This Community Working Group will host biweekly townhalls on Thursdays from 1:00-1:30 PM ET starting on 4/24/2025.
Register here to attend.
Find us on GitHub
Each working group has a GitHub repository where GitHub Discussions are open for public participation. The Continuous Reporting repository can be found here.
What You’ll Work On
This working group will focus on a future where ongoing risk monitoring is enforced, validated and reported continuously. In this future, CSPs will have a transparent, effective methodology for reporting overall risk posture and incident status via standard customer channels without FedRAMP in the middle.
Continuous reporting may involve the following areas:
- Data generation: data is automatically generated from system components (CI/CD, monitoring agents, vulnerability scans, configurations, etc.)
- Data analysis: data is normalized and aggregated to transform it into information in the form of Key Security Indicators (KSIs) that represent system risk
- Reporting: information is presented to customers in consolidated reports that reflect near-real-time risk posture, enabling informed, risk-based decision making
The Reporting Continuously CWG may explore developing a methodology that addresses the who, what, when, where and how for the above steps.
Target Audience
- security, compliance, and governance practitioners
- engineers
- cybersecurity experts and advisors
- agency risk decision makers
- 3PAO assessors