Continuous Monitoring (FedRAMP ConMon)

FedRAMP Continuous Monitoring requires cloud service providers and agencies to produce monthly deliverables demonstrating their security posture. Infracast automates the entire workflow — from daily evidence collection to monthly package assembly.

What ConMon Requires

FedRAMP ConMon mandates:

  1. Monthly POA&M updates — Status of every open weakness
  2. Monthly scan results — Vulnerability and configuration assessment outputs
  3. Significant change notifications — When architecture changes require SSP updates
  4. Annual 3PAO assessments — Comprehensive review by an independent assessor
  5. Deviation requests — Formal requests when a finding cannot be remediated as required (false positive, risk adjustment, or operational requirement)

Without automation, this is 2–5 days of manual effort per month. Infracast handles it continuously.

Authorization Dashboard

The Authorization Status page (/authorization) provides a real-time posture view:

Control Posture

Controls Fully Implemented:     342 / 350  (97.7%)
Controls Partially Implemented:   6 / 350   (1.7%)
Controls Not Implemented:         2 / 350   (0.6%)

Per-control-family breakdown with drill-down to individual controls, trend charts, and last-assessed timestamps.

Drift Alerts

Real-time alerts when a compliant control degrades:

⚠️  Control AC-6 drifted to PARTIAL (2026-04-15 14:23 UTC)
Cause: New IAM role with wildcard permissions
Finding: CRIT-2847 — prod-deploy-role
Action: Review before next ConMon package

Executive AO Summary

One-page authorization confidence report downloadable as a signed PDF — designed for the Authorizing Official.

Monthly ConMon Package

Infracast assembles the complete monthly ConMon package automatically:

File                              Content
poam-YYYY-MM.xlsx                 POA&M update (FedRAMP template)
scan-results-YYYY-MM.pdf          Signed discovery + compliance summary
evidence-bundle-YYYY-MM.zip       All signed evidence artifacts
significant-changes-YYYY-MM.pdf   Change log (if applicable)
manifest.json                     SHA-256 checksums + chain-of-custody
manifest.sig                      Ed25519 signature over the manifest

# Generate via API
POST /api/v1/tenants/{tenantID}/conmon/packages
{ "year": 2026, "month": 4 }

# Download
GET /api/v1/tenants/{tenantID}/conmon/packages/{packageId}/download

Significant Change Detection

Infracast automatically detects FedRAMP-reportable changes between discovery runs:

Change Type                          Action Required
New public-facing component          SSP boundary update + FedRAMP notification
New cloud region or VPC              SSP boundary update
New external service dependency      SSP boundary update
Encryption disabled on data store    Immediate POA&M + deviation request
New privileged IAM role              Control re-assessment (AC-2, AC-6)

Detected changes appear in the significant change log and are included in the monthly ConMon package.

GET /api/v1/tenants/{tenantID}/conmon/significant-changes?from=2026-04-01&to=2026-04-30
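The classification in the table above, and the wildcard-IAM drift alert shown under Drift Alerts, both reduce to diffing two discovery snapshots and mapping each delta to a reporting action. The following is an added example written for this page, not Infracast's own detection code: the Resource fields, the resource Kind strings and the wildcard test for "privileged" are this example's assumptions, and the two snapshots are constructed inline. It goes slightly beyond the table in that an existing component that becomes public, an existing role that gains a wildcard, and a resource landing in a previously unseen region are reported too.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Resource is a simplified discovery record. The field set and Kind values
// are this example's assumptions, not Infracast's inventory schema.
type Resource struct {
	ID        string
	Kind      string   // "compute", "datastore", "vpc", "external-dep", "iam-role"
	Public    bool     // reachable from the internet
	Region    string   // empty for global resources such as IAM roles
	Encrypted bool     // datastores only
	Actions   []string // IAM roles only: allowed actions
}

// Change is one FedRAMP-reportable event, classified per the table above.
type Change struct {
	ResourceID string
	Type       string
	Action     string
	Controls   []string // controls to re-assess, if any
}

func (c Change) String() string {
	s := fmt.Sprintf("%-34s %-20s -> %s", c.Type, c.ResourceID, c.Action)
	if len(c.Controls) > 0 {
		s += " (" + strings.Join(c.Controls, ", ") + ")"
	}
	return s
}

// privileged treats a bare "*" or a service-wide "svc:*" action as a wildcard grant.
func privileged(r Resource) bool {
	for _, a := range r.Actions {
		if a == "*" || strings.HasSuffix(a, ":*") {
			return true
		}
	}
	return false
}

// DetectChanges compares two discovery snapshots keyed by resource ID and
// returns reportable changes in ID order so the output is stable between runs.
func DetectChanges(prev, curr []Resource) []Change {
	old := make(map[string]Resource, len(prev))
	seenRegion := map[string]bool{}
	for _, r := range prev {
		old[r.ID] = r
		if r.Region != "" {
			seenRegion[r.Region] = true
		}
	}
	var out []Change
	for _, r := range curr {
		p, existed := old[r.ID]
		switch {
		case r.Public && (!existed || !p.Public):
			out = append(out, Change{r.ID, "New public-facing component", "SSP boundary update + FedRAMP notification", nil})
		case !existed && (r.Kind == "vpc" || (r.Region != "" && !seenRegion[r.Region])):
			out = append(out, Change{r.ID, "New cloud region or VPC", "SSP boundary update", nil})
		case !existed && r.Kind == "external-dep":
			out = append(out, Change{r.ID, "New external service dependency", "SSP boundary update", nil})
		case r.Kind == "iam-role" && privileged(r) && (!existed || !privileged(p)):
			out = append(out, Change{r.ID, "New privileged IAM role", "Control re-assessment", []string{"AC-2", "AC-6"}})
		case existed && r.Kind == "datastore" && p.Encrypted && !r.Encrypted:
			out = append(out, Change{r.ID, "Encryption disabled on data store", "Immediate POA&M + deviation request", nil})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ResourceID < out[j].ResourceID })
	return out
}

func main() {
	// Constructed snapshots: yesterday's and today's discovery runs.
	prev := []Resource{
		{ID: "web-1", Kind: "compute", Public: true, Region: "us-east-1"},
		{ID: "db-1", Kind: "datastore", Region: "us-east-1", Encrypted: true},
		{ID: "vpc-main", Kind: "vpc", Region: "us-east-1"},
		{ID: "ci-role", Kind: "iam-role", Actions: []string{"s3:GetObject"}},
	}
	curr := []Resource{
		{ID: "web-1", Kind: "compute", Public: true, Region: "us-east-1"},
		{ID: "db-1", Kind: "datastore", Region: "us-east-1", Encrypted: false}, // encryption turned off
		{ID: "vpc-main", Kind: "vpc", Region: "us-east-1"},
		{ID: "ci-role", Kind: "iam-role", Actions: []string{"s3:GetObject"}},
		{ID: "worker-2", Kind: "compute", Region: "us-east-1"},                 // private, existing region: not reportable
		{ID: "api-gw", Kind: "compute", Public: true, Region: "us-east-1"},     // new public component
		{ID: "vpc-west", Kind: "vpc", Region: "us-west-2"},                     // new VPC in a new region
		{ID: "prod-deploy-role", Kind: "iam-role", Actions: []string{"*"}},     // wildcard role
		{ID: "stripe", Kind: "external-dep"},                                   // new external dependency
	}
	for _, c := range DetectChanges(prev, curr) {
		fmt.Println(c)
	}
}
```

Running DetectChanges(curr, curr) yields no changes, which is the property a daily job relies on: only deltas between runs are logged, so a quiet period produces an empty significant change log rather than a repeat of last month's entries.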

3PAO Evidence Bundles

For annual assessments, generate a comprehensive 3PAO bundle:

# CLI
vulcan conmon bundle \
--tenant acme-corp \
--from 2026-01-01 \
--to 2026-04-15 \
--output 3pao-bundle-q1-2026.zip

# API
POST /api/v1/tenants/{tenantID}/conmon/packages
{ "type": "3pao_annual", "from": "2026-01-01", "to": "2026-04-15" }

The bundle includes all evidence artifacts, full POA&M history, significant change log, discovery scan results, and a VERIFICATION.md with signature verification instructions for the assessor.
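Both the monthly package (manifest.json with SHA-256 checksums, manifest.sig with an Ed25519 signature over the manifest) and the 3PAO bundle's VERIFICATION.md come down to the same two-step check: verify the signature over the manifest bytes first, and only then trust the per-file digests it lists. The following is an added example written for this page, not Infracast's code or its documented manifest schema: the JSON field names are this example's assumption, the artifacts are constructed byte strings, and a fresh keypair stands in for the signing key. In practice the assessor must obtain the public key out of band (not from inside the bundle being verified), otherwise a tampered bundle can simply ship its own key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest is the shape this example assumes for manifest.json
// (hypothetical field names, not Infracast's documented schema).
type Manifest struct {
	Package string            `json:"package"`
	Files   map[string]string `json:"files"` // artifact path -> hex SHA-256
}

// BuildManifest hashes every artifact and returns the manifest bytes plus a
// detached Ed25519 signature over exactly those bytes (the manifest.sig role).
func BuildManifest(pkg string, files map[string][]byte, priv ed25519.PrivateKey) ([]byte, []byte, error) {
	m := Manifest{Package: pkg, Files: map[string]string{}}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	// encoding/json emits map keys in sorted order, so the same file set
	// always produces the same bytes; the signature covers these bytes as-is.
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyPackage is the assessor-side check:
//  1. verify the signature over the manifest bytes as received,
//  2. only then parse it and trust the digests inside,
//  3. require every listed file to be present with a matching digest,
//     and flag any file in the bundle that the signed manifest does not cover.
func VerifyPackage(manifestRaw, sig []byte, files map[string][]byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, manifestRaw, sig) {
		return errors.New("manifest signature invalid: do not trust any digest inside it")
	}
	var m Manifest
	if err := json.Unmarshal(manifestRaw, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	var problems []string
	for name, want := range m.Files {
		data, ok := files[name]
		if !ok {
			problems = append(problems, "missing: "+name)
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			problems = append(problems, "digest mismatch: "+name)
		}
	}
	for name := range files {
		if _, listed := m.Files[name]; !listed {
			problems = append(problems, "unlisted file (not covered by signature): "+name)
		}
	}
	if len(problems) > 0 {
		sort.Strings(problems)
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample artifacts standing in for the real package contents.
	files := map[string][]byte{
		"poam-2026-04.xlsx":        []byte("constructed poam bytes"),
		"scan-results-2026-04.pdf": []byte("constructed scan bytes"),
	}
	raw, sig, _ := BuildManifest("conmon-2026-04", files, priv)
	fmt.Println("clean package:", VerifyPackage(raw, sig, files, pub))

	// Edit an artifact after signing: its digest no longer matches the manifest.
	files["poam-2026-04.xlsx"] = []byte("edited after signing")
	fmt.Println("tampered artifact:", VerifyPackage(raw, sig, files, pub))
}
```

The order matters: parsing the manifest before verifying its signature would let an attacker feed the verifier attacker-controlled digests, and checking only listed files would let an extra, unsigned artifact ride along in the ZIP unnoticed.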

cATO / Ongoing Authorization

For programs operating under DoD cATO frameworks:

  • Live authorization dashboard satisfies real-time visibility requirements
  • Automated daily evidence generation replaces periodic snapshots
  • Drift alerts provide immediate notification when posture degrades
  • AO summary report provides current posture view on demand

API Reference

# Current ConMon status
GET /api/v1/tenants/{tenantID}/conmon/status

# List packages
GET /api/v1/tenants/{tenantID}/conmon/packages

# Significant changes
GET /api/v1/tenants/{tenantID}/conmon/significant-changes

Availability

Tier                                    Access
Free / Pro / Business / Enterprise      Not available
Enterprise Plus                         ConMon automation, significant change detection
Gov / Federal                           Full ConMon + CSAM auto-submit + 3PAO bundles