Best Practices for Multi-Agency Continuous Monitoring
Both Cloud Service Providers (CSPs) and Federal Agencies play a role in Continuous Monitoring. FedRAMP Authorized CSPs are required to perform Continuous Monitoring to maintain a sufficient security posture. Federal Agencies are obligated to review a CSP’s Continuous Monitoring artifacts to determine if an Authority-to-Operate (ATO) is appropriate over the life of the system.
Completing Continuous Monitoring and managing multiple ATOs can become challenging when multiple Agencies leverage a common cloud service. In order to help Agencies navigate this process and better perform Continuous Monitoring, FedRAMP published Guidance for Managing Multi-Agency Continuous Monitoring. In this blog post, we walk you through the benefits, best practices, and resources outlined in this guide.
Why Multi-Agency Continuous Monitoring?
Multi-Agency collaboration on Continuous Monitoring benefits participating Agencies by creating a collaborative forum to:
- Enforce a shared responsibility for the security posture of a cloud service
- Shift the evaluation and decision-making regarding a CSP’s security posture from a single leveraging Agency to multiple agencies
- Create a shared understanding of the assessment and evaluation protocol for the ongoing security posture of a cloud service
- Mitigate the inefficiencies of Agencies independently evaluating the ongoing security posture for a commonly leveraged cloud service
What are Best Practices to Conduct Multi-Agency Continuous Monitoring?
1) Establish a Collaboration Group of Agencies Leveraging a Common Cloud Service
Collaboration Groups provide a means for Agencies to join together and support one another in a forum for the performance of Continuous Monitoring with a CSP. These groups should be comprised primarily of Agencies leveraging a common cloud service, as well as the CSP. Including a Third Party Assessment Organization (3PAO) is at the discretion of the CSP, but is encouraged by the FedRAMP Program Management Office (PMO).
Agencies establishing a Collaboration Group should:
- Ratify a charter that specifies the organization, activities, and governance of the Collaboration Group
- Schedule a regular cadence of meetings (e.g., monthly, quarterly) among Collaboration Group members and the CSP
- Formalize a standard agenda and communication channels for sharing questions, meeting minutes, and decision points across member Agencies
- Define mechanisms for determining a majority vote among member Agencies and processes for member protest, arbitration, and dispute resolution
2) Define the Common ‘High Water Mark’ a CSP Must Achieve to Address all Participating Agencies’ Requirements
Collaboration Groups should standardize the Continuous Monitoring requirements that a CSP must meet to streamline the review and approval of a cloud service security posture, including:
- Developing a standard report that summarizes a CSP’s Continuous Monitoring evidence and presents a rolling picture of the service’s security posture
- Defining common nomenclature and taxonomy for communicating Continuous Monitoring evidence that is agreed upon by member Agencies and the CSP
- Defining a governance process for the onboarding of new leveraging Agencies and rationalization of Agency-specific requirements relative to the Collaboration Group’s standardized requirements
- If applicable, identify Agency-specific Continuous Monitoring requirements that specific participating Agencies require per FISMA/FITARA
3) Define a Governance Protocol for the Evaluation, Approval, and Review of Proposed Significant Changes by the CSP
Evaluation and approval of significant changes is often a sticking point in the management of ATOs for a cloud service across multiple Agencies. Collaboration Groups should consider the following to streamline processes for proposed changes to a cloud service:
- Define a ‘lowest common denominator’ for the qualification of a proposed change by a CSP as a significant change. Ask: What does each participating Agency consider to be a significant change?
- Align the group’s significant change protocol to the FedRAMP Significant Change Request Form. Leverage FedRAMP’s Significant Change Policy and Procedures
- Encourage the CSP to clarify the anticipated security impact of a proposed change to current Agency-specific use cases of the cloud service
We hope the above best practices further Multi-Agency collaboration on Continuous Monitoring. For additional resources, see below, or visit our FedRAMP website. Additional questions can be addressed to firstname.lastname@example.org.
- Multi-Agency Continuous Monitoring Guidance
- Continuous Monitoring Strategy Guide
- Continuous Monitoring Performance Management Guide
- Significant Change Policy and Procedures Guidance