FedRAMP requires all Authorized Cloud Service Providers (CSPs) to perform at least monthly vulnerability scans of their cloud service systems. These vulnerability scans are the cornerstone of the continuous monitoring of CSPs’ cloud service risk postures, enabling authorizing officials to continue to authorize CSP cloud systems for use. CSPs are responsible for ensuring the highest-quality vulnerability scans. FedRAMP evaluates all vulnerability scanning reports and provides a summary report to the Joint Authorization Board (JAB). In this way, FedRAMP maintains a current view of the security posture of CSP systems through scanning and continuous monitoring documentation.
On June 3, 2015, the FedRAMP PMO released the JAB Provisional Authorization (P-ATO) Vulnerability Scan Requirements Guide. This document describes the requirements for all vulnerability scans of FedRAMP CSP products. Consult the guide for a full listing of vulnerability scan requirements.