FedRAMP® Continuous Monitoring Deliverables Template

How to Contact Us

Questions about FedRAMP or this document should be directed to info@fedramp.gov. For more information about FedRAMP, visit the web

About This Template and Who Should Use It


This template uses the term authorizing official (AO). For systems with a Joint Authorization Board (JAB) P-ATO, AO
refers to the JAB. For systems with a FedRAMP Agency authorization to operate (ATO), AO refers to each leveraging
Agency’s AO.

This template summarizes what continuous monitoring (ConMon) deliverables must be submitted to the Cloud Service
Offering (CSO) designated document repository for the AO's review. Cloud Service Providers (CSPs) must use this
worksheet to document the schedule and location of CSO ConMon deliverables.

Initial submission

- CSPs in the continuous monitoring phase: Submit this completed worksheet as soon as possible (within a reasonable
  timeframe) and coordinate with your AO on the schedule for the initial submission.
- CSPs pending authorization: Complete this worksheet within 10 business days from receipt of the authorization.

Maintaining this worksheet

- Coordinate with your AO(s) on any updates that are needed after the initial submission.
- Update the worksheet when deliverables are completed and annually, by the CSO's Annual Assessment due date.

Where to post this worksheet

- For CSPs using Connect.gov: Post the completed worksheet in the top-level Continuous Monitoring directory.
  Coordinate with your JAB POCs to ensure the document is posted to the customer-facing Continuous Monitoring
  directory (if applicable).
- For CSPs that do not use Connect.gov and maintain their own document repository: Post the completed worksheet in
  the top-level customer-facing Continuous Monitoring directory and in the top-level of the JAB-internal Continuous
  Monitoring directory (if applicable).
Continuous Monitoring Plan

FedRAMP Continuous Monitoring Deliverables Template

CSP: (cloud service provider name)
CSO: (cloud service offering name)
Impact Level: (select)
Service Model: (select)
Deployment Model: (select)
FedRAMP Authorized Date: MM/DD/YYYY
Last Annual Assessment: MM/DD/YYYY
Completed by: (main POC name)

The deliverables worksheet has the following columns: Activity; Control ID; Description; Frequency; Delivery Dates;
Responsible?; and Location of Deliverables (Link/Path), split into a Customer-Facing location and a JAB-Internal
location (if applicable; Connect.gov users: work with your JAB POCs to identify the location). The Delivery Dates and
Location of Deliverables columns are left blank for the CSP to complete. The pre-populated columns are listed below,
one entry per deliverable.

Activity: Continuous Monitoring Monthly Executive Summary
Control ID: CA-05, RA-05a
Description: An executive summary of the monthly continuous monitoring (ConMon) submission, submitted to the AO via
the designated repository.
Frequency: Monthly
Responsible: CSP

Activity: Collaborative Continuous Monitoring (applicable to Agency Authorized CSPs only)
Control ID: CA-07g
Description: CSOs with more than one (1) agency ATO must implement a collaborative ConMon approach described in the
FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSOs authorized via the FedRAMP
agency path, as each agency customer is responsible for performing ConMon oversight. It does not apply to CSOs
authorized via the FedRAMP JAB path since the JAB performs ConMon oversight.
Frequency: CSP defined, in accordance with the FedRAMP Collaborative ConMon Quick Guide
(https://www.fedramp.gov/documents-templates/)
Responsible: CSP

Activity: Vulnerability and Configuration Scanning
Control ID: RA-05a, CA-07, CM-06
Description: OS/infrastructure, web application, database, container and configuration scans submitted to the AO via
the designated repository.
Frequency: Monthly
Responsible: CSP

Activity: Plan of Action & Milestones (POA&M)
Control ID: CA-05
Description: Updated as needed and submitted to the AO via the designated repository.
Frequency: Monthly
Responsible: CSP

Activity: Inventory
Control ID: CM-08
Description: Updated as needed and submitted to the AO via the designated repository.
Frequency: Monthly
Responsible: CSP

Activity: Contingency Plan Test Plan
Control ID: CP-04a
Description: Documented plan to perform a test and exercise of the IT Contingency Plan; the plan is submitted to the
AO via the designated repository.
Frequency: Moderate and High - Functional, at least annually. Low - Classroom exercise/tabletop written test, at
least every 3 years. Li-SaaS - N/A.
Responsible: CSP

Activity: Contingency Plan Test Results
Control ID: CP-04a
Description: Perform contingency plan testing; the results are inserted into Appendix F of the IT Contingency Plan
and submitted to the AO via the designated repository. Test date, results, and participants must be noted in the SSP.
Frequency: Moderate and High - Functional, at least annually. Low - Classroom exercise/tabletop written test, at
least every 3 years. Li-SaaS - N/A.
Responsible: CSP

Activity: Incident Response Test Plan
Control ID: IR-03
Description: Documented plan to perform incident response testing is submitted to the AO via the designated
repository.
Frequency: Moderate - Functional, at least annually. High - At least every six (6) months, including functional at
least annually. Low and Li-SaaS - N/A.
Responsible: CSP

Activity: Incident Response Test Results
Control ID: IR-03
Description: Perform incident response testing and submit to the AO via the designated repository.
Frequency: Moderate - Functional, at least annually. High - At least every six (6) months, including functional at
least annually. Low and Li-SaaS - N/A.
Responsible: CSP

Activity: System Security Plan (SSP) and Supporting Documents Update
Control ID: PL-02c, PL-02d
Description: Update the SSP and supporting documents, and submit to the 3PAO at least thirty (30) days prior to the
initiation of annual assessment activities.
Frequency: Annually
Responsible: CSP

Activity: Static Code Analysis Methodology
Control ID: SA-11 (01)
Description: The service provider must document its methodology for reviewing newly developed code for the service
in its ConMon plan. As with all SSP supporting documents, the ConMon plan must be submitted to the 3PAO at least
thirty (30) days prior to the initiation of annual assessment activities.
Frequency: Moderate and High - Annually. Low and Li-SaaS - N/A.
Responsible: CSP

Activity: Security Assessments Plan (SAP)
Control ID: CA-02
Description: Plan for the annual assessment developed by the 3PAO and submitted to the AO via the designated
repository.
Frequency: Annually
Responsible: 3PAO

Activity: Penetration Testing performed by Independent Assessor (High and Moderate)
Control ID: CA-08, CA-08 (01)
Description: Penetration test. For High and Moderate systems, penetration testing is conducted by the 3PAO and
included in/with the SAR. Submit to the AO via the designated repository.
Frequency: Annually
Responsible: 3PAO

Activity: Penetration Testing (Low and Li-SaaS)
Control ID: CA-08
Description: Penetration test. Submit the report to the AO via the designated repository.
Frequency: Annually
Responsible: CSP

Activity: Penetration Testing - Red Team Test Plan
Control ID: CA-08 (02)
Description: Documented plan to perform red team exercises. Submit the report to the AO via the designated document
repository.
Frequency: Moderate and High - Annually
Responsible: CSP

Activity: Penetration Testing - Red Team Test Report
Control ID: CA-08 (02)
Description: Perform red team exercises and document the results. Submit the report to the AO via the designated
repository.
Frequency: Moderate and High - Annually
Responsible: CSP

Activity: Vulnerability and Configuration Scanning
Control ID: RA-05a, CA-07, CM-06
Description: Scan of OS/infrastructure, web applications, containers, databases, and configurations conducted
directly by the 3PAO or with 3PAO oversight. Submit the report to the AO via the designated repository.
Frequency: Annually
Responsible: 3PAO

Activity: Security Assessment Report (SAR)
Control ID: CA-02c
Description: Security assessment, including any specialized assessments, conducted by the 3PAO. Submit the report to
the AO via the designated repository.
Frequency: Annually
Responsible: 3PAO

Activity: Security Alerts, Advisories, and Directives
Control ID: SI-05
Description: Service Providers must address the CISA Emergency and Binding Operational Directives applicable to their
cloud service offering per FedRAMP guidance. This includes listing the applicable directives and stating compliance
status.
Frequency: Ad hoc (in accordance with FedRAMP guidance)
Responsible: CSP

File: 741361170.xlsx Page 3 Print Date: 04/03/2024


Record of Changes for Template

Date: 2/15/2024
Version: 1.0
Author: FedRAMP PMO
Description: Initial publication

Date: 3/4/2024
Version: 2.0
Author: FedRAMP PMO
Description:
- Added Instructions tab
- Corrected issues with Service Model dropdown
- Updated Frequency for "Collaborative Continuous Monitoring (applicable to Agency Authorized CSPs only)"
- Updates to clarify Low and Li-SaaS requirements
- Integrated CA-07 and CM-06 for configuration scanning. Updated both instances of "Vulnerability Scanning" to
  "Vulnerability and Configuration Scanning"
- Updated "Location of Deliverables" into two columns for specifying JAB-Internal and Customer-Facing locations
- Formatting updates
- Added Security Alerts, Advisories, and Directives SI-05
