While I appreciate vendors have to eat, I'm not sure what the policy is on explicit adverts. That said, let's discuss at face value the topic as practitioners. FedRAMP, CMMC, CSA are very different beasts. Sure there are common attributes and design forces, but that's about where the utility of combining these in a pitch ends. Any sort of one-size-fits-all approach is likely to come up very short, especially in regards to the updated materials Michael posted and the GSA comments on the recent FedRAMP survey.
Agencies invest a LOT in sponsoring a F/R or even reusing one (thus the Agency Liaison program), so adequately preparing not only the technical controls but the people and process controls is extremely important to success. Ignore these at your great peril.

If the community has interest in open source (e.g. OSCAL), vendor/commercial, and DIY/in-house approaches to the updated guidance, and in particular how it relates to CSA controls and programs, I would be happy to host a discussion either under the appropriate CSA forum, or in the CNCF Security TAG call (CSA and CNCF are working on more collaboration efforts). +1 here or slack me on CNCF.

EDIT: and would wholeheartedly invite vendors and consultants to join and share their advice and experiences to the benefit of all!

Robert Ficcaglia
Co-Chair Kubernetes Policy WG
Kubernetes SIG Security
CNCF Security TAG, Lead Assessor