Revising FedRAMP Continuous Monitoring with the New OMB Memo

The draft memo released by the OMB signals many potential changes for the FedRAMP program, especially for the continuous monitoring process. Continuous monitoring is a crucial part of FedRAMP that ensures that CSPs maintain compliance. 

However, this process can also prove complicated and costly for cloud providers, especially small or unique companies offering innovative solutions. With that in mind, the new OMB memo addresses this by rethinking continuous monitoring. 

What Is FedRAMP Continuous Monitoring?

Continuous Monitoring within the FedRAMP framework is a critical process that ensures the security of cloud services used by federal agencies remains robust after the initial FedRAMP authorization. This practice is the cornerstone of authentic, fair, and bias-free compliance management that ensures the highest levels of compliance.

Some of the critical aspects of FedRAMP continuous monitoring include:

• Third-Party Assessment Organization (3PAO): Annual Assessments must be performed by a 3PAO, which can be the same organization that conducted the initial assessment or a different one if desired. Changing 3PAOs may affect the cost and quality of the assessment, which could impact the Authority to Operate (ATO) status.
• FedRAMP Annual Assessment Controls: The Annual Assessment has a reduced scope compared to the initial assessment, focusing on a core set of 129 controls each year, plus about a third of the remaining controls, ensuring that all baseline controls are assessed by the end of the third year. Specific controls related to overlays like ITAR, CJIS, or HIPAA may need annual assessment, and DoD Impact Levels have additional controls.
• Plan of Action & Milestones (POA&M): This document must be maintained monthly and submitted for review. It includes validation of closed POA&M items and confirmation of remediation of vulnerabilities within specific timeframes depending on the risk level.
• Assessment Cost: The Annual Assessment is typically about 80% of the initial assessment due to the reduced scope, though the exact cost can vary based on complexity, overlays, and other factors.
• Significant Change Request (SCR): SCRs are part of assessments to handle security and architecture changes affecting the system’s security controls. They require a scope of controls review and a penetration test for affected attack vectors.
• Agency Review: The agency sponsor reviews all follow-on Security Assessment Reports (SARs). During continuous monitoring, the review process is generally more expedient than the initial assessment.

Continuous monitoring is essential to maintain compliance and address the evolving threats in cloud security.

What Changes Are On Deck for Continuous Monitoring in the FedRAMP 2023 Draft Memo?

The new FedRAMP draft guidance document for 2023 indicates several potential changes in continuous monitoring:

• FedRAMP aims to incentivize security through agility, allowing federal agencies to use the latest and most innovative cloud products and services without requiring advance government approval while maintaining the necessary visibility and information to ensure ongoing trust in the system.
  
• A framework will be established to support automation and DevSecOps practices, enable CSPs to provide advance notice of changes without needing government pre-approval, and provide technical data to detect threats.
  
• The FedRAMP Program Management Office (PMO) will provide a standard level of continuous monitoring support and may conduct special reviews of existing authorizations, suggesting changes to maintain authorization.
  
• It will also establish procedures for responding to vulnerabilities, including escalation pathways, and collaborate with CISA, OMB, and the FedRAMP Board to respond to directives and enhance monitoring efforts using government-wide tools and best practices.

More specifically, this memo signals that some basic expectations are coming down the pipeline. These include:

• Agility and Innovation: The new framework will encourage cloud service providers to rapidly develop and deploy secure cloud solutions without waiting for government pre-approval, thus promoting cutting-edge technologies in federal agencies while retaining oversight. This is accomplished via prior approval practices.
• Unified Cloud Services: As part of assessment processes, FedRAMP will discourage segregating cloud services into separate streams for commercial and government use, ensuring that federal agencies benefit from the same robust infrastructure as retail customers.
• Monitoring Support Standardization: The FedRAMP PMO will establish a baseline level of continuous monitoring support for all authorizing agencies, identifying and focusing on the highest-impact security controls.
• Special Reviews: The PMO may initiate special reviews of CSPs’ FedRAMP authorizations to ensure compliance, with the FedRAMP Board approving the scope and deadlines for these reviews
• Vulnerability Management: The memo states that there should be procedures for prompt communication of vulnerabilities to CSPs and agencies, with defined escalation processes for issues not addressed quickly, which could include public notification.
• Program Integrity: Along with new automation solutions, the expectation is that there will be new government-wide tools and best practices to improve the integrity and trustworthiness of the FedRAMP program’s monitoring efforts.

These changes are intended to make the continuous monitoring process more dynamic and responsive, enabling the government to benefit from rapid technological advancements while maintaining a high security and compliance standard.

Why Is Continuous Monitoring So Critical to Cybersecurity?

Continuous monitoring is a critical part of cybersecurity frameworks for several reasons:

• Real-Time Threat Detection: Cyber threats constantly evolve, and new vulnerabilities emerge regularly. Continuous monitoring helps detect these threats in real-time, allowing for immediate response to mitigate risks.
• Compliance Assurance: It ensures that organizations remain compliant with the established standards and regulations over time. Compliance is not a one-time event; continuous monitoring verifies that security controls are effective and that compliance is maintained.
• Risk Management: Continuous monitoring provides an ongoing assessment of security controls, which is vital for dynamic risk management. It allows organizations to understand their security posture at any given moment and make informed decisions on risk acceptance, mitigation, or transfer.
• Incident Response: It aids in rapidly detecting security incidents, which is crucial for timely and effective incident response. The quicker an organization can detect and respond to an incident, the lower the potential impact.
• Security Posture Improvement: By providing continuous insights into the security environment, organizations can prioritize actions to improve their security posture, like patching vulnerabilities, updating defenses, or enhancing security policies.
• Resource Optimization: It helps organizations allocate their resources more effectively. Organizations can optimize their security investments and efforts by identifying the most critical issues that need attention.
• Trust and Confidence: For federal agencies and contractors, maintaining the trust of stakeholders and the public is crucial. Continuous monitoring demonstrates a commitment to security and builds confidence in the agency’s or contractor’s ability to protect sensitive information.

The inclusion of continuous monitoring in these frameworks reflects the recognition that cybersecurity is not a static field; threats are continually changing, and the security landscape evolves. Therefore, the frameworks mandate continuous monitoring to create a dynamic and adaptive security environment that can respond to new challenges as they arise.

Where Is Continous Monitoring Required in Federal Standards and Frameworks?

Continuous monitoring plays a vital role in the cybersecurity strategies for federal government agencies and contractors. Here’s how it is utilized across various frameworks and regulations:

• NIST SP 800-137: NIST’s guidelines for continuous monitoring focus on defining a strategy that can allow organizational officials to make ongoing risk management decisions. Continuous monitoring programs involve observing security controls and the organizational environment to detect changes and potentially harmful configurations or activities.
• FISMA: FISMA requires federal agencies to develop, document, and implement an agency-wide program to provide security for the information systems that support their operations and assets. This includes an information security continuous monitoring (ISCM) strategy to maintain an awareness of threats and vulnerabilities, assess the effectiveness of security controls, and support risk response actions.
• DFARS: Applicable to defense contractors, DFARS mandates safeguarding covered defense information (CDI) and reporting cybersecurity incidents. It requires continuous monitoring to detect and respond to threats, ensuring the protection of sensitive defense information within the contractor’s information system.

For each framework, continuous monitoring is about maintaining situational awareness and responding promptly and effectively to potential threats. It is not merely about compliance but ensuring federal information systems’ ongoing confidentiality, integrity, and availability.

Support Your Continuous Monitoring With Lazarus Alliance

As we’ve discussed, continuous monitoring is critical to many federal security frameworks. If you’re looking to excel in this area and ensure that your security infrastructure is up to the task of regular, ongoing assessment for some of the more rigorous security standards on the market, work with Lazarus Alliance.

Thinking ahead to your responsibilities under the evolving FedRAMP standard? Work with Lazarus Alliance to stay up-to-date.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→