This Community Working Group will host biweekly townhalls on Wednesdays from 1:00-1:30 PM ET starting on 4/16/2025:
Register here to attend.
Find us on GitHub
Each working group has a GitHub repository where GitHub Discussions are open for public participation. The Automating Assessment repository can be found here.
What You’ll Work On
FedRAMP 20x is focused on building a cloud-native, automated security assessment process that enables continuous innovation. This means that instead of evidence consisting of screenshots, we want evidence provided continuously based on actual configurations.
The focus of this working group will be on the development of industry standards and tools to automate assessment, reporting, and/or the enforcement of technical controls. The group may also focus on collaborating on the underlying control translations to make this easy, and sharing guidance on implementation. Start small, go big.
This group should focus on outcomes, with multiple objectives. In order of priority, the objectives are to:
- Explore Key Security Indicators (KSIs).
  - Key Security Indicators are straightforward, measurable and comparable translations of traditional controls.
  - This task will also include determining KSI implementation guidance, types of evidence, frequency of reporting, etc.
- Explore building out an open-source, machine-readable data format for communicating the Key Security Indicators (KSIs).
  - This will serve as the foundation for future automation.
- Consider building out an open-source, machine-readable data format for communicating validations, or responses to the KSIs.
  - Preliminary ideas include generating software libraries from this data model to make integration with existing systems seamless and developer-driven.
Target Audience
- Developers
- Security professionals
Participants should be interested in building collaborative approaches to security automation.