Skip to main content

Focus on FedRAMP

Best Practices for Multi-Agency Continuous Monitoring

Best Practices for Multi-Agency Continuous Monitoring

Both Cloud Service Providers (CSPs) and Federal Agencies play a role in Continuous Monitoring. FedRAMP Authorized CSPs are required to perform Continuous Monitoring to maintain a sufficient security posture. Federal Agencies are obligated to review a CSP’s Continuous Monitoring artifacts to determine if an Authority-to-Operate (ATO) is appropriate over the life of the system.

Completing Continuous Monitoring and managing multiple ATOs can become challenging when multiple Agencies leverage a common cloud service. In order to help Agencies navigate this process and better perform Continuous Monitoring, FedRAMP published Guidance for Managing Multi-Agency Continuous Monitoring. In this blog post, we walk you through the benefits, best practices, and resources outlined in this guide.

Why Multi-Agency Continuous Monitoring?

Multi-Agency collaboration on Continuous Monitoring benefits participating Agencies by creating a collaborative forum to:

  • Enforce a shared responsibility for the security posture of a cloud service
  • Shift the evaluation and decision-making regarding a CSP’s security posture from a single leveraging Agency to multiple agencies
  • Create a shared understanding of the assessment and evaluation protocol for the ongoing security posture of a cloud service
  • Mitigate the inefficiencies of Agencies independently evaluating the ongoing security posture for a commonly leveraged cloud service

What are Best Practices to Conduct Multi-Agency Continuous Monitoring?

1) Establish a Collaboration Group of Agencies Leveraging a Common Cloud Service

Collaboration Groups provide a means for Agencies to join together and support one another in a forum for the performance of Continuous Monitoring with a CSP. These groups should be comprised primarily of Agencies leveraging a common cloud service, as well as the CSP. Including a Third Party Assessment Organization (3PAO) is at the discretion of the CSP, but is encouraged by the FedRAMP Program Management Office (PMO).

Agencies establishing a Collaboration Group should:

  • Ratify a charter that specifies the organization, activities, and governance of the Collaboration Group
  • Schedule a regular cadence of meetings (e.g., monthly, quarterly) among Collaboration Group members and the CSP
  • Formalize a standard agenda and communication channels for sharing questions, meeting minutes, and decision points across member Agencies
  • Define mechanisms for determining a majority vote among member Agencies and processes for member protest, arbitration, and dispute resolution

2) Define the Common ‘High Water Mark’ a CSP Must Achieve to Address all Participating Agencies’ Requirements

Collaboration Groups should standardize the Continuous Monitoring requirements that a CSP must meet to streamline the review and approval of a cloud service security posture, including:

  • Developing a standard report that summarizes a CSP’s Continuous Monitoring evidence and presents a rolling picture of the service’s security posture
  • Defining common nomenclature and taxonomy for communicating Continuous Monitoring evidence that is agreed upon by member Agencies and the CSP
  • Defining a governance process for the onboarding of new leveraging Agencies and rationalization of Agency-specific requirements relative to the Collaboration Group’s standardized requirements
  • If applicable, identify Agency-specific Continuous Monitoring requirements that specific participating Agencies require per FISMA/FITARA

3) Define a Governance Protocol for the Evaluation, Approval, and Review of Proposed Significant Changes by the CSP

Evaluation and approval of significant changes is often a sticking point in the management of ATOs for a cloud service across multiple Agencies. Collaboration Groups should consider the following to streamline processes for proposed changes to a cloud service:

  • Define a ‘lowest common denominator’ for the qualification of a proposed change by a CSP as a significant change. Ask: What does each participating Agency consider to be a significant change?
  • Align the group’s significant change protocol to the FedRAMP Significant Change Request Form. Leverage FedRAMP’s Significant Change Policy and Procedures
  • Encourage the CSP to clarify the anticipated security impact of a proposed change to current Agency-specific use cases of the cloud service

We hope the above best practices further Multi-Agency collaboration on Continuous Monitoring. For additional resources, see below, or visit our FedRAMP website. Additional questions can be addressed to info@fedramp.gov.

Additional Resources: