
FedRAMP Continuous Monitoring Checklist: Monthly and Annual

FedRAMP ConMon runs on a fixed cadence: every month you submit vulnerability scans of operating systems, web applications, and databases, an updated POA&M, and a current inventory to your secure repository; every year an independent assessor reassesses a subset of controls; and as needed you file significant change requests and deviation requests for your agency AO to approve.

June 4, 2026 | 9 min read


FedRAMP continuous monitoring (ConMon) runs on a fixed cadence: every month you submit updated vulnerability scans of your operating systems, web applications, and databases, an updated Plan of Action and Milestones (POA&M), and a current asset inventory to your secure repository; every year an independent assessor reassesses a subset of your controls; and as needed you file significant change requests and deviation requests for your agency Authorizing Official (AO) to approve. Miss the monthly rhythm and your authorization can be put at risk. This checklist lays out what is due, how often, and who owns each item so the cadence never becomes a fire drill.

Key takeaways

  • The three core monthly deliverables are vulnerability scans (OS, web app, database), the POA&M, and the inventory — uploaded to your secure repository for agency AO review.
  • Per FedRAMP, ConMon deliverables are provided on four cadences: monthly, annually, every three years, and as-needed.
  • Vulnerability scans must cover operating systems, web applications, and databases at least monthly.
  • Remediation timelines are SLA-driven: Critical 30 days, High 90 days, Moderate 180 days, Low 365 days from detection.
  • The annual assessment is a fresh, independent assessment of a control subset — not a paperwork refresh — and is required every year.
  • Significant changes require a security impact analysis up front and AO approval before (or, by agreement, around) the change; deviation requests for false positives, risk adjustments, and operational requirements also need AO sign-off.
  • This is a companion to our deeper narrative on continuous monitoring after ATO — use that for the "why," and this checklist for the "what and when."

What is FedRAMP continuous monitoring?

FedRAMP continuous monitoring is the ongoing program of scanning, reporting, assessment, and change management that keeps an authorized cloud service offering (CSO) trustworthy after it goes live. FedRAMP bases ConMon on NIST SP 800-137, and the program defines three goals: operational visibility, managed change control, and incident response. The CSP produces a recurring stream of deliverables that agency AOs review to confirm the system's risk posture is still acceptable.

Two points matter. First, ConMon is not optional or back-loaded; it begins the moment you are authorized and never ends while you hold an authorization. Second, under the 2026 terminology changes (NTC-0004), the program now uses a single FedRAMP Certified label and four Certification Classes (A, B, C, D) in place of the old Low / Moderate / High level names. The ConMon obligations below apply across baselines; the class labels describe the depth of your assessment package, not a change to the monitoring cadence itself.

What are the monthly ConMon deliverables?

Every month, you upload a refreshed package to your secure repository so agency AOs can review your current risk posture. The three load-bearing items are vulnerability scans, the POA&M, and the inventory.

  • Vulnerability scans must cover your operating systems, web applications, and databases, and must run at least monthly. Raw scan files are provided when required by your agreements with agency customers, along with summary reports.
  • POA&M is your living record of every known weakness — driven by NIST control CA-5 — with the risk rating, owner, remediation plan, and milestone dates for each open finding. It must show active progress month over month.
  • Inventory is required by control CM-8 at least monthly or whenever it changes, so the boundary the AO is reviewing matches the system actually running.

Where do these go? CSPs at LI-SaaS, Low, or Moderate (Class B/C) post deliverables to the FedRAMP secure repository on USDA Connect.gov; CSPs at High (Class D) use their own secure repository. A monthly ConMon report and review meeting wrap these artifacts together so the agency team can ask questions and approve any pending requests.

Source: FedRAMP Continuous Monitoring Overview — fedramp.gov

The FedRAMP ConMon checklist (monthly, annual, as-needed)

This table is the checklist. Cadence reflects FedRAMP's four reporting frequencies; the "owner / output" column names who typically drives the task and what lands in the repository.

ConMon task | Cadence | Owner / output
Vulnerability scans — OS, web applications, and databases | Monthly | CSP security/ops → raw scan files + summary
Update POA&M (CA-5) with new/closed findings and milestones | Monthly | ISSO/compliance lead → updated POA&M
Update system inventory (CM-8) | Monthly (or on change) | CSP ops → current asset inventory
Monthly ConMon report + AO review meeting | Monthly | ISSO → executive summary; agency AO reviews
Remediate findings within SLA (Crit 30 / High 90 / Mod 180 / Low 365 days) | Continuous, tracked monthly | Remediation owners → closed POA&M items + evidence
Deviation requests (false positive, risk adjustment, operational requirement) | As needed | CSP → request; agency AO approves
Significant change request + security impact analysis | As needed | CSP → SCR; AO approves; assessor may re-test
Incident reporting per agreed timelines | As needed (per incident) | CSP → notification to AO/CISA
Annual security assessment of a control subset | Annually | Independent assessor (3PAO) → annual SAR
Update SSP and appendices; test IRP and Contingency Plan | Annually | CSP → updated SSP, test results
Full reassessment / re-authorization activities | Every three years | CSP + assessor → updated package

Source: FedRAMP Continuous Monitoring Strategy Guide — fedramp.gov (PDF)

What is required annually in FedRAMP ConMon?

Each year, an independent assessor performs a fresh assessment of a selected subset of your controls — a real evaluation, not a documentation refresh. Alongside it you keep your authorization package current: update the System Security Plan and its appendices to reflect the system as it actually runs, and test your Incident Response Plan and Contingency Plan so those controls are demonstrably exercised, not just written down.

The annual assessment produces an updated Security Assessment Report (SAR), and every new finding flows into your POA&M under the same SLA clock as any monthly finding. Treat it as the moment your year of monthly hygiene gets graded: if your scans, POA&M, and inventory have been accurate all year, the annual assessment confirms what the AO already knows; if you have let the cadence slip, this is where that debt comes due.

A third cadence sits above the annual one: FedRAMP also defines deliverables on a three-year cycle, where broader reassessment and re-authorization activity lives. Budget for it — the recurring cost of these assessments is a frequent surprise, which we break down in the hidden costs of FedRAMP.

What triggers a significant change request?

A significant change is any change to your authorized system that could materially affect its security posture — adding a new external service, changing your authorization boundary, swapping a core component, or altering how data flows. Before making such a change, FedRAMP requires a security impact analysis, and depending on the change type, you route it through the significant change process for AO review and approval. Material changes may require the assessor to test affected controls out of cycle before the change is fully accepted.

The discipline is front-loading. The security impact analysis is what separates a routine configuration update (handle it under normal change control) from a significant change (file the request). Skipping that analysis, or implementing a boundary-altering change and disclosing it later, is one of the faster ways to put an authorization in jeopardy. Significant changes are also a standing agenda item at the monthly ConMon meeting.

Distinct from significant changes are deviation requests, filed when a scan finding does not warrant straight remediation: a false positive (evidence it is not a real vulnerability), a risk adjustment (real but mitigated to lower risk), or an operational requirement (cannot be remediated without breaking required functionality, so you document compensating controls). All three require agency AO approval before the item is marked as such in the POA&M.

How does automation keep the monthly cadence from becoming a fire drill?

The hard part of ConMon is not any single deliverable — it is producing all of them accurately every month, forever, while still shipping product. The failure mode is predictable: scans run late, the POA&M drifts out of sync with the latest scan results, the inventory stops matching reality, and the team scrambles in the final days before the upload. That scramble is where errors and missed SLAs are born.

This is the case for treating ConMon as a continuous pipeline rather than a monthly project. At Boundera, our AI copilot keeps the three core artifacts in lockstep: scan results feed directly into POA&M entries with the correct control mapping and SLA clock, the inventory reconciles against what is actually deployed in the boundary, and the monthly package assembles from a system of record that is always current. The goal is not to replace your ISSO's judgment on deviation or significant change requests; it is to remove the manual reconciliation that turns a routine upload into a fire drill, so human review happens on clean, complete data. The same automation-first posture underpins the KSI validation cadence on the FedRAMP 20x path, where continuous evidence is the entire model.
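The two checks that most often slip in a manual monthly package are the SLA clock on each open finding and whether all three scan categories actually ran this month. The following is an added Python example written for this article, not Boundera's product code or anything published by FedRAMP; the finding and scan record shapes, the 14-day "due-soon" window, and the 31-day recency test for scans are assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

# Remediation SLAs in days from detection, as stated in this checklist.
SLA_DAYS = {"critical": 30, "high": 90, "moderate": 180, "low": 365}

# The three scan categories ConMon requires at least monthly.
REQUIRED_SCAN_TYPES = {"os", "web", "db"}

def due_date(detected: date, severity: str) -> date:
    """SLA deadline for a finding detected on the given date."""
    return detected + timedelta(days=SLA_DAYS[severity.lower()])

def poam_status(finding: dict, today: date) -> str:
    """Classify an open POA&M item: on-track, due-soon (<= 14 days, assumed
    window) or overdue. An AO-approved deviation is reported on its own, since
    the AO has accepted the finding without standard remediation."""
    if finding.get("deviation_approved"):
        return "deviation"
    days_left = (due_date(finding["detected"], finding["severity"]) - today).days
    if days_left < 0:
        return "overdue"
    return "due-soon" if days_left <= 14 else "on-track"

def scan_coverage_gaps(scans: list, today: date) -> set:
    """Required scan types with no run in the last 31 days (assumed monthly window)."""
    recent = {s["type"] for s in scans if (today - s["run"]).days <= 31}
    return REQUIRED_SCAN_TYPES - recent

def monthly_precheck(findings: list, scans: list, today: date) -> dict:
    """Summary a reviewer would want before the package is uploaded."""
    statuses = {f["id"]: poam_status(f, today) for f in findings}
    return {
        "statuses": statuses,
        "overdue": sorted(i for i, s in statuses.items() if s == "overdue"),
        "coverage_gaps": sorted(scan_coverage_gaps(scans, today)),
    }

# Constructed sample data: hypothetical findings and scan runs, not from any real system.
TODAY = date(2026, 6, 1)
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "Critical", "detected": date(2026, 4, 20)},
    {"id": "F-2", "severity": "High", "detected": date(2026, 3, 10)},
    {"id": "F-3", "severity": "Moderate", "detected": date(2026, 1, 15)},
    {"id": "F-4", "severity": "Low", "detected": date(2026, 5, 28), "deviation_approved": True},
]
SAMPLE_SCANS = [
    {"type": "os", "run": date(2026, 5, 20)},
    {"type": "web", "run": date(2026, 5, 22)},
    {"type": "db", "run": date(2026, 4, 10)},  # stale: older than the monthly window
]

if __name__ == "__main__":
    print(monthly_precheck(SAMPLE_FINDINGS, SAMPLE_SCANS, TODAY))
```

Run against the sample data, the pre-check flags F-1 as past its 30-day Critical deadline and reports the database scan as a coverage gap, which are exactly the two conditions the FAQ below lists as common ConMon findings.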

Frequently asked questions

What are the monthly FedRAMP ConMon deliverables?

The core monthly deliverables are vulnerability scans of your operating systems, web applications, and databases; an updated POA&M; and an updated inventory, uploaded to your secure repository with a monthly ConMon report. Raw scan files are provided when your agency agreements require them.

How often must FedRAMP vulnerability scans run?

At least monthly, covering operating systems, web applications, and databases across the authorization boundary. Scans missing any of these three categories, or missing components inside the boundary, are a common ConMon finding. New significant changes can trigger additional out-of-cycle scanning.

What are the FedRAMP POA&M remediation SLAs?

Findings must be remediated within FedRAMP's standard timelines from detection: Critical in 30 days, High in 90 days, Moderate in 180 days, and Low in 365 days. Missed milestones must be tracked in the POA&M and can become findings in themselves, so set realistic completion dates.

What is the FedRAMP annual assessment?

It is an independent reassessment of a subset of your controls performed every year by an assessor (typically a 3PAO), producing an updated SAR. You also refresh your SSP and appendices and test your Incident Response and Contingency Plans annually. New findings flow into the POA&M under standard SLAs.

When do I need a significant change request?

When a planned change could materially affect your system's security posture — boundary changes, new external connections, or replacing core components. Perform a security impact analysis first, then route the change for AO review and approval; the assessor may need to test affected controls out of cycle.

What is a FedRAMP deviation request?

A deviation request asks the AO to accept a scan finding without standard remediation. The three types are false positive (not a real vulnerability), risk adjustment (real but lower-risk due to mitigations), and operational requirement (cannot be fixed without breaking functionality). All require AO approval before being recorded as such in the POA&M.

Where do CSPs submit ConMon deliverables?

CSPs categorized at LI-SaaS, Low, or Moderate (Certification Classes B and C) post deliverables to the FedRAMP secure repository on USDA Connect.gov. CSPs at High (Class D) use their own secure repository. Either way, the agency AO reviews the monthly package there.

Does FedRAMP 20x change the ConMon cadence?

The 2026 terminology shift to a single FedRAMP Certified label and Certification Classes A–D changes how baselines are named, not the monthly-scan, POA&M, and inventory rhythm. FedRAMP 20x leans further into continuous, automated evidence, but the underlying expectation — keep risk posture visible and current — is the same.

Last updated: June 2026. Written by the Boundera team. Boundera is an AI copilot for FedRAMP that keeps your scans, inventory, and POA&M in lockstep so the monthly ConMon cadence stays routine instead of a fire drill.

Next step

If you want to turn this guidance into an execution plan, the product side handles control mapping, SSP drafting, and evidence collection.