cloud-gov / compliance

Compliance automation for cloud.gov

Add details to our Continuous Monitoring strategy #170

Closed brittag closed 8 years ago

brittag commented 8 years ago

In order for compliance reviewers to understand cloud.gov's Continuous Monitoring strategy, we need a document that explains it in a fair amount of detail. This strategy will be discussed in detail on Wednesday August 10, so this strategy document needs to be fleshed out before then (ideally by Monday).

The latest Word doc version of this is in this folder.

We need to make sure we add specifics related to the continuous monitoring process, such as who is responsible for:

Also:

In general we should just flesh out this document to describe our real processes and how we manage them.

Acceptance criteria:

An enhancement to this will be putting this plan into https://docs.cloud.gov/ rather than maintaining it as a Word doc, so that it fits into our team processes better, but for now we should focus on just one place (the Word doc) rather than maintaining both.

brittag commented 8 years ago

Also this strategy doc should include some technical info about:

brittag commented 8 years ago

A little more context - here's the NIST standard for continuous monitoring strategy (CA-7). This strategy will be checked against that standard, basically.

In our SSP, CA-7 is mostly marked "planned" - but good to also take a look at that. After we update this strategy, we should go update the CA-7 documentation in the SSP.

dlapiduz commented 8 years ago

Couple things from Bridget:

On the title page, change the title to "cloud.gov Continuous Monitoring Strategy" (versus Guide). I suggest replacing each reference to "CSP" in Sections 1 and 2 with "cloud.gov".
I suspect the JAB will want specifics related to your continuous monitoring process. For example, who is responsible for:

  • maintaining the inventory and ensuring that the entire inventory is scanned
  • ensuring scan tools are kept up-to-date with the latest plug-ins and configured correctly
  • POA&M management, including vendor check-ins
  • ensuring that monthly ConMon deliverables are submitted to FedRAMP on time
  • Describe any aspects of your ConMon process that are automated, and those that are manual.

jcscottiii commented 8 years ago

@brittag added a new doc which is dated for today (8/4) in the folder!

brittag commented 8 years ago

Thanks @jcscottiii for getting these details together! I reworked this a bit for clarity. I uploaded my version to that folder, and I sent it to Bridget. We may need to do some more work on this, but at least it has some meaty details now. :)

brittag commented 8 years ago

OK, based on feedback, I did a last copyedit and uploaded it to MAX.gov - so I'll consider this done for now.