CA-7 Continuous Monitoring

Family: CA
Baselines: moderate
Mapped KSIs: 3

Control statement

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
    a. Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};
    b. Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;
    c. Ongoing control assessments in accordance with the continuous monitoring strategy;
    d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
    e. Correlation and analysis of information generated by control assessments and monitoring;
    f. Response actions to address results of the analysis of control assessment and monitoring information; and
    g. Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}.
        Requirement: Operating System, Database, Web Application, Container, and Service Configuration Scans: at least monthly. All scans performed by Independent Assessor: at least annually.
        Requirement: CSOs with more than one agency ATO must implement a collaborative Continuous Monitoring (Con Mon) approach described in the FedRAMP Guide for Multi-Agency Continuous Monitoring. This requirement applies to CSPs authorized via the Agency path as each agency customer is responsible for performing Con Mon oversight. It does not apply to CSPs authorized via the JAB path because the JAB performs Con Mon oversight.
        Guidance: FedRAMP does not provide a template for the Continuous Monitoring Plan. CSPs should reference the FedRAMP Continuous Monitoring Strategy Guide when developing the Continuous Monitoring Plan.

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

KSI | Title | Category

KSI-AFR-04 | Vulnerability Detection and Response | Authorization by FedRAMP
    Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations.

KSI-AFR-05 | Significant Change Notifications | Authorization by FedRAMP
    Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations.

KSI-MLA-05 | Evaluate Configuration | Monitoring, Logging, and Auditing
    _Persistently_ evaluate and test the configuration of _machine-based_ _information resources_, especially infrastructure as code.