This Community Working Group will host biweekly townhalls on Mondays from 1:00-1:30 PM ET starting on 4/14/2025:
Register here to attend.
Find us on GitHub
Each working group has a GitHub repository where GitHub Discussions are open for public participation. The Rev5 Continuous Monitoring repository can be found here.
What You’ll Work On
In the new FedRAMP, the PMO will no longer force industry cloud service providers to upload raw vulnerability scan logs to a central FedRAMP service, and then process log files to generate reports manually. Cloud service providers will instead generate reports directly using their own automation systems against a simple standard, and then make those reports available to customers via normal channels.
This working group will focus on exploring standards for continuous monitoring reporting by cloud service providers with FedRAMP Rev 5 authorizations (and those on legacy Rev 4 authorizations) that may meet the needs of agency security professionals to validate the risk posture of the CSO. Topics for discussion could include approaches where providers no longer need to upload scan logs to a central service, and could instead develop simple standard reports to make directly available to customers via their partner portals.
Target Audience
- Cloud Service Providers who are currently FedRAMP Authorized under Rev5 or are in the review pipeline
- Agency Security Teams who are currently performing continuous monitoring under Rev5
- Third-Party Assessment Organizations (3PAOs)
- FedRAMP Advisors/Consultants