Original broadcast 8/19/25
Presented by Project Hosts & Carahsoft
For years, government agencies have relied on point-in-time security assessments — annual or periodic reviews that produce a compliance report but may not reflect the day-to-day reality of a system’s security posture. Josh Krueger, Chief Information Security Officer at Project Hosts, says that model is changing quickly. Agencies increasingly want real-time insight into the health of their cloud environments, and industry is stepping up to deliver it.
“We’re starting to get away from point-in-time, annual assessments,” Krueger explains. “Agencies want continuous visibility into the security posture of their systems. They want to know if their database suddenly became unencrypted or if a new exploitable vulnerability appeared — not a month later when the next report is due.”
This shift is closely aligned with initiatives like FedRAMP 20x and the Department of Defense’s Software Fast Track, both of which emphasize faster, more agile security processes. The idea is to move from static compliance documentation to ongoing, automated monitoring that can detect issues as they occur.
At Project Hosts, Krueger says his team is already collecting a wealth of security data from the systems they manage. The next step is making that data immediately accessible to agencies through dashboards and automated alerts. That way, instead of waiting for a monthly meeting to review vulnerabilities, agencies can see and act on them in near-real time.
But making continuous visibility a reality requires more than just technology — it also demands closer collaboration between government and industry. Krueger urges security practitioners to join working groups, participate in requests for comment, and engage early in the policy-making process. Waiting until guidance is finalized, he says, is often too late to make meaningful changes.
“There are too many people waiting for the rules to come out and then just following them,” he says. “If you want to help shape the process, you have to get involved from the start.”
How success is measured also changes in this model. Instead of focusing solely on passing an audit or counting compliance findings, agencies and industry can track metrics like how quickly vulnerabilities are detected and mitigated, or whether exploitable weaknesses are being identified before an attack occurs.
Krueger believes automation is central to this approach. By automating as much of the monitoring, detection, and reporting process as possible, security teams can spend more time verifying that the automation works and responding to real threats — and less time on manual checks.
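The two ideas above, checking posture continuously rather than at audit time and measuring detection and mitigation latency instead of finding counts, are shown below in a small added example. It is not Project Hosts' tooling and the program was not shown; the resource names, control flags, finding records and timestamps are constructed here as assumptions. The drift check compares an approved baseline against a current snapshot (the "database suddenly became unencrypted" case), and the metrics function turns timestamped findings into median hours-to-detect, hours-to-mitigate, and the age of the oldest open exploitable finding.

```python
"""Continuous-monitoring posture checks over constructed sample data.

Added example, not code from the original page or from Project Hosts.
Resource names, control flags, finding IDs and timestamps are constructed.
"""
from datetime import datetime
from statistics import median

# Constructed: approved baseline vs. latest snapshot of two hypothetical databases.
BASELINE = {
    "db-prod-01": {"encrypted_at_rest": True, "public": False},
    "db-prod-02": {"encrypted_at_rest": True, "public": False},
}
CURRENT = {
    "db-prod-01": {"encrypted_at_rest": False, "public": False},  # encryption turned off
    "db-prod-02": {"encrypted_at_rest": True, "public": True},    # exposed publicly
}

# Constructed: three findings with when the weakness appeared, when monitoring
# saw it, and when it was fixed (None means still open).
FINDINGS = [
    {"id": "F-1", "exploitable": False, "introduced": "2025-08-01T00:00",
     "detected": "2025-08-01T06:00", "mitigated": "2025-08-02T06:00"},
    {"id": "F-2", "exploitable": True, "introduced": "2025-08-03T00:00",
     "detected": "2025-08-03T02:00", "mitigated": "2025-08-03T14:00"},
    {"id": "F-3", "exploitable": True, "introduced": "2025-08-05T00:00",
     "detected": "2025-08-05T04:00", "mitigated": None},
]


def posture_drift(baseline, current):
    """Return (resource, control, expected, actual) for every control whose
    current value no longer matches the approved baseline. A resource missing
    from the snapshot reports actual=None for each of its controls."""
    drift = []
    for resource, controls in baseline.items():
        snapshot = current.get(resource, {})
        for control, expected in controls.items():
            actual = snapshot.get(control)
            if actual != expected:
                drift.append((resource, control, expected, actual))
    return drift


def _hours(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def latency_metrics(findings, now):
    """Latency-based metrics: median hours from introduction to detection,
    median hours from detection to mitigation (closed findings only), the IDs
    of open exploitable findings, and the age in hours of the oldest open one."""
    to_detect = [_hours(f["detected"], f["introduced"]) for f in findings]
    to_mitigate = [_hours(f["mitigated"], f["detected"])
                   for f in findings if f["mitigated"] is not None]
    open_findings = [f for f in findings if f["mitigated"] is None]
    return {
        "median_hours_to_detect": median(to_detect) if to_detect else None,
        "median_hours_to_mitigate": median(to_mitigate) if to_mitigate else None,
        "open_exploitable": [f["id"] for f in open_findings if f["exploitable"]],
        "oldest_open_hours": max((_hours(now, f["detected"]) for f in open_findings), default=0.0),
    }


if __name__ == "__main__":
    for resource, control, expected, actual in posture_drift(BASELINE, CURRENT):
        print(f"ALERT {resource}: {control} expected={expected} actual={actual}")
    for name, value in latency_metrics(FINDINGS, "2025-08-06T04:00").items():
        print(f"{name}: {value}")
```

In practice the baseline would come from the authorized configuration and the snapshot from the cloud provider's inventory API on a schedule; the point of the check is that a drift alert fires within one polling interval rather than at the next assessment, and the metrics give the posture a trend line that an audit pass/fail cannot.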
For agencies, the benefits are clear: faster response times, better visibility, and a stronger overall security posture. For industry, it’s an opportunity to deliver higher-value services and strengthen partnerships with government customers.
Key Takeaways:
- Agencies are moving from point-in-time assessments to continuous monitoring of cloud systems.
- Early participation in working groups and policy discussions helps shape effective security practices.
- Automation is essential for real-time detection, reporting, and mitigation of vulnerabilities.
Watch the full program at InnovationInGov.com