Continuous monitoring is the monthly security status check of the provider. It begins once a product achieves a StateRAMP milestone status of Ready, Provisional or Authorized.
Why is continuous monitoring important?
Continuous monitoring ensures a service provider’s solution is progressing with its security requirements and maintaining a secure state of system. It gives insights into a solution’s vulnerabilities, and monthly checks allow service providers to close out items and align with StateRAMP requirements. Continuous monitoring helps identify areas of risk so service providers can take action to protect the system as soon as possible. If there are vulnerabilities, governments can make informed decisions.
What is the continuous monitoring process?
On a monthly basis, providers must complete their plans of actions and milestones document and executive summary as well as update their scans and inventory worksheet. The StateRAMP Program Management Office (PMO) reviews this information monthly on behalf of the governments they serve.
If items are creeping out of scope, the StateRAMP PMO will follow up with additional questions or concerns. A service provider has 30 days to remediate high POA&M items, 90 days to remediate moderate POA&M items, and 180 days to remediate low POA&M items. Critical vulnerabilities must be remediated immediately.
Annually, service providers must submit a new audit conducted by a Third-Party Assessment Organization (3PAO) for the StateRAMP PMO to review.
What is the escalation process?
The purpose of continuous monitoring is to ensure providers are meeting StateRAMP requirements for continuous monitoring performance. If a service provider has any issues or concerns, our team wants to work with them to resolve the issue before having to defer to the Continuous Monitoring Escalation Process, which includes a Corrective Action Plan or Detailed Findings Review.
Where do we store documents?
Today, documents are stored in a platform that is authorized at the FedRAMP Moderate Level. Our security team at the StateRAMP Program Management Office has access to review the documentation and with the approval of a service provider, they can grant access to government partners.
What are the differences between FedRAMP and StateRAMP continuous monitoring?
StateRAMP requires continuous monitoring for providers with Ready status as well. StateRAMP requires continuous monitoring so we can do our due diligence on behalf of the government to ensure the security state of the system is continuous. We verify there are no gaps or issues that aren’t being remediated. StateRAMP’s goal is to keep government data secure after the initial authorization.