FedRAMP Releases OSCAL Validations

August 12 | 2021

FedRAMP is excited to announce the development of OSCAL validation rules, which will allow FedRAMP to automate a significant portion of the security package review. Additionally, validation rules will enable CSPs and 3PAOs to conduct self-testing prior to package submissions.

Today’s Challenge: Time to Achieve an ATO

Security assessments and authorizations are often time-consuming. FedRAMP’s goal is to reduce end-to-end authorization timelines, and the PMO is taking important steps to expedite the review process through reusable automation.

The Solution: OSCAL-Enabled Automated Validations

To address the time it takes to review packages, FedRAMP is developing a set of validation rules that will leverage OSCAL to enable automated reviews. These automated reviews will provide consistent feedback with structured markup, just like the FedRAMP reviewers do today. FedRAMP will continuously update validations to address increasingly complex review checks.

Impact and Benefits of Automated Validations

FedRAMP review teams will utilize the automated validation rules to conduct initial package reviews, allowing FedRAMP to notify CSPs earlier when a package does not meet initial requirements. Prior to submitting a package, CSPs and 3PAOs can use automated validation rules to conduct their own self-tests. When both FedRAMP and industry utilize automated validation rules, FedRAMP reviewers will spend less time on packages that do not pass initial criteria and are therefore not ready for review.

Our Implementation Plan

We are excited to present our first set of validation rules via GitHub. We encourage CSPs and 3PAOs to begin using this set of automated validation rules to self-test prior to submitting a package to FedRAMP. As the automated validations process progresses, the PMO will release more rules for industry to utilize.

If you have any questions, please reach out to oscal@fedramp.gov.

The FedRAMP PMO completed this work in partnership with GSA’s 10x program. For more information about 10x, please visit 10x.gsa.gov.