
Collaborative Continuous Monitoring

The Collaborative Continuous Monitoring rules help agencies use shared, current authorization information from providers as part of each agency's own Information Security Continuous Monitoring strategy. These rules reduce unnecessary manual burden by encouraging automated monitoring and review while allowing each agency to make its own risk-based decisions about ongoing authorization.

Subsets

Effective Date(s) & Overall Applicability for 20x

  • Required (Consolidated Rules for 2026)
  • Obtain: 2026-07-04
  • Maintain: 2027-01-01
  • Grace Ends: 2027-05-04

Effective Date(s) & Overall Applicability for Rev5

  • Required (Consolidated Rules for 2026)
  • Obtain: 2027-01-01
  • Maintain: 2027-04-02
  • Grace Ends: 2027-10-01
  • Sign-up Form: ADDME

Agency Guidance

These rules for agencies apply to all agencies using a FedRAMP Certification.

Review Ongoing Reports

CCM-AGM-ROR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST review each Ongoing Certification Report to understand how changes to the cloud service offering may impact the previously agreed-upon risk tolerance documented in the agency's Authorization to Operate of a federal information system that includes the cloud service offering in its boundary.


Note: This is required by 44 USC § 35, OMB A-130, FIPS-200, and M-24-15.


Terms: Cloud Service Offering, Ongoing Certification, Ongoing Certification Report (OCR)

Notify FedRAMP of Concerns

CCM-AGM-NFR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Agencies MUST notify FedRAMP by sending an email to info@fedramp.gov if the information presented in an Ongoing Certification Report, Quarterly Review, or other ongoing FedRAMP Certification Data causes significant concerns that may lead the agency to stop operation of the cloud service offering.


Note: Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a).


Terms: Certification Data, Cloud Service Offering, Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review

Notify FedRAMP After Requests

CCM-AGM-NFA

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Agencies MUST notify FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending an email to info@fedramp.gov.


Note: Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a).

No Additional Requirements

CCM-AGM-NAR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST NOT place additional security requirements on cloud service providers beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about FedRAMP Certification Data.


Note: This is a statutory requirement in 44 USC § 3613 (e) related to the Presumption of Adequacy for a FedRAMP Certification.


Terms: Certification Data, FedRAMP Certified

Consider Security Category

CCM-AGM-CSC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the cloud service offering in its boundary and assign appropriate information security resources for reviewing Ongoing Certification Reports, attending Quarterly Reviews, and other ongoing FedRAMP Certification Data.


Terms: Certification Data, Cloud Service Offering, Ongoing Certification, Quarterly Review, Security Category

Notify Provider of Concerns

CCM-AGM-NPC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify Provider by email using security-email.

Agencies SHOULD formally notify the provider if the information presented in an Ongoing Certification Report, Quarterly Review, or other ongoing FedRAMP Certification Data causes significant concerns that may lead the agency to remove the cloud service offering from operation.


Terms: Certification Data, Cloud Service Offering, Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review

Ongoing Certification Reports

These rules for Ongoing Certification Reports apply to providers with any type of FedRAMP Certification.

Report Availability

CCM-OCR-AVL

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply an Ongoing Certification Report to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:

  1. Changes to FedRAMP Certification Data
  2. Planned changes to FedRAMP Certification Data during at least the next 3 months
  3. Accepted vulnerabilities
  4. Transformative changes
  5. Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering
  6. A list of all agencies that are directly using the product
  7. FedRAMP Reportable Incidents or an attestation that no such incidents occurred
  8. Lessons learned and changes planned or made as a result of FedRAMP Reportable Incidents (if such occurred)

Terms: Accepted Vulnerability, All Necessary Parties, Certification Data, Cloud Service Offering, FedRAMP Reportable Incident, Incident, Ongoing Certification, Ongoing Certification Report (OCR), Transformative Change, Vulnerability

Next Report Date

CCM-OCR-NRD

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply the target date for their next Ongoing Certification Report with other public FedRAMP Certification Data.


Terms: Certification Data, Ongoing Certification, Ongoing Certification Report (OCR)

Feedback Mechanism

CCM-OCR-FBM

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply an asynchronous mechanism for all necessary parties to provide feedback or ask questions about each Ongoing Certification Report.


Note: This could be email by default but providers are encouraged to consider something more interactive as appropriate.


Terms: All Necessary Parties, Ongoing Certification, Ongoing Certification Report (OCR)

Anonymized Feedback Summary

CCM-OCR-AFS

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply an anonymized and desensitized summary of the feedback, questions, and answers about each Ongoing Certification Report as an addendum to the Ongoing Certification Report.


Note: This is intended to encourage sharing of information and decrease the burden on the cloud service provider - providing this summary will reduce duplicate questions from agencies and ensure FedRAMP has access to this information. It is generally in the provider's interest to update this addendum frequently throughout the quarter.


Terms: Ongoing Certification, Ongoing Certification Report (OCR)

Limit Sensitive Information

CCM-OCR-LSI

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST NOT irresponsibly disclose sensitive information in an Ongoing Certification Report that would likely have an adverse effect on the cloud service offering.


Terms: Cloud Service Offering, Likely, Ongoing Certification, Ongoing Certification Report (OCR)

Spread Out Reports

CCM-OCR-SOR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD establish a regular 3 month cycle for Ongoing Certification Reports that is spread out from the beginning, middle, or end of each quarter.


Note: This recommendation is intended to discourage hundreds of cloud service providers from releasing their Ongoing Certification Reports during the first or last week of each quarter because that is the easiest way for a single provider to track this deliverable; the result would overwhelm agencies with many cloud services. Widely used cloud service providers are encouraged to work with their customers to identify ideal timeframes for this cycle.


Terms: Ongoing Certification, Regularly

Responsible Public Sharing

CCM-OCR-RPS

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MAY responsibly supply some or all of the information in an Ongoing Certification Report to the public or other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.


Terms: Cloud Service Offering, Likely, Ongoing Certification, Ongoing Certification Report (OCR), Responsibly

Quarterly Reviews

These rules for Quarterly Reviews apply to providers with any type of FedRAMP Certification.

Quarterly Review Meeting

CCM-QTR-MTG

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers with Class A Certifications MAY host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Certification Reports that the provider determines are of the most relevance to agencies.

Timeframe: 3 months

Providers with Class B Certifications SHOULD host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Certification Reports that the provider determines are of the most relevance to agencies.

Timeframe: 3 months

Providers with Class C Certifications MUST host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Certification Reports that the provider determines are of the most relevance to agencies.

Timeframe: 3 months

Providers with Class D Certifications MUST host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Certification Reports that the provider determines are of the most relevance to agencies.

Timeframe: 3 months


Terms: All Necessary Parties, Ongoing Certification, Quarterly Review

Meeting Registration Info

CCM-QTR-REG

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply either a registration link or a downloadable calendar file with meeting information for Quarterly Reviews to all necessary parties.


Terms: All Necessary Parties, Quarterly Review

Next Review Date

CCM-QTR-NRD

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST publicly supply the target date for their next Quarterly Review with other public FedRAMP Certification Data.


Terms: Certification Data, Quarterly Review

No Irresponsible Disclosure

CCM-QTR-NID

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST NOT irresponsibly disclose sensitive information in a Quarterly Review that would likely have an adverse effect on the cloud service offering.


Terms: Cloud Service Offering, Likely, Quarterly Review

Schedule Around Reports

CCM-QTR-SAR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD regularly schedule Quarterly Reviews to occur at least 3 business days after releasing an Ongoing Certification Report AND within 10 business days of such release.


Terms: Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review, Regularly

Additional Content

CCM-QTR-ACT

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD supply additional information in Quarterly Reviews that the provider determines is of interest, use, or otherwise relevant to agencies.


Terms: Quarterly Review

Record/Transcribe Reviews

CCM-QTR-RTR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD record or transcribe Quarterly Reviews and supply them to all necessary parties.


Terms: All Necessary Parties, Quarterly Review

Restrict Third Parties

CCM-QTR-RTP

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD NOT invite third parties to attend Quarterly Reviews intended for agencies unless they have specific relevance.


Note: This is because agencies are less likely to actively participate in meetings with third parties; the cloud service provider's independent assessor should be considered relevant by default.


Terms: Likely, Quarterly Review

Share Recordings Responsibly

CCM-QTR-SRR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MAY responsibly supply recordings or transcriptions of Quarterly Reviews to the public or other parties ONLY if the provider removes all agency information (comments, questions, names, etc.) AND determines doing so will NOT likely have an adverse effect on the cloud service offering.


Terms: Cloud Service Offering, Likely, Quarterly Review, Responsibly

Share Content Responsibly

CCM-QTR-SCR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MAY responsibly supply content prepared for a Quarterly Review to the public or other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.


Terms: Cloud Service Offering, Likely, Quarterly Review, Responsibly
