Skip to main content

Focus on FedRAMP

Three Additional ConMon Documents Released

On January 31st, FedRAMP released several new or revised Continuous Monitoring (ConMon) documents and templates with the goal of:

  • Improving the overall ConMon process by clarifying certain elements and expectations
  • Making it easier to reference aspects of the process that previously were not documented
  • Creating structure in parts of the process that may have been interpreted differently by CSPs and JAB Reviewers

We shared detailed information on these documents in a previous blog post, then conducted a webinar in which the FedRAMP PMO walked through each document individually.

Today, we’ve added three additional new documents on the FedRAMP.gov website:

  1. DRAFT Automated Vulnerability Risk Adjustment Framework Guidance
    • Provides CSPs with a framework to create and deploy an automated, CVSS-based vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools
    • Goal is to maintain or increase security rigor while reducing the LOE for scanner-related risk reductions
    • Document is in DRAFT form while FedRAMP pilots this process with CSPs over the next year or so
  2. Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans
    • Developed based on requests from CSPs looking to scan representative samples of system components instead of the entire system
    • Provides guidance for CSPs on sampling representative system components rather than scanning every component
    • CSPs with currently approved sampling methodologies have six months to comply with new guidance
  3. Vulnerability Scanning Requirements
    • Provides CSPs with a known vulnerability severity scoring framework to enable them to create and use an automated, CVSS-based vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools
    • Lays out guidance about the requirements (i.e. requiring authentication data, CVE/CVSS information, configuration settings) in a “scanner agnostic” manner
    • Further automates the ConMon process, such as auto-CVSS downgrading, cross-CSP correlative analysis, and metrics around commonly found risks across all systems with FedRAMP JAB P-ATOs

We appreciate the thoughtful feedback and input we received from our stakeholders and partners. Your input is crucial in helping us further improve the FedRAMP program. If you have any questions or additional input, please reach out to info@fedramp.gov.