RFC-0026 Clarifying CA-7 Continuous Monitoring Expectations for Rev5 Providers

Summary

This RFC outlines FedRAMP Consolidated Rules 2026 clarifications and updates to the CA-7 Continuous Monitoring control for all FedRAMP Rev5 baselines to ensure cloud service providers with multiple agency customers provide sufficient information to support ongoing authorization to all agency customers. These updates are summarized as follows:

  • Remove outdated references to the JAB
  • Instruct 3PAOs to treat gaps in meeting this requirement as high-impact findings
  • Document corrective actions
  • Provide guidance on the intersection with the Collaborative Continuous Monitoring BIR

Motivation

FedRAMP is not simply a security program - it is a government-wide program established to provide a standardized, reusable approach to security assessment and authorization for cloud services used by agencies. FedRAMP’s primary responsibility is ensuring agencies have the information they need to make ongoing authorization decisions about the cloud services they are already using. Any agency that issued an authorization to operate a cloud service based on the information provided in a FedRAMP authorization package must also have access to ongoing authorization data (including all continuous monitoring and annual assessment artifacts) to support their authorization to operate.

The Additional FedRAMP Requirements and Guidance for CA-7 Continuous Monitoring in their current form have a confusing reference to the JAB path that was rescinded by OMB Memorandum M-24-15. This guidance currently reads as follows:

“Requirement: CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (ConMon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the Agency path as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs authorized via the JAB path because the JAB performs ConMon oversight.”

The implementation of a continuous monitoring program that shares necessary information with all agency customers is a critical component for the presumption of adequacy provided by a FedRAMP Certification; if these materials are not available to all agency customers then the cloud service provider is not sharing adequate information for use in an agency authorization and corrective action is required.

FedRAMP acknowledges that these requirements changed unexpectedly and abruptly in July 2024 with the rescission of the previous FedRAMP memorandum and establishment of a new vision for FedRAMP by OMB Memorandum M-24-15; this RFC proposes a structured timeline, clear next steps, and predictable corrective action to ensure that all cloud service providers can continue to meet ongoing FedRAMP Certification requirements without further surprise.

The section below, “CA-7 Additional FedRAMP Requirements and Guidance,” would entirely replace the existing guidance for CA-7.

CA-7 Additional FedRAMP Requirements and Guidance

Guidance: The optional Collaborative Continuous Monitoring Balance Improvement Release for Rev5 includes a detailed blueprint for maintaining a healthy modern continuous monitoring program.

FedRAMP does not provide a template for the Continuous Monitoring Plan. Providers should reference the FedRAMP Collaborative Continuous Monitoring Balance Improvement Release or the Rev5 Continuous Monitoring Playbook when developing the Continuous Monitoring Plan.

Requirement RV5-CA07-VLN (Vulnerability Reporting)

Providers MUST share vulnerability information with all agency customers and FedRAMP using one of the following two processes:

  1. Implementing the Vulnerability Detection and Response Balance Improvement Release for Rev5 (either in Beta or Wide Release); or

  2. Sharing Operating System, Database, Web Application, Container, and Service Configuration Scans, at least monthly; AND sharing updated Plans of Action and Milestones (POA&Ms), at least monthly; AND sharing all scans performed by an Independent Assessor, at least annually.

NOTES:

  • Providers implementing the Vulnerability Detection and Response Balance Improvement Release do not maintain Plans of Action & Milestones.
  • Plans of Action and Milestones have a required FedRAMP Template and if you are leveraging the FedRAMP Managed Repository (Connect.gov) there is a required folder for POA&M placement. Ensure you are placing your POA&Ms within the correct folder in their native format and have either POAM or POA&M in the naming convention.

Requirement RV5-CA07-CCM (Collaborative Continuous Monitoring)

Providers MUST provide recurring monitoring information (including meetings) to all agency customers and FedRAMP using one of the following two collaborative continuous monitoring processes:

  1. Implement the Collaborative Continuous Monitoring Balance Improvement Release for Rev5 (either in Beta or Wide Release); or

  2. Implement the traditional collaborative continuous monitoring approach as described in the FedRAMP Rev5 Continuous Monitoring Playbook or successor materials.

Effective Date for All RV5-CA07 Requirements

These requirements will be effective immediately for gradual adoption when published with the FedRAMP Consolidated Rules for 2026 by the end of June 2026. There will be an initial grace period without any corrective action until December 31, 2026.

Enforcement with corrective action will begin on January 1, 2027.

Failure Measures for All RV5-CA07 Requirements

These failure measures and corrective actions apply only to providers that are NOT following the Collaborative Continuous Monitoring Balance Improvement Release process (because that process has separate failure measures and corrective actions).

Failure measures that will trigger corrective action include:

  1. Failure to host a traditional monthly ConMon meeting open to all agency customers (RV5-CA07-CCM) and FedRAMP during any given month.

  2. Failure to share the required information (RV5-CA07-VLN), following the required process, with all agency customers and FedRAMP during any given month.

NOTE: Providers implementing the Vulnerability Detection and Response Balance Improvement Release do not maintain Plans of Action & Milestones.

Corrective Actions for All RV5-CA07 Requirements

These requirements will be enforced over a 12-month period that resets after each failure (meaning a provider must go 12 months without failures to clear the corrective actions) as follows:

  1. First failure:

    1. FedRAMP will notify the provider and request a Corrective Action Plan.

    2. FedRAMP will notify all agencies.

    3. Providers will be granted a one-month grace period for implementation after submitting the initial Corrective Action Plan.

  2. Second failure:

    1. FedRAMP will notify the provider and request an updated Corrective Action Plan.

    2. FedRAMP will notify all agencies that the provider has failed 2 times.

  3. Third failure:

    1. FedRAMP will notify the provider and request an updated Corrective Action Plan.

    2. FedRAMP will notify all agencies that the provider has failed 3 times.

    3. FedRAMP will move the cloud service offering into the “Remediation” status on the FedRAMP Marketplace and publicly summarize the failures leading to corrective action.

  4. Fourth failure:

    1. FedRAMP will notify the provider and request an updated Corrective Action Plan.

    2. FedRAMP will notify all agencies that the provider has failed 4 times and is pending revocation of FedRAMP Certification.

    3. FedRAMP will maintain the cloud service offering in the “Remediation” status on the FedRAMP Marketplace with a public summary of the failures.

  5. Fifth failure:

    1. FedRAMP will notify the provider and revoke their FedRAMP Certification.

    2. FedRAMP will notify all agencies that the provider failed 5 times in 12 months and their FedRAMP Certification has been revoked.

    3. The cloud service offering will be removed from the FedRAMP Marketplace for a period of at least 6 months, after which the cloud service offering may undergo a full new assessment for FedRAMP Certification.