FedRAMP Announces NIST’s OSCAL 1.0.0 Release
NIST released version 1.0.0 of OSCAL. The FedRAMP PMO, in collaboration with NIST, is working to standardize authorization packages and streamline their review with a common machine-readable language, also known as the Open Security Controls Assessment Language (OSCAL).
Benefits of OSCAL
With OSCAL, activities associated with preparing, authorizing, and reusing services will require less time and fewer resources. As a result of a machine-readable authorization package, we anticipate several impacts, such as:
Cloud Service Providers (CSPs)
Will be able to create their System Security Plans (SSPs) more rapidly and accurately, validating much of their content before submission to the government for review.
Will be able to expedite their reviews of the FedRAMP security authorization packages.
Third Party Assessment Organizations (3PAOs)
Will be able to automate the planning, execution, and reporting of cloud assessment activities.
OSCAL 1.0.0 includes:
- Updated stable versions of catalog and profile models which provide a structured representation of control catalogs and baselines or overlays.
- Updated stable version of the System Security Plan model which provides a structured representation of a system’s control-based implementation.
- Updated stable version of the component definition model which provides a stand-alone structured representation of the controls that are supported in a given implementation of a hardware, software, service, policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
- Updated stable versions of the assessment plan, assessment results, plan of action and milestones (POA&M) models, which support the structured representation of information used for planning for and documenting the results of an information system assessment or continuous monitoring activity.
- Updated tools to convert between OSCAL, XML, and JSON formats, and to upconvert content from previous releases to RC2.
To stay updated on NIST’s OSCAL releases, we encourage you to visit NIST’s OSCAL resource page.
FedRAMP’s OSCAL Resources
To access the FedRAMP PMO templates and resources, please visit the FedRAMP Automation resources on GitHub.
We Want Your Feedback!
All development efforts have been performed openly and we are seeking your feedback on our progress to date. Will these machine-readable formats and guidance aid your organization in going through the authorization process efficiently? Do you have any further ideas to enhance the work? Let us know!
The FedRAMP PMO looks forward to receiving your comments and sharing additional progress.