The Federal Risk and Authorization Management Program is requesting public feedback on proposed updates to continuous monitoring requirements for cloud service providers under its Rev5 security baselines.
The request for comments, open through April 22, focuses on clarifying expectations for how cloud service providers share continuous monitoring data — including vulnerabilities, assessment results and remediation activities — with all federal agency customers, FedRAMP said Thursday.
Table of Contents
What Changes Is FedRAMP Proposing?
The draft updates revise the CA-7 continuous monitoring control to standardize reporting and coordination requirements across providers with multiple agency authorizations.
Key changes include removing outdated references to the Joint Authorization Board, requiring independent assessors to flag gaps in meeting the continuous monitoring requirement as high-impact findings and outlining clearer expectations for documenting corrective actions.
The proposal also introduces a detailed blueprint to guide providers in implementing collaborative continuous monitoring.
Why Is FedRAMP Updating the Guidance?
FedRAMP said the revisions are intended to ensure agencies have consistent access to the information needed to maintain ongoing authorizations for cloud services already in use.
The update follows changes introduced under OMB Memorandum M-24-15, which shifted FedRAMP’s operating model and eliminated prior authorization pathways, necessitating alignment of existing guidance with the new framework.
When Would the Changes Take Effect?
FedRAMP plans to integrate these updates into its 2026 consolidated rules by late June. While initial adoption begins upon publication, enforcement will be phased in through the end of the year. Full compliance is expected by 2027, at which point providers failing to meet requirements will face formal remediation.
Related Articles
Stacy Bostjanick, chief of defense industrial base cybersecurity in the Department of War’s Office of the Chief Information Officer, will retire from federal service on April 30 after a 37-year career, Federal News Network reported Thursday. Bostjanick has led DOW’s Cybersecurity Maturity Model Certification program in the past six years and helped guide the initiative from its early development through multiple iterations to its current implementation phase. As the Pentagon prepares for a leadership transition in its CMMC program, attention is turning to what comes next for defense industrial base cybersecurity. Industry and government leaders will explore these evolving priorities
U.S. President Donald Trump and Japanese Prime Minister Sanae Takaichi have announced a series of economic, energy, defense and technology initiatives to strengthen the U.S.-Japan alliance and enhance economic security and deterrence in the Indo-Pacific region. The White House said Thursday the initiatives are aimed at expanding market access for U.S. agriculture, accelerating Japanese investment in U.S. industry and enhancing bilateral cooperation across critical supply chains, energy, emerging technologies and defense. What Are the US Projects Under the 2nd Tranche of Japanese Investments? The second tranche includes up to $40 billion from GE Vernova Hitachi to build small modular reactor
The Defense Logistics Agency is integrating artificial intelligence and machine learning across its operations as part of a broader effort to strengthen supply chain resilience and accelerate digital transformation, according to Adarryl Roberts, DLA’s chief information officer, in an interview published Thursday. How Is DLA Integrating AI/ML Into Operations? Roberts, who was a speaker at the Potomac Officers Club’s 2025 Army Summit, said AI is helping unify disparate data sources, enabling faster, more informed decisions and allowing personnel to shift their focus from data collection to mission execution. Hear defense leaders, including Department of War CIO Kirsten Davies, talk about