Evolving Secure Development through FedRAMP Continuous Monitoring Trends
CVE/FIRST VulnCon 2025 · Main Stage
This talk by Stephanie Harris and Christopher Lusk from Red Hat examines **FedRAMP (Federal Risk and Authorization Management Program)** continuous monitoring and its impact on secure development practices within a large enterprise. The speakers, both principal product security engineers working in Red Hat's FedRAMP program, share their experience of meeting stringent government compliance requirements, particularly for a system categorized at **FedRAMP High**. Their presentation shows how the continuous, data-intensive nature of FedRAMP compliance can be leveraged not just to meet regulatory obligations, but to drive measurable improvements in an organization's overall security posture and development lifecycle.
AI review
Harris and Lusk deliver a competent, honest practitioner case study on what it actually looks like to run FedRAMP High continuous monitoring at scale inside a major open-source vendor. The talk lives in the case-study/war-story lane, and judged there it does a reasonable job: the data is real (1,500 CVEs, 220 components, a year of scan output), the pain points are specific enough to be credible, and the FIPS-vs-remediation tightrope is a genuinely underappreciated operational tension they explain well. It won't redefine anyone's thinking, and the 'suggestions' section lands closer to…