The Federal Risk and Authorization Management Program is requesting public feedback on proposed updates to continuous monitoring requirements for cloud service providers under its Rev5 security baselines.
The request for comments, open through April 22, focuses on clarifying expectations for how cloud service providers share continuous monitoring data — including vulnerabilities, assessment results and remediation activities — with all federal agency customers, FedRAMP said Thursday.
Table of Contents
What Changes Is FedRAMP Proposing?
The draft updates revise the CA-7 continuous monitoring control to standardize reporting and coordination requirements across providers with multiple agency authorizations.
Key changes include removing outdated references to the Joint Authorization Board, requiring independent assessors to flag gaps in meeting the continuous monitoring requirement as high-impact findings and outlining clearer expectations for documenting corrective actions.
The proposal also introduces a detailed blueprint to guide providers in implementing collaborative continuous monitoring.
Why Is FedRAMP Updating the Guidance?
FedRAMP said the revisions are intended to ensure agencies have consistent access to the information needed to maintain ongoing authorizations for cloud services already in use.
The update follows changes introduced under OMB Memorandum M-24-15, which shifted FedRAMP’s operating model and eliminated prior authorization pathways, necessitating alignment of existing guidance with the new framework.
When Would the Changes Take Effect?
FedRAMP plans to integrate these updates into its 2026 consolidated rules by late June. While initial adoption begins upon publication, enforcement will be phased in through the end of the year. Full compliance is expected by 2027, at which point providers failing to meet requirements will face formal remediation.
