The vulnerability scanning requirements are part of the FedRAMP Continuous Monitoring Strategy Guide and the appropriate FedRAMP Low, Moderate, or High security control baselines, specifically in control RA-5.
The ConMon scanning requirements make FedRAMP ConMon activities more efficient, improve the quality of the ConMon information provided to FedRAMP, and better position FedRAMP to perform robust analysis in the near future. These changes also better enable FedRAMP to scale up as the volume of FedRAMP Authorized systems continues to increase.
Further, FedRAMP has an obligation to determine and enforce CSP compliance with such security requirements.