Skip to main content


New ConMon Documents Available

January 31 | 2018

New ConMon Documents Available

As FedRAMP continues to enhance its continuous monitoring (ConMon) processes, we solicited feedback on how we could improve the overall processes. Over the past few months, we gathered input from stakeholders - including Cloud Service Providers (CSPs) and the Joint Authorization Board (JAB) Review Teams - and we identified several areas to streamline, clarify, and improve. As a result, we’ve made updates to existing documents and created new documents to:

  • Improve the overall process and clarify certain elements or expectations
  • Make it easier to reference aspects of the process that previously were not documented
  • Create structure in parts of the process that may have been interpreted differently by CSPs and JAB Reviewers

These documents listed below were recently posted to the FedRAMP website. Some of these are updated versions of existing documents and others are entirely new documents.

Updates to existing documents and templates include:

Continuous Monitoring Strategy Guide

  • Developed to provide guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements

Continuous Monitoring Performance Management Guide

  • Replaces the Provisional Authority to Operate (P-ATO) Management and Revocation Guide and explains the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program
  • Lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP will take when a CSP fails to meet the requirements of the P-ATO
  • Specifically addresses FedRAMP P-ATOs maintained by the JAB and enables FedRAMP to provide effective oversight of the CSP Continuous Monitoring programs

Vulnerability Deviation Request Form

  • Updated version of the current deviation request (DR) form
  • Provides a standardized method to document deviation requests
  • Used to document Risk Adjustments, False Positives, and Operational Requirements

Plan of Action and Milestones (POA&M) Template Completion Guide

  • Updated version of an existing document that now includes new guidance on how to complete the POA&M
  • Provides guidance when completing the POA&M to ensure that the CSP is meeting POA&M requirements

Plan of Action and Milestones (POA&M) Template

  • Provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts
  • Intended to be used as a tracking tool for risk mitigation in accordance with CSP priorities
  • Added additional column to provide visibility into which DRs have been auto-approved versus manually approved

Significant Change Form Template

  • Developed to capture the type(s) of system changes requested and the supporting details surrounding requested system changes, including FIPS 199
  • Can be used to request a significant change within an existing ATO

New FedRAMP documents and templates include:

Digital Identity Requirements

  • Developed to provide guidance on Digital Identity requirements in support of achieving and maintaining a security authorization that meets the FedRAMP requirements. FedRAMP is following the NIST guidance and this document describes how FedRAMP intends to implement it

Transport Layer Security (TLS) Requirements

  • Summarizes the National Institute of Standards and Technology (NIST) and Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-01 requirements to implement current Transport Layer Security (TLS) protocols and restrict the use of older protocols. FedRAMP is following the NIST guidance and this document describes how FedRAMP intends to implement it

Continuous Monitoring Monthly Executive Summary Template

  • This form provides the JAB reviewers and PMO with an executive summary of the monthly continuous monitoring submission from a CSP. It should detail all files that should be reviewed with that submission. It should be filled out and submitted with every monthly continuous monitoring submission by the CSP or their 3PAO

In addition, the following documents are still in development with plans to release early this year:

CVSS Framework Guidance

  • Developed to provide CSPs with a known vulnerability severity scoring framework Used to enable CSPs to create and use an automated, CVSS-based, vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools

Vulnerability Scan Requirements for CSPs Requesting to Do Sampling/Representative Scans

  • Developed based on requests from CSPs to scan samples of system components instead of the entire system
  • Provides guidance for CSPs on sampling system components rather than 100% scanning in continuous monitoring and also specifies which CSPs are eligible for doing sampling

We appreciate all the feedback and input we received from our stakeholders and partners to help improve the program. If you have any questions or additional input, please reach out to

Back to Blogs