FedRAMP Continuous Monitoring Template


Uploaded by

James Marven

Continuous Monitoring Plan

FedRAMP Continuous Monitoring Plan Template


CSP: (cloud service provider name)
CSO: (cloud service offering name)
Original ATO Date: MM/DD/YYYY
Last Updated: MM/DD/YYYY
Completed by: (main POC name)
Agency if applicable: (agency name)
Impact Level: (select)
Service Model: (select)
Deployment Model: (select)

| No. | Control Name | Control ID | Description | Frequency | Responsible | Deliverable |
|---|---|---|---|---|---|---|
| 1 | Information System Monitoring | SI-4 | Monitors the system in accordance with SI-4 control requirements. | Continuous/Ongoing | CSP | Evidence |
| 2 | Auditable Events | AU-2d | Monitor required events | Continuous/Ongoing | CSP | Evidence |
| 3 | Information System Component Inventory | CM-8(3)a | Automated detection of new assets | Continuous/Ongoing | CSP | Evidence |
| 4a | Incident Reporting | IR-6 | Incident reporting and tracking | Continuous/Ongoing | CSP | Evidence |
| 4b | Incident Reporting | IR-6 | Incident reporting and tracking | As Required | CSP | Report |
| 5 | Temperature & Humidity Controls | PE-14(b) | Monitor | Continuous/Ongoing | CSP | Evidence |
| 6 | Vulnerability Scanning | RA-5(2) | Update list of vulnerabilities scanned before each scan | Continuous/Ongoing | CSP | Evidence |
| 7 | Wireless Intrusion Detection | SI-4(14) | Monitors for unauthorized wireless connection points | Continuous/Ongoing | CSP | Evidence |
| 8 | Contingency Planning | CP-3(a) | Evidence | 10 Days | CSP | Evidence |
| 9 | Audit Review, Analysis, & Reporting | AU-6a | Review/analyze audit records and report findings of anomalies | Weekly | CSP | Evidence |
| 10 | Vulnerability Scanning | RA-5d | Provide artifacts to ISSO showing high-risk vulnerabilities have been mitigated within 30 days and moderate-risk vulnerabilities within 90 days | Monthly | CSP | Report |
| 11 | Continuous Monitoring Security State | CA-7g | Report security state of the system to own organization | Monthly | CSP | Evidence |
| 12 | Access Records | PE-8b | Review visitor access records | Monthly | CSP | Evidence |
| 13 | Least Functionality | CM-7(1)a | Identify and eliminate unnecessary functions, ports, protocols, and/or services | Monthly | CSP | Evidence |
| 14 | Vulnerability Scanning | RA-5a | OS/infrastructure/web application/database scans | Monthly | CSP | Report |
| 15 | Flaw Remediation | SI-2c | Install security-relevant software and firmware updates within 30 days of the release of the updates. | Monthly | CSP | Evidence |
| 16 | Flaw Remediation | SI-2(2) | Automated checks for system flaws | Monthly | CSP | Evidence |
| 17 | Software & Information Integrity | SI-7(1) | Perform integrity scans | Monthly | CSP | Evidence |
| 18 | Account Management | AC-2(2) | Automatic termination of temporary and emergency accounts after no more than 30 days. | Monthly | CSP | Evidence |
| 19 | Security Functionality Verification | SI-6 | Verify correct operation of security functions | Monthly | CSP | Evidence |
| 20 | Plan of Action & Milestones | CA-5 | Update monthly and submit to ISSO | Monthly | CSP | Report |
| 21 | Monitoring Physical Access | PE-6b | Review physical access logs and record date in SSP | Monthly | CSP | Evidence |
| 22 | Authenticator Management | IA-5g | Change/refresh authenticators at least every sixty days | 60 Days | CSP | Evidence |
| 23 | Account Management | AC-2(3) | Disable user IDs after 90 days of inactivity | 90 Days | CSP | Evidence |
| 24 | Identifier Management | IA-4e | Disable user IDs after 90 days of inactivity. | 90 Days | CSP | Evidence |
| 25 | Publicly Accessible Content | AC-22d | Review content on publicly accessible system and look for non-public information. | 90 Days | CSP | Evidence |
| 26 | Access Restrictions for Change | CM-5(5)b | Review and reevaluate information system developer/integrator privileges quarterly. | 90 Days | CSP | Evidence |
| 27 | Information Security Policies | All "-1" Controls | Review and update | Annually | CSP | Evidence |
| 28 | Account Management | AC-2j | Review and re-certify user accounts and record date in SSP | Annually | CSP | Evidence |
| 29 | Security Awareness | AT-2 | Provide basic security awareness training and record date in SSP | Annually | CSP | Evidence |
| 30 | Auditable Events | AU-2(3) | Review and update auditable events and record changes and date in SSP | Annually | CSP | Evidence |
| 31 | Security Assessments | CA-2b | Assess subset of security controls | Annually | 3PAO | Report |

File: 810230118.xlsx Page 1 Print Date: 11/03/2024


| No. | Control Name | Control ID | Description | Frequency | Responsible | Deliverable |
|---|---|---|---|---|---|---|
| 32 | Security Assessments | CA-2 | Plan for the annual assessment and conduct the assessment | Annually | 3PAO | Report |
| 33 | Security Assessments - Specialized Assessments | CA-2(2) | Testing in accordance with FedRAMP-specific requirements as part of annual assessment | Annually | 3PAO | Report |
| 34a | Penetration Testing | CA-8, CA-8(1) | CSP at least annually and as needed, and 3PAO penetration testing as part of annual assessment | Annually | CSP | Report |
| 34b | Penetration Testing | CA-8, CA-8(1) | CSP at least annually and as needed, and 3PAO penetration testing as part of annual assessment | Annually | 3PAO | Report |
| 35 | Baseline Configuration and System Component Inventory | CM-2(1)a | Review and update baseline configuration annually or during installations and updates | Annually | CSP | Evidence |
| 36 | Configuration Management Plan | CM-9 | Review and update | Annually | CSP | Evidence |
| 37 | IT Contingency Plan | CP-2d | Review and update | Annually | CSP | Evidence |
| 38 | IT Contingency Training | CP-3 | Train personnel in contingency roles and responsibilities and record date in SSP | Annually | CSP | Evidence |
| 39 | IT Contingency Plan Testing & Exercises (Moderate Systems) | CP-4a | Test and exercise IT Contingency Plan; insert into Appendix F of IT Contingency Plan | Annually | CSP | Report |
| 40 | Information System Backup | CP-9(1) | Test backups to verify integrity and reliability and record date in SSP | Annually | CSP | Evidence |
| 41 | Incident Response Training | IR-2c | Conduct incident response training and record date, training materials and participants in SSP | Annually | CSP | Evidence |
| 42 | Incident Response Testing | IR-3 | Perform incident response testing and record date, results, and participants in SSP | Annually | CSP | Report |
| 43 | Incident Response Plan | IR-8 | Review and update | Annually | CSP | Evidence |
| 44 | Physical Access Authorizations | PE-2c | Review physical access authorization credentials and record date and who performed it in SSP | Annually | CSP | Evidence |
| 45 | Physical Access Control | PE-3f | Inventory physical access devices annually and record date in SSP | Annually | CSP | Evidence |
| 46 | Physical Access Control | PE-3g | Change combinations and keys annually and record date and name of responsible person in SSP | Annually | CSP | Evidence |
| 47 | System Security Plan | PL-2c | Review and update | Annually | CSP | Evidence |
| 48 | Access Agreements | PS-6b, PS-6c | Review and update and record date in SSP | Annually | CSP | Evidence |
| 49 | Vulnerability Scan | RA-5a | Scan OS/infrastructure, web applications, and databases | Annually | 3PAO | Report |
| 50 | Boundary Protection | SC-7(4)e | Remove traffic flow that is no longer supported by business/mission need | Annually | CSP | Evidence |
| 51 | Security Training | AT-3b, AT-3c | Annual role-based training | Annually | CSP | Evidence |
| 52 | Security Awareness Training Records | AT-4b | Archive training records | Annually | CSP | Evidence |
| 53 | Identifier Management | IA-4d | Prevent reuse of user and device identifiers every 2 years | Every Two Years | CSP | Evidence |
| 54 | Security Authorization | CA-6c | Record date of any reauthorization in SSP | Every Three Years | CSP | Evidence |
| 55 | IT Contingency Plan Testing & Exercises (Low Systems) | CP-4a | Test and exercise the IT Contingency Plan | Every Three Years | CSP | Report |
| 56 | Position Categorization | PS-2c | Review position categorizations and record date in SSP | Every Three Years | CSP | Evidence |
| 57 | Risk Assessment | RA-3c, e | Review and update security assessments and record date in SSP | Every Three Years | CSP | Evidence |
| 58 | Personnel Screening | PS-3b | Law enforcement must undergo personnel screening every 5 years; record date and names in SSP | Every Five Years | CSP | Evidence |


Planned Dates for Delivery/Completion
Monthly

| No. | Control Name | Control ID | Description | Dates |
|---|---|---|---|---|
| 10 | Vulnerability Scanning | RA-5a | OS/infrastructure/web application/database scans | |
| 20 | Plan of Action & Milestones | CA-5 | Update as needed and submit to ISSO | |

Annually

| No. | Control Name | Control ID | Description | Dates |
|---|---|---|---|---|
| 31 | Security Assessments | CA-2b | Assess subset of security controls (see Core Control List) | |
| 32 | Security Assessments Plan | CA-2 | Plan for assessment | |
| 33 | Security Assessments - Specialized Assessments | CA-2(2) | Specialized assessments | |
| 34 | Penetration Testing | CA-8, CA-8(1) | Penetration test | |
| 39 | IT Contingency Plan Testing & Exercises (Moderate Systems) | CP-4a | Test and exercise IT Contingency Plan; insert into Appendix F of IT Contingency Plan | |
| 42 | Incident Response Testing | IR-3 | Perform incident response testing and record date, results, and participants in SSP | |
| 49 | Vulnerability Scan | RA-5a | Scan OS/infrastructure, web applications, and databases by 3PAO | |
