1. Home
  2. FedRAMP
  3. CA-7

BRACKETOLOGY | FEDRAMP

CA-7: CONTINUOUS MONITORING

  • FedRAMP Baseline Membership CA-7:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

    • a. Establishment of [Assignment: organization-defined metrics] to be monitored;
    • b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
    • c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
    • d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
    • e. Correlation and analysis of security-related information generated by assessments and monitoring;
    • f. Response actions to address results of the analysis of security-related information; and
    • g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

  • a. Establishment of organization-defined metrics to be monitored;
  • b. Establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring;
  • c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  • d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  • e. Correlation and analysis of security-related information generated by assessments and monitoring;
  • f. Response actions to address results of the analysis of security-related information; and
  • g. Reporting the security status of organization and the information system to organization-defined personnel or roles organization-defined frequency.

FedRAMP REQUIREMENT:

  1. Operating System Scans: at least monthly
  2. Database and Web Application Scans: at least monthly
  3. All scans performed by Independent Assessor: at least annually

FedRAMP GUIDANCE:

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

  • a. Establishment of organization-defined metrics to be monitored;
  • b. Establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring;
  • c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  • d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  • e. Correlation and analysis of security-related information generated by assessments and monitoring;
  • f. Response actions to address results of the analysis of security-related information; and
  • g. Reporting the security status of organization and the information system to organization-defined personnel or roles organization-defined frequency.

FedRAMP REQUIREMENT:

  1. Operating System Scans: at least monthly
  2. Database and Web Application Scans: at least monthly
  3. All scans performed by Independent Assessor: at least annually

FedRAMP GUIDANCE:

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

  • a. Establishment of organization-defined metrics to be monitored;
  • b. Establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring;
  • c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  • d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  • e. Correlation and analysis of security-related information generated by assessments and monitoring;
  • f. Response actions to address results of the analysis of security-related information; and
  • g. Reporting the security status of organization and the information system to organization-defined personnel or roles organization-defined frequency.

FedRAMP REQUIREMENT:

  1. Operating System Scans: at least monthly
  2. Database and Web Application Scans: at least monthly
  3. All scans performed by Independent Assessor: at least annually

FedRAMP GUIDANCE:

CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates.

SUPPLEMENTAL GUIDANCE

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

CONTROL ENHANCEMENTS

CA-7 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT
  • FedRAMP Baseline Membership CA-7 (1):
  • MODERATE
  • HIGH

The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.

There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.

Supplemental Guidance:

Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services.

CA-7 (2) CONTINUOUS MONITORING | TYPES OF ASSESSMENTS

[Withdrawn: Incorporated into CA-2].

CA-7 (3) CONTINUOUS MONITORING | TREND ANALYSES
  • FedRAMP Baseline Membership CA-7 (3):
  • HIGH

The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

Supplemental Guidance:

Trend analyses can include, for example, examining recent threat information regarding the types of threat events that have occurred within the organization or across the federal government, success rates of certain types of cyber attacks, emerging vulnerabilities in information technologies, evolving social engineering techniques, results from multiple security control assessments, the effectiveness of configuration settings, and findings from Inspectors General or auditors.

REFERENCES:

  • DoD Information Assurance Vulnerability Alerts
  • NIST Special Publication 800-115
  • NIST Special Publication 800-137
  • NIST Special Publication 800-37
  • NIST Special Publication 800-39
  • NIST Special Publication 800-53A
  • OMB Memorandum 11-33
  • US-CERT Technical Cyber Security Alerts