I think everyone is missing the real point. In order to achieve an "authority to operate" or ATO in the federal space, all IT system owners must complete a "system security plan" based on the Privacy and Cybersecurity Framework as defined in NIST 800-53r5.
Now, if a service provider (like any system owner) has built a service using PVM and it has been "ATO'd" and adopted into the FedRAMP catalog following NIST 800-37, then any consumer of that service can inherit the security of the underlying service. The question is, what are the requirements detailed in "Federal Information Security Management Act of 2002" or FISMA which drive all of the need for NIST?
Well, this is where the conversation concerning foreign ownership and open/closed source code is relevant. There is no reason why PVM can't be a viable solution for hypervisors in US federal environments. But someone needs to build a system with PVM and go through the security assessment process to see what the issues are and find solutions for them. This has been the case for thousands of software and hardware products over the last couple of decades, with those products worth their merit surviving the assessment. Usually, much better for it.