Continuous Monitoring [ConMon]

As described in the FedRAMP Continuous Monitoring Strategy Guide (PDF), ConMon involves the CSP monitoring its security controls, assessing them regularly, and demonstrating that the security posture of its service offering remains acceptable over time. Throughout the ConMon phase, CSPs must conduct activities such as Annual Assessments, Penetration Testing, Vulnerability Scanning, Access Reviews, and more. All of these activities are equally important, and together they provide the CSP's Authorizing Official (AO) with the risk-related information needed to make risk-based decisions. This blog post will focus on the ConMon vulnerability scanning and reporting process, outlining many of the challenges CSPs are working through.