FedRAMP ConMon Deliverables: What You're Required to Submit and When
FedRAMP authorization gets you onto the FedRAMP Marketplace and into agency procurement conversations, but maintaining that authorization is what protects your federal revenue.
The moment you receive an Authority to Operate (ATO), you enter FedRAMP Continuous Monitoring (ConMon), a permanent compliance program with monthly deliverables, fixed vulnerability remediation timelines, and an enforcement mechanism that can suspend or revoke your authorization for non-compliance. Few SaaS companies entering the federal market plan adequately for that ongoing obligation.
This article covers every required ConMon deliverable, the exact cadence for each, the vulnerability service-level agreements (SLAs) embedded in the program, what happens when you miss deadlines, and what it takes to run ConMon independently.
Key Takeaways
- ConMon is a permanent compliance program, not a post-authorization formality. Monthly deliverables are due every 30 days, with annual assessments, penetration testing, and red team exercises layered on top.
- Vulnerability remediation runs on enforceable SLAs. Critical and High findings receive 30 days; Moderate, 90 days; and Low, 180 days, with escalation from Corrective Action Plans to suspension to revocation.
- The operational cost is ongoing. Annual 3PAO assessments, security tooling, dedicated compliance staffing, and monthly reporting create a recurring spend most SaaS teams underestimate.
- A shared boundary model can absorb most of the burden. Deploying under Knox's FedRAMP-authorized boundary lets you inherit 60% to 80% of required security controls, including continuous monitoring, rather than staffing an independent program.
ConMon Obligations Are Statutory, and Two Documents Govern the Program
Your ConMon obligations are backed by the FedRAMP Authorization Act, which directs GSA to implement oversight of continuous monitoring, and OMB Circular A-130, which mandates non-discretionary security control assessments on a periodic basis.
Once your ATO is issued, you enter an ongoing cycle of monthly submissions, annual assessments, and vulnerability remediation on fixed timelines. The ConMon Playbook consolidates nine prior standalone FedRAMP continuous monitoring documents and should be treated as the authoritative source for current guidance.
If you serve multiple agencies, the burden compounds. The Performance Playbook states that agency Authorizing Officials (AOs) and their teams review your ConMon activities, and that Cloud Service Providers (CSPs) with multiple agency customers must use a collaborative ConMon approach intended to simplify the process and minimize duplicative effort.
Those governance documents translate into a concrete set of recurring deliverables, each with its own submission cadence and control mapping.
Every Required ConMon Deliverable and Its Submission Cadence
The FedRAMP ConMon program defines deliverables across four cadences: monthly, annual, triennial, and event-driven. Each ties to specific National Institute of Standards and Technology (NIST) 800-53 Rev 5 controls.
Monthly Deliverables
The monthly ConMon package includes required deliverables that are submitted every 30 days to the authorizing agency:
- Updated Plan of Action and Milestones (POA&M): Tracks past-due findings as part of continuous monitoring (control CA-5).
- Updated system inventory: A complete inventory of all assets within the authorization boundary, maintained under control CM-8 and updated whenever assets change.
- Raw vulnerability scan files: Where agency agreements require it, these must be in a structured, machine-readable format such as XML, CSV, or JSON (control RA-5). FedRAMP requires authenticated vulnerability scans across all inventory within the authorization boundary.
- Monthly ConMon summary report: Uploaded alongside other deliverables (control CA-7).
- Service configuration scans (CSP-performed): Benchmark-based configuration scans required as a monthly deliverable.
- Deviation Requests (DRs): Included when applicable.
- Significant Change Requests (SCRs): Included when applicable, with separate event-driven rules below.
Scanning guidance is mandatory: unauthenticated scans comprising 10% or more of total scan submissions trigger a Corrective Action Plan (CAP) on the second or subsequent occurrence. This is an enforcement trigger, not a warning.
Multi-agency CSPs must implement Collaborative ConMon, uploading deliverables on the same date each month and holding a one-hour monthly ConMon meeting approximately one week after the upload, usually Tuesday through Thursday in the early afternoon Eastern time.
Annual Deliverables
The annual assessment cycle carries hard deadlines with direct enforcement consequences. Plan the cycle at least six months out:
- Annual Security Assessment Plan (SAP): Must be submitted 60 days before the ATO anniversary date as part of the annual reassessment process.
- Annual Security Assessment Report (SAR) and full assessment package: Due by the P-ATO anniversary date (controls CA-2, CA-7). This includes service configuration scans.
- Penetration testing: Required at least every 12 months (controls CA-8, CA-8(1)).
- Red Team: Required annually for Moderate and High systems under FedRAMP Rev. 5 as part of CA-8(2) assessment activities.
- System Security Plan (SSP) and appendices review and update: Completed annually as part of the assessment cycle.
The 60-day SAP deadline is the one most commonly missed; plan your full assessment timeline backward from the ATO anniversary date.
Triennial Deliverables
Specific controls identified in Column J of the controls baseline follow a three-year assessment rotation. Download the current version directly from fedramp.gov; third-party copies may be outdated.
Event-Driven Deliverables
Operational events trigger these submissions and carry their own enforcement timelines:
- Significant Change Request (SCR): Must be submitted at least 30 days before a planned change. Submitting an SCR fewer than 30 days before a planned significant change may lead to FedRAMP performance management actions, potentially including a Corrective Action Plan. Plan accordingly, as review timelines can vary.
- Emergency changes are subject to change management requirements.
- Incident response notifications: Required within one hour of incident identification. The ConMon Playbook v1.0 explicitly states that reporting incidents doesn't result in punitive actions against the CSP, but failure to report will result in escalation.
- Inventory updates: Required as part of the monthly baseline but must also reflect changes as they occur.
With an AO agreement, significant changes can be bundled with the annual assessment, allowing the SAP and SAR to cover both simultaneously. This is explicitly documented in the ConMon Playbook and can reduce both cost and review burden.
Vulnerability Remediation SLAs and How Unresolved Findings Must Be Tracked
FedRAMP enforces remediation timelines tied to vulnerability severity, though the available evidence doesn't confirm that they're measured from the date of discovery. Vulnerabilities use CVSS v3 scoring when available to determine the original risk rating: Critical and High findings must be remediated within 30 days, Moderate within 90 days, and Low within 180 days.
These are enforceable timelines with documented escalation thresholds. The JAB P-ATO rule requires all High and Critical findings to be remediated before receiving a JAB P-ATO; they can't be deferred into the ConMon period.
Tracking Findings When Remediation Is Not Possible
FedRAMP recognizes three deviation categories for vulnerabilities that can't be remediated within the SLA window:
Vendor Dependency (VD): The vendor hasn't released a patch. VDs don't require AO approval and aren't treated as deviation requests. You must document recent vendor check-in dates in the POA&M, and once the vendor releases a fix, the SLA clock restarts.
Operational Requirement (OR): The system can't function if remediation is applied or the vendor explicitly refuses to fix the issue. ORs require 3PAO validation or AO approval and remain on the POA&M Open tab as accepted risks. One absolute prohibition: FedRAMP won't approve an OR for a High vulnerability under any circumstances.
False Positive (FP): The vulnerability doesn't actually exist on the system. You must submit evidence to the AO; if approved, the finding may be closed.
FedRAMP requires the use of the official FedRAMP POA&M template and generally expects vulnerabilities to be tracked individually.
However, related vulnerabilities that share the same remediation plan may be grouped under a single POA&M entry, and publicly available guidance doesn't state that every POA&M entry must pair with an AR finding or ConMon activity, use a scanning tool's unique vulnerability reference ID, or require CVSSv3 scoring.
Accurate tracking matters because the same thresholds that define an acceptable POA&M also define when enforcement begins.
How Enforcement Escalates When Deliverables Are Missed
Missing deliverables or letting findings age past their SLA windows triggers a three-stage escalation model that can move faster than many organizations expect. Each stage carries increasing consequences for your authorization status and federal revenue.
1. Corrective Action Plan (CAP). Triggered by specific volume and age thresholds. Five or more unique High vulnerabilities aged over 30 days past due trigger a Detailed Finding Review (DFR), the warning step. If those same findings aren't resolved within the agreed-upon timeframe, the DFR may escalate to a CAP.
Ten or more Moderate findings aged over 90 days trigger a DFR; past 120 days, a CAP. Additional triggers include unauthenticated scans comprising 10% or more of submissions. In all cases, your system owner must perform root-cause analysis and submit a remediation plan. If you don't resolve the CAP within the agreed timeframe, the process escalates.
2. Suspension. The agency AO temporarily suspends your ATO and may also suspend the product's operational use, meaning the agency can stop using the service. The FedRAMP Marketplace status is publicly updated and visible to all current and prospective agency customers. There's no quiet way to be suspended.
3. Revocation. The agency AO revokes your ATO, and the authorization process must restart. The agency may need to assess alternative options for maintaining compliant cloud services, and the Marketplace listing is updated accordingly. For JAB P-ATOs, revocation is permanent; the only path back is re-entering the JAB authorization process from scratch.
Under RFC-0026, FedRAMP has proposed automating revocation for CSPs with five ConMon failures within 12 months. This isn't yet finalized, but it signals where enforcement is heading.
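The SLA windows, the three deviation categories, and the DFR/CAP thresholds above are the kind of rules a compliance engineer ends up encoding against the POA&M every month. The following is an added example, not code from the article, Knox, or FedRAMP: it models a simplified POA&M and checks it against the numbers stated in this article. Its assumptions are labelled in the code: SLA aging is measured from the discovery date recorded in the POA&M (the article notes this is not confirmed), Critical is grouped with High as in the SLA table, approved ORs (accepted risk) and VDs still awaiting a vendor fix are excluded from past-due counts, and the `Finding` fields are constructed simplifications rather than the official template's column names. The sample POA&M entries and reporting date are constructed.

```python
"""Added example: POA&M aging and ConMon escalation checks built from the SLA
windows, deviation rules and DFR/CAP thresholds listed in the article.

Assumptions (not settled by the article): aging starts at the recorded discovery
date; Critical is grouped with High; approved ORs and VDs awaiting a vendor fix
do not count toward past-due thresholds; field names are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"Critical": 30, "High": 30, "Moderate": 90, "Low": 180}

HIGH_DFR_COUNT = 5          # 5+ unique High findings > 30 days past due -> DFR
HIGH_PAST_DUE_DAYS = 30
MODERATE_COUNT = 10         # 10+ Moderate findings aged > 90 days -> DFR, > 120 -> CAP
MODERATE_DFR_AGE = 90
MODERATE_CAP_AGE = 120
UNAUTH_SCAN_RATIO = 0.10    # >= 10% unauthenticated scans -> CAP on 2nd+ occurrence
RANK = {"OK": 0, "DFR": 1, "CAP": 2}


@dataclass
class Finding:
    poam_id: str
    severity: str                                # Critical / High / Moderate / Low
    discovered: date                             # assumed SLA start (see docstring)
    deviation: Optional[str] = None              # "VD", "OR", "FP" or None
    deviation_approved: bool = False             # AO approval / 3PAO validation
    last_vendor_checkin: Optional[date] = None   # VD: must be documented in the POA&M
    vendor_fix_released: Optional[date] = None   # VD: the SLA clock restarts here
    closed: bool = False


def sla_start(f: Finding) -> date:
    # A VD restarts the clock once the vendor ships a fix; otherwise discovery date.
    if f.deviation == "VD" and f.vendor_fix_released is not None:
        return f.vendor_fix_released
    return f.discovered


def due_date(f: Finding) -> date:
    return sla_start(f) + timedelta(days=SLA_DAYS[f.severity])


def age_days(f: Finding, today: date) -> int:
    return (today - sla_start(f)).days


def days_past_due(f: Finding, today: date) -> int:
    return (today - due_date(f)).days


def counts_toward_thresholds(f: Finding) -> bool:
    """Open findings that age against the SLA (assumption: accepted risk excluded)."""
    if f.closed or (f.deviation in ("FP", "OR") and f.deviation_approved):
        return False
    if f.deviation == "VD" and f.vendor_fix_released is None:
        return False   # clock is not running until the vendor releases a fix
    return True


def audit_deviations(findings) -> list:
    """Flags deviation entries that violate the rules the article states."""
    problems = []
    for f in findings:
        if f.deviation == "OR" and f.severity == "High":
            problems.append(f"{f.poam_id}: OR is never approved for a High finding")
        if f.deviation == "VD" and f.vendor_fix_released is None and f.last_vendor_checkin is None:
            problems.append(f"{f.poam_id}: VD must record a recent vendor check-in date")
    return problems


def escalation(findings, today, unauth_scan_ratio, prior_unauth_breaches) -> dict:
    """Returns the enforcement stage the current POA&M and scan mix would trigger."""
    live = [f for f in findings if counts_toward_thresholds(f)]
    high_late = sorted({f.poam_id for f in live if f.severity in ("Critical", "High")
                        and days_past_due(f, today) > HIGH_PAST_DUE_DAYS})
    mod_over_90 = [f for f in live if f.severity == "Moderate" and age_days(f, today) > MODERATE_DFR_AGE]
    mod_over_120 = [f for f in mod_over_90 if age_days(f, today) > MODERATE_CAP_AGE]

    level, reasons = "OK", []

    def raise_to(new, why):
        nonlocal level
        reasons.append(why)
        if RANK[new] > RANK[level]:
            level = new

    if len(high_late) >= HIGH_DFR_COUNT:
        raise_to("DFR", f"{len(high_late)} High findings > {HIGH_PAST_DUE_DAYS} days past due")
    if len(mod_over_120) >= MODERATE_COUNT:
        raise_to("CAP", f"{len(mod_over_120)} Moderate findings aged > {MODERATE_CAP_AGE} days")
    elif len(mod_over_90) >= MODERATE_COUNT:
        raise_to("DFR", f"{len(mod_over_90)} Moderate findings aged > {MODERATE_DFR_AGE} days")
    if unauth_scan_ratio >= UNAUTH_SCAN_RATIO:
        if prior_unauth_breaches >= 1:
            raise_to("CAP", f"unauthenticated scans at {unauth_scan_ratio:.0%}, repeat occurrence")
        else:
            reasons.append(f"unauthenticated scans at {unauth_scan_ratio:.0%}, first occurrence (CAP on repeat)")
    return {"level": level, "reasons": reasons, "high_past_due": high_late,
            "moderate_over_90": len(mod_over_90), "moderate_over_120": len(mod_over_120)}


# Constructed sample POA&M and reporting date for demonstration only.
TODAY = date(2025, 6, 30)
SAMPLE_POAM = (
    [Finding(f"V-10{i}", "High", date(2025, 4, 1)) for i in range(4)]
    + [Finding("V-104", "Critical", date(2025, 4, 15)),
       Finding("V-105", "High", date(2025, 6, 10)),
       Finding("V-106", "High", date(2025, 3, 1), deviation="OR", deviation_approved=True),
       Finding("V-107", "High", date(2025, 3, 1), deviation="VD", last_vendor_checkin=date(2025, 6, 20)),
       Finding("V-108", "Moderate", date(2025, 1, 10), deviation="VD",
               last_vendor_checkin=date(2025, 5, 1), vendor_fix_released=date(2025, 5, 1))]
    + [Finding(f"V-2{i:02d}", "Moderate", date(2025, 3, 15)) for i in range(10)]
)

if __name__ == "__main__":
    for problem in audit_deviations(SAMPLE_POAM):
        print("deviation problem:", problem)
    result = escalation(SAMPLE_POAM, TODAY, unauth_scan_ratio=0.12, prior_unauth_breaches=0)
    print(result["level"], result["reasons"])
```

Run against the constructed sample, the checker reports a DFR: four High and one Critical finding are more than 30 days past due, ten Moderate findings are aged over 90 but under 120 days, and the 12% unauthenticated scan ratio is logged as a first occurrence. Passing `prior_unauth_breaches=1` for the same data escalates to a CAP, which is the point of the "second or subsequent occurrence" rule. The deviation audit also catches the constructed `V-106` entry, an approved OR on a High finding, which the article says FedRAMP won't grant.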
Meeting that enforcement bar consistently is what drives the operating cost of running ConMon in-house.
The Cost of Running ConMon Independently
Operating ConMon independently is a substantial, recurring expense that most SaaS teams underestimate. The annual spend spans four categories:
- Annual 3PAO assessment: Annual reassessment is a recurring operating cost, and post-assessment remediation can add further expense.
- Security tooling: SIEM, file integrity monitoring, and vulnerability scanning renewals create an ongoing tooling budget.
- Staffing: The largest single cost driver. Maintaining ConMon typically requires dedicated compliance and security personnel, whether in-house or outsourced.
- Documentation maintenance and monthly reporting: POA&M upkeep, monthly reporting packages, and stakeholder documentation are recurring operating tasks that continue for the life of the authorization.
A FedRAMP Moderate ConMon program can represent a substantial annual operating cost once all four categories are accounted for, especially staffing. Organizations with complex multi-agency footprints and high change velocity will generally feel that burden more acutely.
How Knox's FedRAMP Boundary Reduces Your ConMon Scope
That cost picture is what changes the build-versus-buy decision. Knox Systems, a FedRAMP-as-a-Service platform that helps SaaS companies achieve federal authorization in approximately 90 days at roughly 90% less cost than traditional methods, manages ConMon across its Knox FedRAMP boundary and reports holding Authorizations to Operate across 15 federal civilian and defense agencies.
If you operate under the Knox FedRAMP boundary, you inherit a running ConMon program rather than building one from scratch. The infrastructure-layer obligations (SIEM, scanning, incident response, and continuous monitoring) are covered by the Knox FedRAMP boundary, while you retain responsibility for the application layer.
The ConMon burden is permanent, and running it independently is becoming more demanding and expensive. With FedRAMP's proposed VDR standard requiring higher-frequency automated scanning and faster remediation timelines, the operational bar is only rising. For a SaaS company whose core competency is building a product, every dollar and engineering hour diverted to compliance infrastructure is time not spent winning agency contracts.
Book a meeting to see what the full ConMon picture looks like under a shared boundary model, including what your team would still own, what Knox would absorb, and how the annual cost compares to staffing and tooling for an independent program.