
Collaborative Continuous Monitoring

The Collaborative Continuous Monitoring rules help agencies use shared, current authorization information from providers as part of each agency's own Information Security Continuous Monitoring strategy. These rules reduce unnecessary manual burden by encouraging automated monitoring and review while allowing each agency to make its own risk-based decisions about ongoing authorization.


Agency Guidance

These rules for agencies apply to all agencies using a FedRAMP Certification.

Review Ongoing Reports

CCM-AGM-ROR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST review each Ongoing Certification Report to understand how changes to the cloud service offering may impact the previously agreed-upon risk tolerance documented in the agency's Authorization to Operate of a federal information system that includes the cloud service offering in its boundary.


Note: This is required by 44 USC § 35, OMB A-130, FIPS-200, and M-24-15.


Terms: Cloud Service Offering, Ongoing Certification, Ongoing Certification Report (OCR)

Notify FedRAMP of Concerns

CCM-AGM-NFR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Agencies MUST notify FedRAMP by sending an email to info@fedramp.gov if the information presented in an Ongoing Certification Report, Quarterly Review, or other ongoing FedRAMP Certification Data causes significant concerns that may lead the agency to stop operation of the cloud service offering.


Note: Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a).


Terms: Certification Data, Cloud Service Offering, Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review

Notify FedRAMP After Requests

CCM-AGM-NFA

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Agencies MUST notify FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending an email to info@fedramp.gov.


Note: Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a).

No Additional Requirements

CCM-AGM-NAR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies MUST NOT place additional security requirements on cloud service providers beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about FedRAMP Certification Data.


Note: This is a statutory requirement in 44 USC § 3613 (e) related to the Presumption of Adequacy for a FedRAMP Certification.


Terms: Certification Data, FedRAMP Certified

Consider Security Category

CCM-AGM-CSC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the cloud service offering in its boundary and assign appropriate information security resources for reviewing Ongoing Certification Reports, attending Quarterly Reviews, and other ongoing FedRAMP Certification Data.


Terms: Certification Data, Cloud Service Offering, Ongoing Certification, Quarterly Review, Security Category

Notify Provider of Concerns

CCM-AGM-NPC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify Provider by email using security-email.

Agencies SHOULD formally notify the provider if the information presented in an Ongoing Certification Report, Quarterly Review, or other ongoing FedRAMP Certification Data causes significant concerns that may lead the agency to remove the cloud service offering from operation.


Terms: Certification Data, Cloud Service Offering, Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review
