# Proactively Addressing FedRAMP Continuous Monitoring Requirements

By [Matthew Chiodi](https://www.paloaltonetworks.com/blog/author/matthew-chiodi/?ts=markdown "Posts by Matthew Chiodi") | Jun 03, 2020 | 6 minutes

Categories: [Government](https://www.paloaltonetworks.com/blog/category/government/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

Gaining a continuous understanding of the state of cloud security is, for most organizations, downright painful. Security teams feel constantly behind the eight ball. Why? Because cloud service providers (CSPs) and cloud environments are in a greater state of flux than on-premises environments or private clouds. This rapid pace of change presents an obstacle for any business, but it is a unique challenge for organizations seeking a Federal Risk and Authorization Management Program ([FedRAMP](https://www.fedramp.gov/faqs/)) authority to operate (ATO). Given that Gartner found [81% of enterprises have a multi-cloud strategy](https://www.gartner.com/smarterwithgartner/why-organizations-choose-a-multicloud-strategy/), addressing this challenge requires a combination of tools and processes specifically designed for highly dynamic cloud environments. Here I present potential solutions tailored for FedRAMP seekers, but still applicable to any business.

## The Shift to FedRAMP Continuous Monitoring Requirements

As early as 2010, the Office of Management and Budget (OMB) had allowed static, point-in-time security assessments. But after an in-depth review, OMB changed course and required a move to "Ongoing Assessment and Authorization throughout the system development lifecycle." This radical shift was a wise first step toward acknowledging that security works best when it is organically embedded into the entire application lifecycle. Without knowing it, OMB was giving an early nod toward components of what we now call [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops).
FedRAMP quickly followed suit and developed a continuous monitoring framework based on National Institute of Standards and Technology (NIST) Special Publication [800-137](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf). This framework is what CSPs must follow, and regularly report against, to maintain their authorization for a service.

## High Velocity Plus Scale = Challenging FedRAMP ATOs

The high velocity of change in cloud computing environments makes achieving and maintaining FedRAMP ATOs challenging. To put things in perspective, [research indicates](https://redlock.io/blog/what-you-must-know-about-aws-security) that the average lifespan of a cloud resource is 127 minutes. Compare that with a legacy application that could have a lifespan of years. The problem is further amplified in large cloud computing environments with thousands of resources. The end result is weak security and compliance postures across public cloud computing environments.

## A Four-Step Approach

Building on NIST 800-137, we've developed a simplified four-step approach that can help in achieving a multi-cloud ATO.

![Cloud continuous monitoring (including the monitoring needed to meet FedRAMP continuous monitoring requirements) involves a cycle of steps, shown here, including: 1) Collaborate and define the vision, 2) Execute the plan, 3) Investigate and respond, and 4) Iterate continuously](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/Iterate.png)

#### **1. Collaborate and define the vision**

It is easy to jump directly into the technology side of security without first considering what your organization and leadership are trying to achieve. Step back and look at the bigger picture. In this first step, you'll work across your organization to understand requirements from the likes of development teams, as well as from FedRAMP itself.

Many teams will need to be involved to make this a success, so remember to [work broadly](https://thenewstack.io/case-studies-how-security-drives-business-acceleration/). The clearest path to an ATO is a well-defined strategy that includes vision, goals, milestones and resources. Keep in mind that FedRAMP requires evidence of a continuous monitoring program to be collected, at a minimum, monthly, annually, every three years and on an as-needed basis after an ATO is granted. Make sure your strategy encapsulates all cloud accounts and systems in scope for the FedRAMP ATO.

#### **2. Execute the plan**

You've created the vision, discussed it with your peers, and the organization is aligned behind it. Now it's game time. In this critical step, you'll get down to the nuts and bolts of *how* your organization is going to carry out the FedRAMP continuous monitoring requirement. A typical decision made in this step concerns the mountain of tools that can be used to satisfy the automated monitoring requirement.

Engineers love to build, and when it comes to cloud security, some DevOps teams try to cobble together their own solution from a combination of cloud-provided and disparate open source products. [Before your team spends too much time and too many resources on a DIY security project](https://www.paloaltonetworks.com/blog/2019/09/cloud-security-tool/), be sure to factor in cost, time, long-term support and maintenance, and multi-cloud support. Be realistic about your continuous monitoring goals. Cloud service providers offer an appealing menu of services that can, with enough time and resources, be woven together into a fairly comprehensive security solution. But does your organization have the time, expertise and desire to essentially create and sustain its own multi-cloud security tool?

#### **3. Investigate and respond**

The good thing about continuous monitoring programs is that, if done correctly, they will unearth security issues you were likely completely unaware of. This is why, as part of your strategy, you must have a well-defined process for investigating and responding to the bugs your continuous monitoring program finds. Organizations looking to minimize manual effort will want to investigate [security orchestration, automation and response (SOAR) platforms](https://www.paloaltonetworks.com/cortex/soar). These platforms take much of the burden off security operations centers (SOCs). They can automatically remediate issues where possible by acting as the intermediary between security controls, both third-party and CSP-provided. They can also act as the workflow monitor between different teams that may each have partial ownership in resolving a security issue.

#### **4. Iterate continuously**

The systems in scope for your FedRAMP ATO will no doubt change over time, and so should your continuous monitoring program. CSPs will add new functionality, and your development teams will want to take advantage of it. Depending on the scale of your cloud usage, your organization should consider a regular review process for any continuous monitoring program. Review the attack surface of the in-scope systems and determine whether what's being monitored still meets FedRAMP requirements. Discovering what's running in a multi-cloud environment can be challenging, but thanks to [cloud native security platforms](https://www.paloaltonetworks.com/blog/2019/12/cloud-native-security-platform-age/) that leverage cloud provider APIs as well as the providers' embedded security tools, this is not as hard as it used to be.

## What Versus How

Organizations contemplating FedRAMP certification need to think carefully about their continuous monitoring approach, including people, process and technology. Although FedRAMP requirements are clear, *how* they are actually carried out will depend largely on your organization and your third party assessment organization (3PAO).

Prisma Cloud is a [comprehensive cloud-native security platform](https://www.paloaltonetworks.com/blog/2020/03/cloud-native-security-platform-2/) with broad security and compliance coverage throughout the development lifecycle and across multi- and hybrid cloud deployments. The Prisma Cloud integrated approach enables security operations and DevOps teams to stay agile, collaborate effectively and [accelerate secure, cloud native application development and deployment](https://www.paloaltonetworks.com/blog/2020/03/cloud-devops-plugins/). Prisma Cloud also helps simplify compliance by providing a comprehensive library of industry compliance standards and policies, including NIST 800-53, ISO 27000, SOC 2, NIST CSF and many others.

To learn more about how Prisma Cloud can support your journey toward a FedRAMP ATO, view our page on [comprehensive cloud native security](https://www.paloaltonetworks.com/prisma/cloud).