This Community Working Group will launch on Thursday, April 10, 2025.
Details on how to participate will be posted shortly.
What You’ll Work On
This working group will focus on a future where ongoing risk monitoring is enforced, validated and reported continuously. In this future, CSPs will have a transparent, effective methodology for reporting overall risk posture and incident status via standard customer channels without FedRAMP in the middle.
Continuous reporting consists of the following areas:
- Data generation: data is automatically generated from system components (CI/CD, monitoring agents, vulnerability scans, configurations, etc.)
- Data analysis: data is normalized and aggregated into information in the form of Key Security Indicators (KSIs) that represent system risk
- Reporting: information is presented to customers in consolidated reports that reflect near-real-time risk posture, enabling informed, risk-based decision making
The Reporting Continuously CWG will create a methodology that addresses the who, what, when, where and how for the above steps.
Target Audience
- security, compliance, and governance practitioners
- engineers
- cybersecurity experts and advisors
- agency risk decision makers
- 3PAO assessors