The MUCH awaited improved GovRamp ConMon matrix is here!!!!!!!!!
I KNOW you are as excited as I am. Well, okay maybe not but I’ll be excited for the lot of us. (I’m excited…whee!!! 🙂 )

ConMon Matrix Improvement Checklist
Tips from an Excel Aficionado
Here is the list of items I sent to GovRamp to request improvements on. Unfortunately, my list was late: they had already made a lot of improvements and were in the stage of finalizing, so some of my suggestions could not be considered. Here is the list of my asks and what they fixed compared to the old version (Moderate Impact templates, GovRamp-Continuous Monitoring-Matrix_Rev5_V1.2):
Check out their new version here:
What are the most important changes needed in the current version?
Remove existing formula errors on the Executive Summary. THIS IS FIXED!
Protect the Stats Summary sheet so it isn’t modified. Not changed, but that was just a preference, and sheet protection can lead to complex issues. I get why they didn’t change it.
Remove the excessive formula count on the Open POA&M tab. THIS IS FIXED! They significantly reduced the number of formulas…BUT they didn’t do it by adding tables. I have a better way (in my opinion). If you remove the filtering on this page and add a table, you get the best of Excel’s built-in functions. You can still filter, AND when the table expands, the new rows automatically get the completion date formulas. There is still the chance that when a row is cut the formula will get deleted. That is going to happen. So I do think being able to find a spare formula to add back in is a good idea. I will show you later.
Ensure that stated drop downs exist. THIS IS FIXED!
What improvements can be made to assist S.P.s?
Add popup explanations for each column that match the Continuous Monitoring Guide. This will help alleviate common completion errors because the S.P. will get in-cell feedback. Not changed, but there is an instruction sheet, and the ConMon instructions are added into the package folders. Plus many explanations are added into each cell. So that is a GREAT improvement. I can still instruct those who want to know how to do this.
Add formulas to auto-calculate the Executive Summary sheet (to the extent possible). Not changed, but I will show you later how.
Identify whether Critical findings need to have an R.A. to reduce them to a High. The guidance given is that they are part of the “High” vulnerability bucket, but they are clearly treated separately based on the data on the Stats Summary page. Not really addressed. I only mention it because there is a tolerance of 1 Critical per month. It gets the same resolution timeframe, and honestly it isn’t clear what to do with these. Keep in mind all CVEs are published only with base scores. If your system is a low or moderate data system, many “Criticals” are actually Highs. I will discuss this concept in a different area. Disclaimer: modification of published CVE scores is not done willy-nilly. It requires an accurate understanding of both the CVSS scoring system and your own system. Also, risk and severity are two different things, though they are frequently lumped together. (This will get a whole separate lesson in the future.)
Add a “spare” formula over the Scheduled Completion Date in the Open POA&M sheet in case the formulas are deleted or overwritten with just the date and no formula. I just mentioned this…will show you later.
Add an Instructions tab with explanations of the Excel formulas and a link to the Continuous Monitoring Guidance. This could reduce having to explain how to use Excel to novices and reduce “paperwork” errors. DONE! Yay GovRamp!
Super Fancy features…Nice to Haves.
Add a calculation in the D.R. tab that will allow for auto-calculation of the CVSS score. I have developed one for v3.1. It would be super nice to be able to select which CVSS calculation to use, or to go beyond the base score and show the entire calculation, including the environmental score based on the impact level of the system. (In development)
Add a configuration findings tab to show open STIGs and instructions on how to include those in the POA&M counts. Not done yet. I bet this is because S.P.s use a few different tools to monitor their configuration management. Per FedRamp, this needs to be done with DISA STIGs. (See the DOD site. Since the Department of Defense has been renamed to the Department of War I do not know how long this link will function, apologies.) For us non-federal government service providers, the only real tool available from the Federal Government is the STIG Viewer. It is a manual process, but it produces a list that most Feds are used to seeing. You can also use OpenSCAP and its OVAL reports. However, the most important feature of the DISA STIGs is being able to explain exceptions to the recommended configurations for the PMO to review. I have noticed that FedRamp has added a new Configuration sheet to their POA&M workbook to manage the new requirement that NIST CM-6 be monitored monthly just as RA-5 vulnerabilities are. That new sheet looks just like an Open POA&M sheet and provides an area to mark non-conforming configurations. So just keep that in mind. There is no reason for GovRamp to finalize their treatment of configuration management until all changes to FedRamp have been completed. See
Add a section on the Executive Summary that just addresses configuration management counts. I didn’t get this to GovRamp in time to make the latest update cut.
Add a section that auto-calculates current counts that can be copied and pasted into the Executive Summary by month. Again, not seen by the GovRamp board of directors, but I will show you how in a bit.
Add a chart to track progress over the last 12 months. ( In development )
Add a sheet to automate milestone generation per S.P. specifications. I had not shown this to anyone yet. It was in development. I will show you what I’m talking about soon…this is cool!
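The monthly-count idea two items up (auto-calculating the numbers that get pasted into the Executive Summary) is easier to reason about once it is written out as plain logic, so here it is as an added Python example. It is not the author’s Excel formulas and not GovRamp’s template. The POA&M rows at the bottom are constructed sample data, and the column set (severity, status, date detected, scheduled completion, date closed) is an assumption about the minimum an Open POA&M row needs for these counts; the scheduled completion dates are taken as already filled in, since the page does not give the remediation timeframes.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITIES = ("Critical", "High", "Moderate", "Low")


@dataclass
class PoamRow:
    """One POA&M line. Column names are an assumption for this example."""
    poam_id: str
    severity: str
    status: str                      # "Open" or "Closed"
    date_detected: date
    scheduled_completion: date       # normally formula-driven in the sheet
    date_closed: Optional[date] = None


def _in_month(d: Optional[date], as_of: date) -> bool:
    return d is not None and (d.year, d.month) == (as_of.year, as_of.month)


def summarize(rows: List[PoamRow], as_of: date) -> Dict[str, Dict[str, int]]:
    """Counts per severity for the reporting month containing `as_of`:
    open items, open items past their scheduled completion date,
    items detected this month, and items closed this month."""
    buckets = {k: Counter() for k in
               ("open", "overdue", "new_this_month", "closed_this_month")}
    for r in rows:
        if r.severity not in SEVERITIES:
            raise ValueError(f"{r.poam_id}: unknown severity {r.severity!r}")
        if r.status == "Open":
            buckets["open"][r.severity] += 1
            if r.scheduled_completion < as_of:
                buckets["overdue"][r.severity] += 1
        elif r.status == "Closed":
            if _in_month(r.date_closed, as_of):
                buckets["closed_this_month"][r.severity] += 1
        else:
            raise ValueError(f"{r.poam_id}: unknown status {r.status!r}")
        if _in_month(r.date_detected, as_of):
            buckets["new_this_month"][r.severity] += 1
    # Every severity gets a column even when its count is zero.
    return {k: {s: c[s] for s in SEVERITIES} for k, c in buckets.items()}


def summary_table(summary: Dict[str, Dict[str, int]]) -> str:
    """Tab-separated block: paste it into the Executive Summary cells."""
    lines = ["Metric\t" + "\t".join(SEVERITIES)]
    for metric, per_sev in summary.items():
        lines.append(metric + "\t" + "\t".join(str(per_sev[s]) for s in SEVERITIES))
    return "\n".join(lines)


# Constructed sample POA&M rows (not real findings).
SAMPLE_ROWS = [
    PoamRow("V-001", "Critical", "Open",   date(2024, 5, 2),  date(2024, 6, 1)),
    PoamRow("V-002", "High",     "Open",   date(2024, 6, 3),  date(2024, 7, 3)),
    PoamRow("V-003", "High",     "Closed", date(2024, 4, 10), date(2024, 5, 10), date(2024, 6, 5)),
    PoamRow("V-004", "Moderate", "Open",   date(2024, 3, 1),  date(2024, 6, 10)),
    PoamRow("V-005", "Low",      "Closed", date(2024, 1, 15), date(2024, 6, 30), date(2024, 5, 20)),
    PoamRow("V-006", "Moderate", "Open",   date(2024, 6, 10), date(2024, 9, 8)),
]

if __name__ == "__main__":
    print(summary_table(summarize(SAMPLE_ROWS, date(2024, 6, 15))))
```

Two things carry over to the spreadsheet version: the counts are keyed on the severity text exactly (a stray “high” or trailing space silently falls out of a COUNTIFS, which is why the function refuses unknown values), and “overdue” is a comparison against the Scheduled Completion Date, so a row whose formula was overwritten with a bare date still counts correctly as long as the date is there.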
