Once a FedRAMP authorization has been granted, the security posture of a CSO is monitored according to the assessment and authorization process. Performing ongoing security assessments determines whether the set of deployed security controls in a CSO remains effective in light of new exploits and attacks, as well as planned and unplanned changes that occur in the system environment over the life of the system. To maintain a FedRAMP authorization, the CSP must monitor its security control environment, assess that control environment on a regular basis, and demonstrate that the security posture of its service offering is continuously acceptable.
Ongoing assessment of security controls results in greater control over the security posture of the CSO and enables timely risk-management decisions. Security-related information collected through continuous monitoring is used to make recurring updates to the system security package. Ongoing due diligence and review of security controls enable the security authorization package to remain current, allowing agencies to make informed risk-based decisions as they use cloud services.