FedRAMP Releases Updated OSCAL Template & Tools
In June 2021, FedRAMP announced NIST’s release of OSCAL 1.0.0 on GitHub for CSPs, 3PAOs, and agencies to begin exploring for future use. In collaboration with NIST, FedRAMP updated OSCAL resources, including the comprehensive set of guides and conversion tools.
New and Revised Resources Are Available!
FedRAMP has published resources to aid stakeholders and vendors in the digitization of FedRAMP authorization package content. Located on the FedRAMP Automation GitHub Repository, these include:
- Revised - FedRAMP Baselines (XML, JSON, and YAML formats) Updated for the OSCAL 1.0.0 format, the baselines now also include a “CORE” property, enabling tools to identify the FedRAMP core controls; as well as the assessment objectives and methods (Examine, Interview, Test) found in a blank test case workbook (TCW).
- Revised - Guide to OSCAL-based FedRAMP Content, with explanations and recommendations for concepts common to all FedRAMP deliverables when using OSCAL.
- Revised - Guide to OSCAL-based FedRAMP System Security Plans (SSP)
- Revised - Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
- Revised - Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR)
- Revised - Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
- Revised - FedRAMP OSCAL Registry The registry was previously expanded to become the authoritative source for FedRAMP extensions to OSCAL in addition to required identifiers and accepted values. Conformity tags and risk metrics are now included in the registry and explained in the relevant guides. The registry covers FedRAMP requirements in OSCAL baselines (profiles), SSP, SAP, SAR, and POA&M content. It is now published in PDF and HTML, and experimental machine-readable copies are provided in XML and JSON.s
- OSCAL - based FedRAMP Samples. Updated to reflect OSCAL 1.0.0 for the SSP, SAP, SAR, and POA&M. These exist in both XML and JSON formats.
- Revised - OSCAL Conversion Tools FedRAMP updated OSCAL conversion tools for several authorization package materials, to include: SSP, SAR, and SAP.
Together, these resources enable FedRAMP stakeholders and tool vendors to develop OSCAL-enabled FedRAMP authorization packages. OSCAL is not currently a requirement, but we expect the benefits to spur adoption and FedRAMP is ready to start receiving information in OSCAL as a pilot.
We Want Your Feedback!
All development efforts have been performed openly and we are seeking your feedback on our progress to date. Will these machine-readable formats and guidance aid your organization in going through the authorization process efficiently? Do you have any further ideas to enhance the work? Let us know!
The FedRAMP PMO looks forward to receiving your comments and sharing additional progress.