Skip to main content

Blog

FedRAMP Receives First OSCAL System Security Plan

May 19 | 2022

FedRAMP Receives First OSCAL System Security Plan

FedRAMP is excited to announce that the first Open Security Controls Assessment Language (OSCAL) formatted System Security Plan (SSP) was accepted from a FedRAMP authorized Cloud Service Provider (CSP). This is a milestone achievement for the program and kickstarts FedRAMPs ability to apply automated validations.

FedRAMP encourages CSPs and 3PAOs to begin using automated validation rules to self-test prior to submitting a package to FedRAMP. As the automated validations process progresses, FedRAMP will release more rules for industry to use. You can find more information using the following resources:

How Did We Get Here?

The FedRAMP PMO, in collaboration with NIST, has been working to standardize authorization packages and streamline their review with a common machine-readable language, also known as OSCAL. In June 2021, NIST released version 1.0.0 of OSCAL and in August 2021, FedRAMP released the first set of validation rules via GitHub.

What’s the Big Deal?

As CSPs continue to adopt the OSCAL format, FedRAMP anticipates a more efficient use of time and resources for processing package submissions. To further leverage OSCAL, FedRAMP developed a set of validation rules to enable automated initial reviews. These automated reviews will:

  • Expedite the time it takes to review packages and complete initial checks for completeness and common errors
  • Allow FedRAMP reviewers to focus on more complex elements of the review
  • Provide consistent feedback with structured markup, just like FedRAMP reviewers do today. FedRAMP will continuously update validation rules to automate increasingly complex review checks
  • Allow FedRAMP to notify CSPs earlier when a package does not meet initial requirements
  • Enable CSPs and 3PAOs to conduct self-tests prior to submitting a package

What’s Next?

FedRAMP is currently accepting all authorization deliverables submitted in the OSCAL format and hopes to receive more deliverables as CSPs adopt this machine-readable formatting language. FedRAMP will also continue to accept authorization deliverables in Word format and final versions can be submitted in PDF, after a FedRAMP Authorized designation is achieved.

If you have any questions, please reach out to oscal@fedramp.gov.

FedRAMP completed this work in partnership with GSA’s 10x program. For more information about 10x, please visit 10x.gsa.gov.

Back to Blogs