🎫 Rev5 Community Update Special Event: GRC Engineering with Rev5
Monthly Rev5 Community Update that took place on Wednesday, March 4, 2026, included guest speakers: Fritz Kunstler (Amazon Web Services), Kenny Scott (Paramify), Ethan Troy (Fortreum), and David Waltermire (RegScale).

===========================================================
Video highlights:

FedRAMP Communications and CISA Directive ED 26-03
Discussed the issuance of a CISA Directive (26-03) for Cisco SD-WAN and the response rate from participants to FedRAMP's communication regarding this directive, noting that FedRAMP reached out to about 630 people and received over 530 responses as of the preceding Monday.

FedRAMP Security Inbox
FedRAMP Security Inbox is still planned for the next few weeks in March.

RFC-0024: FedRAMP Rev5 Machine-Readable Packages
FedRAMP released RFC-0024 to drive cloud services toward maintaining packages in an automated way using streamlined tools, rather than relying on Word documents and Excel spreadsheets. The public comment period ends on March 11, 2026.

Service-Specific System Security Plans (SSPs)
A sleeper requirement in RFC-0024, LMR-GEN-SDS (service-based data separation), was introduced. This requirement proposes that Cloud Service Providers (CSPs) offering different services should provide full System Security Plans (SSPs) for each service (e.g., separate SSPs for a "gold service" and a "platinum service") instead of a single, monolithic document.

The Future of SSPs and Machine-Readable Formats
Discussion revolved around moving away from static documents (like DOCX SSPs) to living, machine-readable documents. This shift would allow AI agents or tools to ingest the information, compare offerings, and enable a marketplace where consumers can pull information like an API.

Service Information and Secure Configuration Guidance
It was proposed that if an SSP is in a machine-readable format, it should link to the secure configuration, making the information easily discoverable. But a major challenge is the lack of easily accessible and service-specific secure configuration guidance for the federal version of a service, compared to its commercial counterpart.

Updating After Significant Changes (LMR-GEN-USC)
A major complaint from government customers is that new, FedRAMP-hyped services are not reflected in a CSP's SSP until the next annual assessment. The proposed requirement LMR-GEN-USC (updating after significant changes) would require CSPs to update their package by the end of the next month after a significant change.

Mindset and Business Investment
The discussion touched on the cultural shift required, moving from "DevSecOps" to "DevSecComplianceOps" to integrate compliance into the entire development pipeline. It was suggested that organizations must start viewing investments in their GRC program as something that builds a more secure and competitive business, rather than just a cost of entry.

===========================================================
Links shared during this session:
https://www.fedramp.gov/rfcs/0024/
https://github.com/FedRAMP/community/...

===========================================================
Be a part of the CWG discussion on GitHub:
https://github.com/FedRAMP/community/...

===========================================================
Learn more about the FedRAMP Rev 5 CWG:
https://www.fedramp.gov/community/


