ConMon: FedRAMP Continuous Monitoring and How It Works

Obtaining a software approval  with the federal government and its agencies as a contractor and obtaining an Authority to Operate (ATO) is not a one-time process. We’re not just referring to the need to recertify annually and pass occasional audits. We’re talking about an additional part of the process, the final part of the NIST Risk Management Framework: Monitoring.

Monitoring, also referred to as Continuous Monitoring or ConMon, is the process of watching and reviewing your systems and processes to ensure that security doesn’t slip and, in the event of a breach, that said breach is detected and addressed as soon as possible.

We’ll break down what you need to know and do, but if you want to dig into the documentation directly from the source, some useful resources include:

• The National Institute of Standards and Technology Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
• The FedRAMP Continuous Monitoring Strategy Guide
• The FedRAMP Continuous Monitoring Performance Management Guide

Many other documents are available as well to explain and expound upon specific questions you may have. If you have a need for a specific resource, you can often find it on FedRAMP.gov, the NIST website, or linked within another publication. We’ll also provide what resources we have if you ask.

A Six-Step Process

Broadly, continuous monitoring is divided into six steps or phases. Five of them are intimately linked with the overall process of establishing your security and acquiring your ATO. The sixth is the final state of established continuous monitoring and response.

Step 1: Define

The first step is defining your overall security posture at each relevant level and the requirements and minimums you must uphold for each relevant security control.

This is partially determined by your overall integration with government information and Covered Defense Information (CDI) and partially by your defined impact level as determined by addressing the Federal Information Processing Standard (FIPS) 199 guidelines (for more information see our guide on FIPS (here). In general, most guides and reviews will consider your impact level to be Moderate, as the vast majority of Cloud Service Providers (CSPs) working for FedRAMP Authorization will fall into that category.

Step 2: Establish

The second step is to take your defined security posture and awareness of controls and set up a technical framework for monitoring those security controls. This includes defining how each control must be monitored and how often those controls are checked. This would also include guidance and procedures on how to respond to anomalies in the metrics, or how to respond if defined thresholds are breached for monitored items.

Some controls aren’t necessarily frequently accessed, changed, or used, and so can be allowed to be checked less often than others with greater import.

Step 3: Implement

The third step is the implementation of your monitoring system. Here, you will collect, organize, and review the information on each security control, including status updates and reports.

FedRAMP recommends automating as much of this as possible, both to eliminate human error and to ensure compliance with timing and logging policies.

Step 4: Analyze and Report

Once data has been gathered through the implemented monitoring system, reports must be created, reviewed, and analyzed. It does you no good to simply file these logs away with no attention, after all. These logs must be analyzed to determine if your security posture is still appropriate, if any changes need to be made, if any signs of a breach or intrusion have been detected, and if there are any other oddities that need attention.

This is occasionally a multi-part process. If a situation arises, you may need to perform a more detailed audit and gather more data to perform further analysis.

This step ends with a report of your findings, distilled from technical logs into tangible, readable, and actionable information. For many organizations, reporting – while less strenuous and thorough than the auditing required for annual authentication – is a monthly requirement.

Step 5: Respond

The second to last step in the defined continuous monitoring process is responding if anything unusual is discovered in the previous analysis. Responses come in three axis: technical responses, managerial responses, and operational responses.

An incident can be anything from an actual data breach, to the failed results of a penetration test, to a third-party report of a zero-day exploit, to a change in security standards you previously upheld. Your target is frequently a moving one and a response is necessary to maintain an ongoing security posture. In other words, you can’t simply rest on your laurels even if no serious incidents occur.

Step 6: Review and Update

The final phase is to review the results of your analysis and response and see what changes may need to be applied to step 1’s definition and step 2’s establishment of your continuous monitoring system. Implement any changes that need to be made to maintain the appropriate level of security and begin again.

Overall, while the six steps are defined and laid out in FedRAMP documentation, the core concept is simple. You are implementing a system of ongoing monitoring, along with incident response and reporting, to make sure that you maintain your security. Everything else is the details of how you go about it.

Concerns and Details for Continuous Monitoring

When you’re implementing continuous monitoring, there are many questions and concerns that may come up. We’ve answered the most common questions here, but if you have another we haven’t addressed, feel free to ask us directly, and we’ll help shed light on the situation for you.

Working with a 3PAO

When you seek FedRAMP ATO, you will need to work with a certified third-party assessment organization (such as ourselves) for a thorough audit and review of your systems and security. You will also need to work with a 3PAO to perform your annual assessments as required according to your impact level.

There is no rule, however, that says that you must continue working with the same 3PAO indefinitely. If you didn’t like or had issues with the service of the 3PAO you initially worked with, you can change your 3PAO at any time. Some are better than others in terms of being thorough, proactive, or reasonably priced.

If you’re interested to see how we can help you as both a continuous monitoring platform and a certified 3PAO, click here to learn more.

Additional Security Requirements

There are a variety of situations where your business as a CSP, the information you handle as a government contractor, the industry in which you work, or your defined federal impact level will alter the requirements for continuous monitoring.

Your Impact Level. Impact levels have been simplified to just three levels: low, moderate, and high. The majority of CSPs will fall into the moderate category, but those in the high category will have more stringent requirements and additional reporting requirements and audits to pass as befitting the information they handle.

The class of information you handle. FedRAMP, in general, is about Controlled Unclassified Information, but there are additional frameworks that layer on top of or supplant basic FedRAMP requirements. These can include regulations such as the International Traffic in Arms Regulation (ITAR) and the Criminal Justice Information Services requirements.

Your industry. The biggest example of this is healthcare; any CSP working in the healthcare and health information space is likely required to also adhere to the Health Insurance Portability and Accountability Act, or HIPAA.

Some of these will adjust the level of controls or the level of monitoring of those controls that are required. Others will require more comprehensive and regular auditing than your basic FedRAMP ongoing monitoring.

Working with a POAM

Another confounding variable for continuous monitoring is when your certification is reliant upon a Plan of Action and M/ilestones document, or POAM. We’ve discussed POAMs in greater detail here, but the short version is this:

When you’re certifying for a FedRAMP ATO, the government acknowledges that you may not be able to have every security control implemented perfectly by the time your audit rolls around, especially if you’re applying to work with agencies and contracts on a tight timeline. It’s reasonable, then, that you be allowed some leeway as long as all of the most important baselines are covered.

A POAM is a plan to go from, say, 90% of the way to compliance to 100% of the way to compliance over a specified timeframe. Low-impact CSPs have a greater amount of time to go through their POAM, while high-impact CSPs have the shortest window.

However, you don’t wait until your POAM is complete to begin continuous monitoring. ConMon begins as soon as you receive your ATO.

This is covered in the original six phases of continuous monitoring. Each cycle, as your POAM progresses, any new controls or interactions you make must be accounted for and added to your monitoring. The two fit together naturally.

Cross- and Multi-Agency Continuous Monitoring

There are frequently cases where you may be working with another CSP, as your own contractors or suppliers, or as partners. You may also be working with more than one federal agency or agency contractor. You are not isolated in the world of cybersecurity, nor are you left to your own devices when dealing with continuous monitoring. Working with cross-agency systems and multi-agency communication is common.

FedRAMP also provides detailed guidance and rules for working in collaboration with others, particularly when it comes to ConMon. For example, here is their page containing their recommended best practices. Every CSP’s situation is different, but the end goal is always the same: secure systems.

Making Significant Changes

Sometimes, there’s a reason why something above and beyond a basic change in security standards needs to be implemented.

We’re not talking about something like upgrading a minor patch to a software application in use or upgrading door locks on your facility. We’re talking about larger changes to your overall infrastructure or to significant security controls.

Any change that would change the security controls that apply to your organization will generally fall under the category of a Significant Change. Anything that constitutes a Significant Change will need to be identified, evaluated, and approved before being implemented. This process uses the Significant Change Request Form, found here, to provide relevant information and gain approval for the change. This typically also requires detailed testing and review, including penetration testing for your changed systems.

Choosing the Right Scanning and Monitoring Tools

Continuous monitoring may sound like an immense burden based on everything we’ve written above. Make no mistake; it’s taken very seriously, and failure to maintain awareness and submit appropriate reports can eventually result in penalties, including the loss of your ATO. However, it’s not something you’re forced to do alone, from the ground up. There are numerous tools, companies, and systems available to help you with various aspects of continuous monitoring. These tools and services provide options for:

• Vulnerability scanning to continuously and periodically review existing systems, databases, web applications, and containers for known vulnerabilities to validate that those vulnerabilities do not exist and have not been introduced to your systems.
• Issue tracking, status tracking, and report tracking. A centralized monitoring and tracking dashboard can make it significantly easier to provide continuous monitoring overviews and, in the case where a vulnerability is detected, progress toward remediation.
• Reporting. FedRAMP allows for much of your continuous monitoring to be performed through automated systems, as long as there’s enough review to ensure that those systems work properly and are comprehensive in design. Generating reports can even be done automatically, though they must be reviewed and signed off on by the CSP and their 3PAO.

At Ignyte, one of our primary services is a platform that can help you with all of the above and more.

By helping to remove siloed software, eliminate sources of human error, aggregate ongoing data tracking and reporting, and make everything available both centrally and through compliant formats, we can help.

So, if you’re seeing FedRAMP compliance and an ATO audit for the first time, or if you’re already operating and want a new platform to help improve, streamline, and speed up your continuous monitoring, we’re here to help. To learn more about our services, you can click right here, reach out to talk to us directly, or schedule a demo right away. We’re standing by and are looking forward to working with you!

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Ignyte Team. Read the original post at: https://www.ignyteplatform.com/blog/supplier-risk/conmon-fedramp-continuous-monitoring-and-how-it-works/