Understanding Continuous Monitoring
Simply put, continuous monitoring is the means of maintaining an Authorization to Operate (ATO) by demonstrating the effectiveness of security controls over time.
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to continuous monitoring (ConMon) for Cloud Service Offerings (CSO). Through continuous monitoring, the security posture of a cloud system is regularly assessed and maintained. Monthly deliverables provide insight into current risks, while annual assessments validate the system’s overall security within the accreditation boundary, ensuring continued compliance with FedRAMP requirements.
To understand how Xacta® is designed to help Cloud Service Providers (CSPs) maintain their authorization, it is important to first understand the FedRAMP requirements.
Implementing a FedRAMP-Compliant Continuous Monitoring Strategy
Implementing a FedRAMP-compliant continuous monitoring strategy requires a structured approach. Here are some steps to consider:
- Know the deliverables: Make sure that your team understands the requirements for monthly ConMon submissions versus annual assessments. This is especially important as FedRAMP requirements continue to evolve. The dissolution of the JAB has not stopped the clock on deliverables; instead, it has made it apparent that CSPs must get it right the first time or risk delays in package acceptance. If the ATO is sponsored by an agency, confirm whether the core FedRAMP monthly and annual deliverables are sufficient. Finally, your team will need to work with the authorizing official (AO) to identify any additional agency-specific submission requirements.
- Scope assessments with your Third Party Assessment Organization (3PAO): FedRAMP has predefined a set of Core Controls that must be assessed annually as part of the continuous monitoring process. CSPs are also responsible for selecting an additional subset of controls, typically one-third of the remaining control baseline each year, so that every control is reviewed within the three-year authorization cycle. This ensures comprehensive security oversight and ongoing compliance with FedRAMP requirements.
- Execute: The continuous monitoring strategy, the Configuration Management Plan, and the Incident Response plan and procedures are deliverables when submitting an SSP for initial authorization. Ensure the personnel named in these documents are ready to tackle the challenges and execute these plans and procedures as written. Use retrospectives where possible to refine the processes and keep them aligned with FedRAMP and/or agency requirements.
FedRAMP assesses compliance with its continuous monitoring requirements. Failure to meet them can result in penalties to the CSP, up to and including revocation of the ATO. Here are the criteria that FedRAMP is looking for:
- Operational Visibility: A cycle of reporting and remediation that ensures the risk level never exceeds what was reported in the original ATO. This includes both compliance and vulnerability scanning. The FedRAMP remediation windows are counted from the date of discovery: 30 days for high findings, 90 days for moderate, and 180 days for low. Missing them can result in escalation, up to and including revocation of the ATO.
- Change Control: All changes, as defined in the Configuration Management Plan, are documented, the results of the change verified, and the impact of the change confirmed. Change control is critical for risk reduction but also demonstrates a commitment to transparency.
- Incident Response: Is the CSP following FedRAMP's Incident Communication procedures? How many incidents have there been in the last six months, and has there been a recurrence of any incident?
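The Operational Visibility criterion above is the one most easily checked mechanically: every open POA&M item has a due date fixed by its severity and discovery date, and anything past that date is a reportable SLA miss. The script below is an added example written for this article, not code from Xacta or from FedRAMP; the `Finding` structure, the POA&M identifiers and the discovery dates are constructed sample data, and the `warn_within` grace window is an assumption, not a FedRAMP rule. It computes the 30/90/180-day due dates and buckets the open items into overdue, due soon and on track as of a chosen reporting date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# FedRAMP ConMon remediation windows, in days from discovery, by severity.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    """One POA&M item. Hypothetical structure for this example, not a vendor data model."""
    poam_id: str
    severity: str            # "high", "moderate" or "low"
    discovered: date         # first detection date; later scans re-reporting the same
                             # vulnerability do not reset this, so the clock keeps running
    closed: Optional[date] = None


def due_date(finding):
    """Remediation deadline: discovery date plus the window for the finding's severity."""
    try:
        window = REMEDIATION_DAYS[finding.severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity {finding.severity!r} on {finding.poam_id}")
    return finding.discovered + timedelta(days=window)


def days_remaining(finding, as_of):
    """Days until the deadline as of a reporting date; negative means overdue."""
    return (due_date(finding) - as_of).days


def classify(findings, as_of, warn_within=7):
    """Bucket open findings into overdue / due_soon / on_track as of `as_of`.

    `as_of` may be a date or an ISO-8601 string. Closed findings are skipped.
    `warn_within` (days) is this example's own early-warning threshold.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    report = {"overdue": [], "due_soon": [], "on_track": []}
    for f in findings:
        if f.closed is not None:
            continue
        remaining = days_remaining(f, as_of)
        if remaining < 0:
            report["overdue"].append(f.poam_id)
        elif remaining <= warn_within:
            report["due_soon"].append(f.poam_id)
        else:
            report["on_track"].append(f.poam_id)
    return report


# Constructed sample POA&M data for the example.
SAMPLE_FINDINGS = [
    Finding("POAM-001", "high", date(2025, 1, 1)),                          # due 2025-01-31
    Finding("POAM-002", "moderate", date(2024, 11, 1)),                     # due 2025-01-30
    Finding("POAM-003", "low", date(2024, 9, 1)),                           # due 2025-02-28
    Finding("POAM-004", "high", date(2025, 1, 20), closed=date(2025, 1, 25)),  # closed, skipped
    Finding("POAM-005", "moderate", date(2024, 11, 10)),                    # due 2025-02-08
]


if __name__ == "__main__":
    report = classify(SAMPLE_FINDINGS, "2025-02-03")
    for bucket, ids in report.items():
        print(f"{bucket:9s} {', '.join(ids) or '-'}")
    for f in SAMPLE_FINDINGS:
        if f.closed is None:
            print(f"{f.poam_id}: {f.severity:8s} due {due_date(f)} "
                  f"({days_remaining(f, date(2025, 2, 3)):+d} days)")
```

Run against a monthly POA&M export instead of the constructed list, the `overdue` bucket is exactly the set of items that must appear with a deviation request or a remediation explanation in that month's submission; the `due_soon` bucket is what a dashboard should surface before the deadline, not after.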
It's important to note that continuous monitoring is not a one-time event. Rather, it's an ongoing process requiring regular assessments and evaluations.
Xacta: A Proven Solution for FedRAMP-Compliant Continuous Monitoring
Xacta is a cyber governance, risk, and compliance (GRC) solution with a proven track record supporting FedRAMP-compliant continuous monitoring. Xacta’s platform provides a range of features and functionality that support the key components of a FedRAMP-compliant continuous monitoring strategy.
The Xacta suite is designed to handle the challenges of both the FedRAMP authorization process and continuous monitoring. Here are some examples of how Xacta simplifies both FedRAMP processes for risk and compliance teams:
- Xacta automatically reviews package information to calculate and select the appropriate FedRAMP baseline.
- Control selection and assessment scoping can be performed in Xacta or through the API, allowing for on-the-fly adjustments to scope security requirements for assessment.
- Xacta’s extensible publishing tool is ready to create continuous monitoring deliverables from FedRAMP-provided document templates, making what would have otherwise been several weeks’ worth of effort take just minutes.
- Dashboards and reports created in Xacta MetriX™ provide visibility of the CSO’s security posture, allowing CSPs to visualize and act on POA&Ms and prevent missing FedRAMP remediation requirements.
- With Xacta, compliance and vulnerability results are translated into actionable intelligence, putting continuous assessment and compliance within reach. With a click of a button, Xacta updates existing POA&Ms with new finding details, identifies findings ready for closure, and creates new POA&Ms. Additionally, Xacta can help you build out the FedRAMP SSP Appendix M with inventory collected from scan files.
- Xacta Bridge™, our data conversion service for turning information in Xacta into OSCAL packages, uses the FedRAMP OSCAL CLI to identify gaps in the package before submission and shows where to fix them in Xacta. The Xacta team tracks and incorporates OSCAL updates as FedRAMP and NIST release them, including enhancements to the FedRAMP templates, so CSPs can focus on their package while Xacta focuses on OSCAL.
Xacta is ready for the July 2026 deadline for machine-readable package submissions…is your organization?
Interested in learning more about Xacta and how it can be used to further your organization’s continuous monitoring goals? Please reach out for a demo and to learn more.