13 May 2024

10 Essential Questions to Ask When Outsourcing FedRAMP Continuous Monitoring (ConMon)

Unlock the key to selecting the right service provider for your FedRAMP ConMon needs. Explore the 10 essential questions to ask, empowering you to evaluate effectiveness and ensure compliance.

Nathalie Baker
Nathalie Baker GRC Manager LinkedIn
Allie DiPietro
Allie DiPietro Principal GRC Specialist LinkedIn
Mario Lunato
Mario Lunato Principal Cloud Infrastructure Architect LinkedIn

Continuing on the journey to maintain your FedRAMP Authority to Operate (ATO) is a significant undertaking for any cloud service provider (CSP). Amidst the complexities of security assessments, risk management, and documentation requirements, outsourcing continuous monitoring (ConMon) to a trusted service provider can offer invaluable support. However, selecting the right continuous monitoring provider requires careful consideration and thorough evaluation. As CSPs seek to align their cloud offerings with FedRAMP standards, they must pose critical questions to potential ConMon service providers. From documentation processes to data security measures, the following questions serve as essential checkpoints in ensuring a seamless and compliant partnership:

10 Essential FedRAMP ConMon Questions

In this blog post, we’ll delve into these key questions and explore why they are vital considerations for CSPs outsourcing their FedRAMP continuous monitoring. By understanding the importance of each inquiry and its implications for compliance and security, CSPs can make informed decisions when selecting a continuous monitoring provider.

1. What compliance framework do you adhere to and meet the requirements for?

FedRAMP requires that all third-party contractors are evaluated from a risk perspective. As part of a Moderate or High assessment, you need to be able to provide artifacts showing you’ve done your due diligence on each company you contract with, and give access to your environment, which includes completing a risk assessment of that company for your organization’s own internal records. It’s important to note that most contractors and third-party service providers will not adhere to FedRAMP requirements themselves. Since FedRAMP isn’t geared towards that niche of the industry. Instead you’ll hear frameworks like ISO 27001, SOC 2 Type 2, and NIST SP 800-171.

Those compliance frameworks provide a standard set of guidelines and requirements for data security and privacy of a corporate boundary, rather than a system boundary. By adhering to these frameworks, third-party contractors demonstrate their commitment to meeting industry-specific standards, ensuring alignment with your organization’s requirements. Implementing a compliance framework sets clear expectations for security and privacy practices, which fosters trust and transparency between the third-party organization and your organization. Demonstrating compliance with industry-recognized standards instills confidence in the third-party’s ability to handle sensitive data responsibly, and strengthening the partnership through mitigating concerns about security risks.

When evaluating a provider, getting a sense of their own company’s commitment and approach to security can be extremely valuable and telling. For example, Aquia currently adheres to NIST SP 800-171 and we are working to reach ISO 27001 standards. Given that cloud and cybersecurity are our primary focus areas as an organization, we have many ConMon aspects already in place.

2. What is your experience with FedRAMP ConMon?

When considering a ConMon provider for your FedRAMP journey, it’s crucial to delve into their track record and expertise in handling continuous monitoring processes. You’ll want to hear about their experiences, the challenges they’ve faced, and how they’ve overcome them. Look for providers who can speak confidently about their understanding of FedRAMP’s requirements and regulations, and who can articulate how they’ve tailored their strategies to meet these standards. It’s not just about compliance; it’s about finding a partner who can navigate the complexities of ConMon while keeping your specific needs and goals of your organization in mind.

Additionally, don’t hesitate to ask for specific examples of successful ConMon engagements with other CSPs. These stories can provide valuable insights into how the provider operates in real-world scenarios and how they’ve helped other organizations achieve their compliance and security objectives. Look for providers who can share stories of proactive monitoring and swift response to incidents, as these are indicators of their effectiveness in safeguarding systems and data. Ultimately, you want to partner with a ConMon provider who not only has the expertise but also the proven track record of delivering results and supporting their clients every step of the way.

3. How do you stay up to date on and ensure compliance with evolving FedRAMP requirements?

The compliance landscape is ever-changing. Even if your goal is FedRAMP ConMon, there’s more to consider than just updates to the FedRAMP controls themselves. So many publications influence FedRAMP that it’s no surprise that requirements frequently change. Sometimes, these updates are massive, like the transition from NIST 800-53 revision 4 to 5 (the basis of FedRAMP controls). But what about changes to lesser-known publications, like NIST 800-63? Just one altered control can have a massive impact on your system and your ConMon’s success.

You will want your ConMon provider to confirm that they follow the compliance industry holistically, watching closely for any signs of change across multiple frameworks and institutions — both public and private sector. This can help you anticipate future updates and develop a plan to make updating and complying to them less disruptive for your business. Whether this means large uplifts to account for revision 5 or “keeping an ear to the ground” for smaller, anticipated updates, your provider should help you make sure your ConMon practice is built with the future in mind.

4. What tools and technologies do you use for automated monitoring?

The tools and technologies used in your cloud environment are the “eyes and ears” of your ConMon efforts; they help proactively identify and resolve issues before they disrupt services, and also provide the necessary documentation to support your annual FedRAMP assessment. If you already have tools selected, make sure your provider has hands-on, ConMon-specific experience with them. If you’re looking into different tools, finding a provider that can provide unbiased, vendor-neutral expertise is critical in implementing solutions that fit your organization’s unique needs.

Tool selection and use can be daunting, time intensive, and expensive. You’ll want to work with a provider that can help you navigate ConMon by optimizing existing tools and offering assessments when choosing new ones. By developing a cohesive tooling strategy, you can achieve smoother assessments with readily available documentation throughout the year — no matter what tools you use.

5. Are you able to generate artifacts for continuous monitoring in the FedRAMP templates on demand?

FedRAMP templates serve as the standardized framework for documenting security controls and assessment results. FedRAMP requires CSPs to submit various artifacts in specific templates to ensure consistency and compatibility with federal guidelines and requirements. Manually creating FedRAMP artifacts can be time-consuming and error-prone. Leveraging automated processes to generate artifacts on-demand allows for streamlining documentation efforts, reducing the risk of inaccuracies, and maintaining compliance more efficiently. In the event of an audit, having the FedRAMP-compliant artifacts readily available demonstrates a CSP’s commitment to security and compliance. As your organization scales, the ability to generate these artifacts on demand becomes more critical. A lot of clients will ask for updated documentation before they agree to any contract, so it’s important for your artifact generation capability to scale with your organization and the frameworks as well. Ideally, your ConMon provider offers a GRC tools that allow for FedRAMP artifacts to be readily provided with the click of a button — saving you time and helping ensure you don’t miss a deadline for gathering artifacts.

6. How will your team evaluate and enhance our organization’s approach to continuous monitoring?

Understanding the methodology a company will take to evaluate your organization’s current approach to continuous monitoring is essential for optimizing security effectiveness, maintaining compliance, and fostering a collaborative partnership based on trust and accountability. By asking probing questions about evaluation methodologies, you can ensure that your ConMon provider is equipped to meet your organization’s unique needs and deliver value-added security solutions that support your business objectives. A tailored evaluation methodology enables customization and ensures that ConMon strategies are optimized to address your organization’s risks and priorities effectively. Additionally, understanding how a provider evaluates risks allows you to gauge their thoroughness and ensure that critical issues are addressed promptly. ConMon is not a static process. By understanding how a provider assesses the effectiveness of monitoring activities and implements enhancements, you can ensure that your organization remains agile and responsive to emerging threats.

Compliance requirements often dictate the frequency and scope of ConMon activities, however, there are times when organizations implement compensating controls to mitigate a factor that they cannot automate. Those compensating controls often implement a manual process that requires the need for a more targeted or customized continuous monitoring strategy. A provider’s methodology for evaluating and enhancing continuous monitoring should be transparent and well-documented, allowing for clear communication and consistency. Through understanding the evaluation process, an organization can foster trust and confidence in the provider’s capabilities, ensuring that you can collaborate effectively and efficiently.

7. How do you integrate with my company’s existing processes and tools?

It is important to understand whether a ConMon service provider can seamlessly integrate with your existing architecture and processes. Seamless integration will allow for continuous monitoring to fit into existing workflows, saving time and resources by avoiding the need to manually transfer data between systems. Proper integration also allows for access to real-time data of your organization’s compliance and security posture, improving the accuracy and timeliness of monitoring, which allows for more informed decision-making. Integration provides a comprehensive view of your security posture by consolidating data from various sources, which enhances visibility to allow for better prioritization of security risks. As your organization grows or evolves, integrated monitoring processes can easily scale to accommodate changes, providing flexibility that your continuous monitoring efforts remain effective and adaptable over time.

You will want to see that your ConMon provider has taken the integration aspect into account and offers a tool that will integrate with various data sources. If you change your tooling stack in the future, their governance, risk, and compliance (GRC) tool should be able to provide the integrations necessary to meet your organization’s needs. You’ll also want to ensure the provider integrates within your organization’s team to ensure risks are analyzed appropriately and accurately. This ensures that your organization can make the most informed decisions pertaining to its unique risk tolerance needs.

8. What level of visibility and reporting can we expect?

When considering ConMon services, it’s imperative to delve into the level of visibility and reporting you can anticipate from your chosen provider. Look for transparency in their approach to reporting and communication channels. You’ll want to ascertain not only the frequency but also the comprehensiveness of the updates you’ll receive regarding your compliance posture. Providers who offer real-time visibility into your security and compliance status can prove invaluable, enabling you to proactively address potential vulnerabilities and maintain regulatory adherence. Additionally, inquire about their capacity to provide executive-level reports that offer a panoramic view of your continuous monitoring strategy’s success. These reports serve as more than just snapshots; they are vital tools for decision-makers, offering strategic insights that inform crucial business directions and resource allocations.

Furthermore, consider the depth and breadth of reporting that the provider can furnish. Beyond mere compliance metrics, seek partners who can deliver comprehensive insights into your security posture, encompassing vulnerability assessments, incident response metrics, and trend analysis. A robust reporting framework not only enhances your understanding of current risks but also facilitates proactive risk mitigation and future-proofing strategies. By partnering with a ConMon provider equipped with such robust visibility and reporting capabilities, you’re not just ensuring regulatory compliance; you’re empowering your organization with the actionable intelligence needed to navigate the ever-evolving cybersecurity landscape confidently.

9. How do you ensure the security and confidentiality of our data?

You’ll want to dig a little deeper into the provider’s protocols for safeguarding sensitive information and maintaining security standards. You may want to ask about their experience working with the government to deliver best-in-class security and compliance services and what approach they take to ensuring the confidentiality, integrity, and availability of your systems. For example, regardless of industry, we take the same Zero Trust approach — which assumes no user or device is trusted by default, granting all access to resources on a need-to-know basis. Given the rapidly evolving nature of cloud and cybersecurity, you will also want to ensure the provider prioritizes learning and development in areas like security-first architecture best practices and social engineering awareness.

10. What metrics do you use to evaluate the effectiveness of monitoring efforts?

In evaluating the effectiveness of monitoring efforts, it’s crucial to align metrics with the objectives outlined by FedRAMP for continuous monitoring. Key metrics typically include the frequency and thoroughness of system scans, the percentage of vulnerabilities remediated within specified timeframes, and the accuracy of incident detection and response times. These metrics not only gauge the proactive stance of your organization in identifying and addressing potential security risks but also ensure compliance with FedRAMP requirements for continuous monitoring. Furthermore, measuring the alignment of your ConMon efforts with established benchmarks and standards provides insight into your preparedness for the ongoing assessment demands set by FedRAMP. By regularly reviewing these metrics and adapting monitoring strategies accordingly, organizations can maintain a robust security posture and confidently navigate the complexities of FedRAMP compliance.

Additionally, a critical aspect of evaluating the success of ConMon efforts lies in the timely collection and submission of the monthly and yearly artifacts mandated by FedRAMP. These artifacts, which include security control assessments, vulnerability scans, and incident response reports, serve as tangible evidence of your organization’s adherence to FedRAMP requirements over time. By meticulously documenting and submitting these artifacts, you not only demonstrate compliance but also showcase the effectiveness of your monitoring processes in maintaining a secure environment. Moreover, regular review and analysis of these artifacts enable organizations to identify trends, address recurring issues, and continuously improve their ConMon strategies to meet evolving regulatory standards and security challenges. Thus, the consistent and accurate submission of required artifacts serves as a cornerstone in the broader assessment of ConMon effectiveness.


These questions serve as essential checkpoints in evaluating potential service providers, allowing you to make informed decisions that uphold your commitment to FedRAMP compliance and data security. By prioritizing alignment with compliance frameworks, transparency in documentation processes, and a shared dedication to continuous improvement, you can forge partnerships that not only meet your immediate needs but also lay the foundation for long-term success..

Are you interested in learning more about how Aquia’s GRC experts can help you streamline your FedRAMP ConMon efforts? Contact us to request a consultation. We’d love to chat!

If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.


FedRAMP Compliance ConMon