ConMon is a critical component in understanding evolving risks associated with an IT system. CSPs are required to follow stringent ConMon requirements and provide agencies with the information they need on a periodic basis, to ensure their data remains secure to include, but not limited to: monthly Plan of Action and Milestones (POA&M), monthly database, operating system, and web application raw scan files, ad-hoc (as appropriate) incident response notifications, major system change requests, and annual assessments. These deliverables are required, regardless of authorization type (JAB or Agency) and are located within the FedRAMP Secure Repository on OMB MAX.
Each Agency should review these materials, regularly, to ensure their ATO remains valid and the risk remains acceptable. The FedRAMP PMO does not have a dedicated ISSO that supports each Agency Authorization; but, provides the structure and access to each CSP’s ConMon materials in OMB MAX. As always, if any agency has questions regarding specific ConMon vulnerabilities or is unable to obtain the information they need pertaining to ConMon for any given CSP; the FedRAMP PMO will be there to help.