Skip to content

Collaborative Continuous Monitoring

The Collaborative Continuous Monitoring rules help agencies use shared, current authorization information from providers as part of each agency's own Information Security Continuous Monitoring strategy. These rules reduce unnecessary manual burden by encouraging automated monitoring and review while allowing each agency to make its own risk-based decisions about ongoing authorization.

Effective Date(s) & Overall Applicability for 20x

  • Required (Consolidated Rules for 2026)
  • Optional Adoption: 2026-07-04
  • Obtain: 2026-07-04
  • Maintain: 2027-01-01
  • Grace Ends: On the first FedRAMP independent assessment started after 2027-01-01

Effective Date(s) & Overall Applicability for Rev5

  • Required (Consolidated Rules for 2026)
  • Optional Adoption: 2026-07-04
  • Obtain: 2027-01-01
  • Maintain: 2027-04-02
  • Grace Ends: 2027-10-01

Agency Guidance

These rules for agencies apply to all agencies using a FedRAMP Certification.

Type: 20xRev5
Path: ProgramAgency
Class: Class BClass CClass D
Audience: Agencies

Review Ongoing Reports

CCM-AGM-ROR

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies MUST review each Ongoing Certification Report to understand how changes to the cloud service offering may impact the previously agreed-upon risk tolerance documented in the agency's Authorization to Operate of a federal information system that includes the cloud service offering in its boundary.


Note: This is required by 44 USC ยง 35, OMB A-130, FIPS-200, and M-24-15.


Terms: Cloud Service Offering, FedRAMP Certification Report, Ongoing Certification, Ongoing Certification Report (OCR)

Consider Security Category

CCM-AGM-CSC

Changelog:

  • 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.

Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the cloud service offering in its boundary and assign appropriate information security resources for reviewing Ongoing Certification Reports, attending Quarterly Reviews, and other ongoing FedRAMP Certification Data.


Terms: Certification Data, Cloud Service Offering, Ongoing Certification, Quarterly Review, Security Category

Comments