What is Continuous Monitoring for StateRAMP Cloud Service Providers?
Part of StateRAMP compliance certification is the practice of continuous monitoring, where Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs) work together to ensure secure cloud environments that meet requirements for data protection.
Continuous monitoring is a necessary and well-structured process that all certified CSPs must follow. Here, we’ll discuss the monitoring process, what it means for CSPs and 3PAOs, and how you can start thinking about your plan for continued compliance in the years to come.
What is Continuous Monitoring?
Part of StateRAMP and FedRAMP compliance is ensuring that cloud platforms used by local, state, and federal agencies are always secure against breaches. With the rapid evolution and innovation of cybersecurity threats, both the StateRAMP and FedRAMP Program Management Offices (PMOs) require continuous monitoring on the part of CSPs.
What is continuous monitoring? It is a recurring set of reporting, audits, and risk management outlined by NIST Special Publication 800-137 to continually assess the health and compliance of a security system over time. As security threats change, and as requirements for compliance evolve, CSPs must keep a high level of security in place. This means that the CSP must continuously:
- Determine current StateRAMP compliance requirements,
- Monitor and assess existing security controls, and
- Demonstrate that their security posture is adequate for current and future compliance.
Within the continuous monitoring process, there are specific roles in place to ensure smooth operation and assessment:
- The Cloud Service Provider undergoing the continuing assessment
- The StateRAMP PMO, who oversees continuous monitoring processes and determines fitness for continued certification
- The government agency using products or services from the CSP, who reviews the continued reporting and maintenance efforts
- The Third-Party Assessment Organization (3PAO), who verifies and validates the provider’s findings, assesses their security controls, performs annual penetration tests and other assessments for the CSP, and presents the results to the StateRAMP PMO
When Does Continuous Monitoring Start?
Continuous monitoring starts once the CSP has reached Authorized status.
The StateRAMP process works through several stages, including:
- Active: When the CSP begins their work with a 3PAO and government agency, registers for StateRAMP certification, and begins the process.
- Pending: At this stage, the 3PAO works with the CSP to assess their readiness for the process and provides any support, if necessary, to get them ready.
- Ready: Once they are prepared, the 3PAO submits a report attesting to the provider’s readiness for the process. Once readiness is ascertained, the CSP is given the Ready status and moves into certification.
- In Process: Here, the CSP works with the 3PAO to develop their Security Package, which includes a System Security Plan, a Security Assessment Plan, and a Security Assessment Report. This is where the 3PAO conducts testing on the CSP’s system to ensure compliance.
- Authorized: Once the tests are complete and the 3PAO believes the CSP complies, the Security Package is given to the StateRAMP PMO and certified. At this point, the CSP is Authorized within the StateRAMP framework.
Once the “Authorized” status is reached, the CSP enters a period of continuous monitoring that extends for the life of their certification.
What is the Continuous Monitoring Workflow?
Much like other steps in the certification process, continuous monitoring includes a series of recurring requirements, including:
- The creation of a Continuous Monitoring Plan that will foreground potential vulnerabilities and risks over time.
- Implementing a program of data collection, analysis, and reporting that reflects the plan and provides insight into the operation of a CSP’s security system.
- Developing and executing responses to any findings that would threaten the security of data or break compliance with regulations.
- Reviews of incidents and responses to inform future security and risk assessments.
- Adapting new requirements and tools to enhance security.
This is, as the name of the process suggests, a continuous cycle of auditing, reporting, responding, and integrating findings back into the system. A sample workflow looks something like the following:
- Continuous monitoring begins upon the awarding of Authorized status to a CSP by the StateRAMP PMO.
- The CSP partners with their 3PAO to create their Continuous Monitoring Plan, which addresses StateRAMP requirements and the unique arrangement of the CSP’s security controls.
- The CSP implements the Continuous Monitoring Plan.
- The CSP and 3PAO send results from continuous monitoring to StateRAMP authorities at regular intervals (determined by the activity).
- The StateRAMP PMO analyzes the results of the reporting and creates an executive summary, which they provide to the state or local agency with commentary.
- The agency reviews the summary and, if satisfied, gives the OK. If they are not satisfied, or the CSP is failing to meet its obligations, the agency and the PMO can work together to determine corrective actions and further requirements.
- The PMO, upon agency approval, updates the CSP’s profile online to reflect their most recent approval.
Continuous Monitoring Timeframes
While that process seems straightforward, there are several layers of testing, auditing, and document creation required to keep up with continuous monitoring. Adding to the complexity of that process, different monitoring and testing activities are undertaken by different parties at different times and have different reporting frequencies.
Here are the common monitoring activity frequencies that StateRAMP lays out for CSPs and 3PAOs:
Monthly Activities: CSPs must report all mitigation activities at least monthly. This includes the mitigation of outstanding vulnerabilities based on their severity (high-risk vulnerabilities must be mitigated in 30 days, moderate-risk in 90 days, and low-risk in 180 days).
Quarterly Activities: CSPs must update their Plan of Action and Milestones (POA&M) quarterly and resubmit to the StateRAMP PMO.
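As an added illustration, not code from the original article or from any StateRAMP template, the following Python turns the monthly mitigation rule above (high-risk within 30 days, moderate within 90, low within 180) into a small tracker that computes each finding’s deadline, buckets findings for the monthly mitigation report, and emits the open-item rows a CSP would carry into its quarterly POA&M update. It assumes the remediation clock starts on the detection date, uses a 14-day “due soon” warning threshold of my own choosing, and runs on constructed sample findings rather than real scan data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows from the monthly-activity rule in the article:
# high-risk within 30 days, moderate within 90, low within 180.
REMEDIATION_DAYS: Dict[str, int] = {"high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    """One vulnerability finding tracked on the POA&M (constructed record layout)."""
    finding_id: str
    severity: str                       # "high", "moderate" or "low"
    detected: date                      # assumption: the clock starts at detection
    remediated: Optional[date] = None   # None while the finding is still open


def due_date(finding: Finding) -> date:
    """Deadline by which the finding must be mitigated under the StateRAMP windows."""
    try:
        window = REMEDIATION_DAYS[finding.severity.lower()]
    except KeyError:
        raise ValueError(f"{finding.finding_id}: unknown severity {finding.severity!r}")
    return finding.detected + timedelta(days=window)


def days_remaining(finding: Finding, as_of: date) -> int:
    """Days left before the deadline; negative once the finding is overdue."""
    return (due_date(finding) - as_of).days


def status(finding: Finding, as_of: date, warn_days: int = 14) -> str:
    """Classify a finding for the monthly mitigation report.

    closed       remediated on or before the deadline
    closed_late  remediated, but after the deadline (an SLA miss to explain on the POA&M)
    overdue      still open and past the deadline
    due_soon     still open, deadline within warn_days (assumed threshold)
    open         still open, deadline further out
    """
    deadline = due_date(finding)
    if finding.remediated is not None:
        return "closed" if finding.remediated <= deadline else "closed_late"
    remaining = days_remaining(finding, as_of)
    if remaining < 0:
        return "overdue"
    if remaining <= warn_days:
        return "due_soon"
    return "open"


def build_monthly_report(findings: List[Finding], as_of: date,
                         warn_days: int = 14) -> Dict[str, List[str]]:
    """Group finding ids by status; within each bucket the earliest deadline comes first."""
    buckets = ("overdue", "due_soon", "open", "closed", "closed_late")
    report: Dict[str, List[str]] = {b: [] for b in buckets}
    for f in sorted(findings, key=due_date):
        report[status(f, as_of, warn_days)].append(f.finding_id)
    return report


def poam_rows(findings: List[Finding], as_of: date) -> List[Dict[str, object]]:
    """Rows for the quarterly POA&M update: one per finding that is still open."""
    rows = []
    for f in sorted(findings, key=due_date):
        if f.remediated is None:
            rows.append({
                "id": f.finding_id,
                "severity": f.severity,
                "detected": f.detected.isoformat(),
                "due": due_date(f).isoformat(),
                "days_remaining": days_remaining(f, as_of),
                "status": status(f, as_of),
            })
    return rows


# Constructed sample findings (not real scan results).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("F-001", "high", date(2024, 1, 5)),                         # open, past 30-day window
    Finding("F-002", "moderate", date(2024, 1, 10)),                    # open, plenty of time left
    Finding("F-003", "low", date(2023, 9, 1)),                          # open, 180-day window nearly up
    Finding("F-004", "high", date(2024, 2, 1), date(2024, 2, 15)),      # closed inside the window
    Finding("F-005", "moderate", date(2023, 10, 1), date(2024, 1, 15)), # closed after the deadline
]
REPORT_DATE = date(2024, 2, 20)  # constructed reporting date

if __name__ == "__main__":
    for bucket, ids in build_monthly_report(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{bucket:12s} {', '.join(ids) or '-'}")
    for row in poam_rows(SAMPLE_FINDINGS, REPORT_DATE):
        print(row)
```

Running the block prints the five report buckets and the three open POA&M rows. The closed_late bucket is kept separate from closed on purpose: a finding fixed after its window still counts as a missed deadline that the PMO and agency will expect to see explained, so it should not disappear from the report just because it is no longer open.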
Annual Activities: These are perhaps the most involved activities required for continuous monitoring, and break down into provider and 3PAO responsibilities:
- Review and update Information Security Policies and Procedures, including adding the updated document as an attachment to their standing System Security Plan (SR-SSP).
- Contract with 3PAO to assess a subset (roughly ⅓) of their entire security controls.
- Conduct penetration testing with the 3PAO, with additional testing required for new products or significant changes to existing products.
- Review and update Configuration Management Plan.
- Review and update IT Contingency Plan.
- Review and update Incident Response Plan after conducting an annual response plan test.
- Review and update the SR-SSP.
- Develop an annual security assessment plan that outlines the assessed controls, procedures used to test those controls, and the team, environment, and responsibilities of parties involved with the assessment.
- Conduct an assessment of the controls outlined in the assessment plan.
- Provide the StateRAMP PMO with a report of vulnerability and compliance scanning from the CSP’s systems, including an assessment summary and the results of the performed assessment.
StateRAMP certification isn’t a one-time effort. It calls for continuing adherence to rigorous security standards that evolve to meet the challenges of evolving threats. That’s why CSPs should rely on the expertise and tools of their 3PAO partners to streamline and automate continuous monitoring and ensure compliance and security every year.
If you or your CSP partner need an experienced and certified 3PAO to support your ongoing StateRAMP or FedRAMP continuous monitoring, contact Lazarus Alliance at 1-888-896-7580 or contact us through the form below.