Evidence Collection at Machine Scale
Continuous monitoring in FedRAMP is meant to be continuous. In practice, for years, it has been batch. A team ran a report, took a screenshot, dropped it in a folder, and moved on until next quarter. The artifact was accepted because there was no economical way to demand more, and auditors were sympathetic to the reality that evidence collection was manual work.
That era is ending. When automation can collect evidence every hour against every control, the quarterly screenshot stops being an accommodation and starts looking like a choice. The auditors have noticed.
What changed
Two things changed at roughly the same time.
First, the infrastructure stopped making evidence collection hard. Cloud control planes expose their state through APIs. Configuration management systems keep structured records of what they deployed and when. Identity providers produce detailed access logs. Network controls publish policy state. The raw material for evidence is available in queryable form, continuously, without human effort.
Second, the expectation caught up. FedRAMP 20x and the broader continuous-ATO push are explicit that the target is machine-readable, continuous evidence. Not "we can generate evidence when an auditor asks." Continuous, flowing evidence, captured as the system operates, available for query at any point.
In this world, the question is no longer "how do we produce the artifact." It is "why is there a gap between what the artifact says and what the control is doing."
Where the gap shows up
In manual evidence collection, there was a lot of room for the artifact to paper over the reality. A screenshot of a configuration at a specific moment did not reveal the drift that happened two weeks later. A spreadsheet of access reviews did not reveal the accounts that had been added mid-cycle. The evidence was right for its moment and wrong most of the time.
Automated evidence collection eliminates this cover. If the monitoring system is reading the actual configuration every hour and the actual configuration has drifted, the drift shows up in the evidence. If an account was added and not reviewed, the review gap is visible. The evidence starts telling the truth at a resolution the artifact never did.
For most organizations, the first six months of running automated evidence collection are a period of discovering how much of their compliance posture was aspirational. This is uncomfortable. It is also exactly the point. The gap between "we have a control" and "the control is operating" was always there. Automation makes it visible. What was previously a once-a-year scramble to close becomes a weekly reality to address.
What this requires of the tooling
Evidence collection at machine scale requires tooling that was not designed around the assumption that evidence is a quarterly artifact.
The tooling has to read the running infrastructure, not ask humans to self-report. It has to produce structured evidence that maps cleanly to controls, not unstructured artifacts that a human later labels. It has to store evidence in a form that is queryable over time, not archived as a set of point-in-time captures. It has to surface control drift as soon as the drift occurs, not six weeks later when someone runs the next report.
This is the work the FedRAMP Management Engine is built for. It reads the infrastructure state directly, produces evidence mapped to the control catalog, and makes drift visible as it happens. The point is not to produce prettier artifacts. The point is to produce evidence that reflects the control, continuously, so that compliance becomes a property of the running system rather than a periodic artifact-generation exercise.
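The contrast between a point-in-time capture and hourly readings, as an added example (not code from the FedRAMP Management Engine or from this article): it finds drift windows in constructed hourly evidence records and shows that two periodic captures of the same quarter both report compliant. The control ID SC-28, the resource name and the record fields are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: hourly evidence for one setting mapped to one control.
# Control ID, resource name and field names are illustrative assumptions.
EXPECTED = {"control": "SC-28", "resource": "bucket/audit-logs", "encryption": "enabled"}

def make_records(start, hours, drift_from, drift_to):
    """Build constructed hourly readings; state is 'disabled' for hours in [drift_from, drift_to)."""
    records = []
    for h in range(hours):
        state = "disabled" if drift_from <= h < drift_to else "enabled"
        records.append({"control": EXPECTED["control"], "resource": EXPECTED["resource"],
                        "collected_at": start + timedelta(hours=h), "encryption": state})
    return records

def drift_windows(records, expected):
    """Return (first_seen, last_seen, readings) for each contiguous run of non-compliant readings."""
    windows, run = [], []
    for rec in sorted(records, key=lambda r: r["collected_at"]):
        if rec["encryption"] != expected["encryption"]:
            run.append(rec["collected_at"])
        elif run:
            windows.append((run[0], run[-1], len(run)))
            run = []
    if run:  # drift still open at the end of the data
        windows.append((run[0], run[-1], len(run)))
    return windows

def point_in_time_view(records, capture_times, expected):
    """What a periodic capture would have reported: compliant or not at each capture time."""
    by_time = {r["collected_at"]: r for r in records}
    return [by_time[t]["encryption"] == expected["encryption"] for t in capture_times]

START = datetime(2024, 1, 1)
# 90 days of hourly readings; drift begins two weeks in (hour 336) and lasts 30 hours.
RECORDS = make_records(START, 90 * 24, 336, 366)
# Two manual captures: one at the start of the quarter, one near the end.
CAPTURES = [START, START + timedelta(days=89)]

if __name__ == "__main__":
    for first, last, n in drift_windows(RECORDS, EXPECTED):
        print(f"{EXPECTED['control']} {EXPECTED['resource']}: drift {first} -> {last} ({n} readings)")
    print("point-in-time captures compliant:", point_in_time_view(RECORDS, CAPTURES, EXPECTED))
```

The same `drift_windows` query works over any stored evidence series, which is why the records need to be kept in time-ordered, queryable form rather than as isolated captures.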
The reorientation
The shift from artifact-centric to evidence-centric compliance is not finished. Most organizations are still partway through it. The ones that finish will be the ones that treated the artifact as a consequence of the control rather than as the deliverable. The artifact was always meant to be evidence. The industry is finally building toward that meaning.