- Continuous monitoring ensures a service offering maintains an appropriate security posture for the life of the system.
- For JAB-authorized CSPs, we will initially transition continuous monitoring to one of the former JAB agencies, namely the General Services Administration (GSA), the Department of Defense (DOD), or the Department of Homeland Security (DHS), or to the FedRAMP team. For cloud service providers that are initially transitioned to GSA, DOD, or DHS, that agency will be their designated lead and will take a lead role in continuous monitoring responsibility for that CSO. Designated leads will be formally identified in a designation letter that enumerates post-authorization activities. Designated leads will be responsible for establishing multi-agency continuous monitoring with interested agencies. They will formalize authorization governance through a multi-agency continuous monitoring charter, including the details around decisions for all post-authorization activities. Agencies must reach out to the designated lead to participate in multi-agency continuous monitoring.
- For cloud service providers that are initially transitioned to the FedRAMP team, we expect to eventually migrate continuous monitoring to another agency customer to act as the CSO’s designated lead agency. We are coordinating with the agencies using these CSOs to identify designated lead agencies who can take the lead on continuous monitoring activities, including monthly reviews of open POA&Ms, adjudication of pending deviation requests, review and approval of significant change requests, and approval of annual assessments.
- GSA’s FedRAMP team will continue to generate the automated monthly summaries of service risk posture and provide those to agency customers via USDA Connect or a CSP-provided High repository.