Ongoing Assessment & Authorization

Ongoing assessment and authorization, often referred to as continuous monitoring, is the third and final process for cloud services in FedRAMP. Ongoing A&A ensures that the security controls implemented during the security authorization remain effective.

There are three key areas associated with Ongoing A&A detailed below:

Step Description

Operational Visibility

Operational visibility provides insight into the security control implementations through (1) automated data feeds, (2) periodically submitted evidentiary artifacts for specific controls, and (3) annual self-attestation reports.

Change Control Process

Change control relates to (1) any changes or proposed changes that significantly impact the CSP's ability to meet FedRAMP requirements, as well as (2) the oversight of a CSP's management of its Plan of Action and Milestones (POA&Ms).

Incident Response

Incident response focuses on new risks and vulnerabilities that affect an authorized system, and on all response and mitigation activities needed to maintain the security of the system.

Please review the FedRAMP Concept of Operations document for more information.