and then, or do it for a while and stop. No, you do it indefinitely, until such time as an alarm is no longer needed.
ConMon Vs. Annual Assessments: Depth of Analysis
A lot of people operate under the impression that continuous monitoring is a lesser process, and the real meat of FedRAMP is in the annual assessments. It’s somewhat reasonable, since a failure in ConMon doesn’t invalidate your contracts, but a failed assessment might. However, the truth is a little different.
Annual assessments are spot checks and samples. In contrast, ConMon is much more thorough.
Here’s an example: If you have 1,000 employees, all of whom have company laptops, those laptops need to be secured. Your C3PAO won’t ask all 1,000 employees to bring in their laptops to evaluate them. They’ll pick a random sampling of a hundred or so of those laptops to validate. However, your continuous monitoring requires you to have some way of validating that all 1,000 of them are secure at any given time.
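To make the full-coverage-versus-sampling distinction concrete, here is an added example (not code from the original post or from Ignyte) that runs the "analysis and reporting" step of the six-step ConMon process from the previous section over a constructed fleet of 1,000 laptops, then pulls a random sample of 100 the way an assessor's spot check would. The control names, thresholds, hostnames and the three deliberately noncompliant devices are all assumptions constructed for the example, not a FedRAMP control baseline.

```python
import random

# Constructed, illustrative endpoint baseline: each entry maps a control name to
# a predicate over a device record. These are assumptions for the example, not
# the FedRAMP control catalog.
REQUIRED_CONTROLS = {
    "disk_encrypted": lambda d: d["disk_encrypted"] is True,
    "edr_running": lambda d: d["edr_running"] is True,
    "patch_age_days": lambda d: d["patch_age_days"] <= 30,
    "screen_lock_minutes": lambda d: d["screen_lock_minutes"] <= 15,
}


def build_fleet(size=1000, seed=1):
    """Construct a synthetic inventory of laptop records (assumed schema).

    Three devices are seeded with known gaps so the results are reproducible.
    """
    rng = random.Random(seed)
    fleet = []
    for i in range(size):
        fleet.append({
            "hostname": f"lap-{i:04d}",      # constructed hostname
            "disk_encrypted": True,
            "edr_running": True,
            "patch_age_days": rng.randint(0, 25),
            "screen_lock_minutes": 10,
        })
    fleet[17]["disk_encrypted"] = False     # constructed gap
    fleet[402]["edr_running"] = False       # constructed gap
    fleet[777]["patch_age_days"] = 45       # constructed gap
    return fleet


def evaluate_device(device):
    """Return the names of every control this device fails (empty if compliant)."""
    return [name for name, check in REQUIRED_CONTROLS.items() if not check(device)]


def conmon_report(fleet):
    """The ConMon view: evaluate every device against every control."""
    findings = {}
    for device in fleet:
        failed = evaluate_device(device)
        if failed:
            findings[device["hostname"]] = failed
    return {
        "evaluated": len(fleet),
        "noncompliant": findings,
        "compliance_rate": (len(fleet) - len(findings)) / len(fleet),
    }


def assessor_sample(fleet, sample_size=100, seed=7):
    """The spot-check view: evaluate only a random sample of the fleet."""
    rng = random.Random(seed)
    sample = rng.sample(fleet, sample_size)
    findings = {}
    for device in sample:
        failed = evaluate_device(device)
        if failed:
            findings[device["hostname"]] = failed
    return {"sampled": len(sample), "noncompliant": findings}


def gaps_missed_by_sample(full_report, sample_report):
    """Noncompliant hosts that ConMon found but the sample did not touch."""
    return set(full_report["noncompliant"]) - set(sample_report["noncompliant"])


if __name__ == "__main__":
    fleet = build_fleet()
    full = conmon_report(fleet)
    sample = assessor_sample(fleet)
    print(f"ConMon: {len(full['noncompliant'])} of {full['evaluated']} noncompliant")
    print(f"Sample: {len(sample['noncompliant'])} of {sample['sampled']} noncompliant")
    print("Missed by the sample:", sorted(gaps_missed_by_sample(full, sample)))
```

Running the full report is what the ConMon "analysis and reporting" step amounts to in practice: the predicate table is the defined posture, `conmon_report` is the recurring evaluation, and the `noncompliant` dictionary is what feeds the response step. Whether the 100-device sample happens to catch any of the three gaps depends on the draw, which is exactly why the post treats ConMon as the more thorough of the two processes.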
One thing to be aware of is that continuous monitoring, or more specifically the logs and reports it produces, is itself part of the assessment. The C3PAO that performs your assessment will begin by reviewing your documentation, logging, and reporting. They can then use that information to guide their further assessment, determine if there are areas where they should focus more of their attention, and so forth.
In that sense, ConMon and the annual assessment are two parts of the same whole.
ConMon Vs. Annual Assessments: The Stakes
On one hand, you can consider the stakes to be different, but on the other, they kind of aren’t.
The annual assessment is critically important. If you pass it, great! You’re good to go for another year, barring a significant incident.
If you fail the assessment, however, you’re in for a rough time. You aren’t denied your authority to operate immediately, though some contracts might be put on hold temporarily depending on the terms of the contracts themselves.
Instead, you’re put on a corrective action plan. This plan is sort of like a POA&M, but for stuff you should have had implemented and maintained, but let lapse or slip. This is a plan of what you need to fix, and a relatively tight deadline to get the work done and validated.
Once the corrective work is done, you undergo a reassessment, and if you pass, great. If you fail, then you face stiffer consequences, including a revocation of your authority to operate, a cancellation of your ongoing contracts, and possibly even fines.
Note that the severe penalties might apply immediately if the scale of your lapse is significant enough.
ConMon, on the other hand, feels not quite so serious. If your monitoring is insufficient or lapses, or there’s a bug in your logging you don’t notice, or some other problem, you aren’t immediately put into jeopardy the way you are with a failed assessment.
However, a flaw in your continuous monitoring is a flaw in your security, and that flaw can and will be part of the reporting for your assessment. If you don’t have it all fixed appropriately by the time the assessment rolls around, it becomes one of the reasons why you then fail the assessment.
So, while a lapse in ConMon doesn’t immediately cancel your contracts, it’s not actually any lower stakes, just a longer timeline for the consequences.
ConMon Vs. Annual Assessments: How Ignyte Can Help
At Ignyte, we’re deeply experienced in providing support and assessments as part of the FedRAMP ecosystem. We’ve worked with many clients and have achieved over 100 full authority to operate acceptances for the clients we work with. We’ve also performed over a thousand audits, including mock audits, full certification audits, and annual assessment audits.
With all of that experience, we’re well-positioned to help you achieve your goals with FedRAMP as well. We can also help beyond being a C3PAO ourselves.
- If you want consulting and advice, you can reach out and contact us; we can help provide that information or point you in the direction of a firm that can help. Since you can’t have the same firm as a consultant and an auditor, be sure to know which role you want us to take.
- If you need auditing services, whether it’s for the initial validation and certification audit or for your annual assessments, we’re more than happy to help. Our auditing services are thorough and fair, and guaranteed to help achieve your goals.
- If you want to have a trusted partner to help you with the reporting elements of your continuous monitoring, you’re in luck. The Ignyte Assurance Platform is a centralized and collaborative tool you can use to accumulate and monitor the results of your continuous monitoring, where individuals and teams can collaborate to ensure the best possible security posture.
- If you have more general questions, our blog and our podcast are both full of excellent resources, insight, and opinions that can help guide your journey through FedRAMP, CMMC, ISO 27001, or any other security framework you need to achieve.
All of this is available, whether you want to book a demo of our platform or reach out for other services. We’d love to hear from you!
Dan Page is a seasoned Cybersecurity and Risk Management Executive known for advancing security programs aligned with complex regulatory frameworks and critical business objectives. With over 12 years in information security, his expertise began in the U.S. Army Signal Corps, where he led global communications and secured classified networks supporting Special Operations missions. Post-military, he specializes in security architecture for CUI, ITAR data, and federal cloud workloads. Currently, as Senior Cybersecurity Manager at Ignyte Assurance Platform, Dan guides organizations through compliance with CMMC, FedRAMP, ISO 27001, PCI, and NIST standards. A CISSP, CRISC, CISM, PMP, and ITIL-certified professional, he is also a cybersecurity lecturer and community volunteer advocating workforce development.