FedRAMP Releases OSCAL Validations
FedRAMP is excited to announce the development of OSCAL validations rules, which will allow FedRAMP to automate a significant portion of the security package review. Additionally, validation rules will enable CSPs and 3PAOs to conduct self-testing prior to package submissions.
Today’s Challenge: Time to Achieve an ATO
Security assessments and authorizations are often time consuming. FedRAMP’s goal is to reduce end-to-end authorization timelines and the PMO is taking important steps to expedite the review process through reusable automation.
The Solution: OSCAL Enabled Automated Validations
To address the time it takes to review packages, FedRAMP is developing a set of validation rules that will leverage OSCAL to enable automated reviews. These automated reviews will provide consistent feedback with structured markup, just like the FedRAMP reviewers do today. FedRAMP will continuously update validations to address increasingly complex review checks.
Impact and Benefits of Automated Validations
FedRAMP review teams will utilize the automated validation rules to conduct initial package reviews, allowing FedRAMP to notify CSPs earlier when a package does not meet initial requirements. Prior to submitting a package, CSPs and 3PAOs can use automated validation rules to conduct their own self-tests. When both FedRAMP and industry utilize automated validation rules, FedRAMP reviewers will spend less time on packages that do not pass initial criteria, and therefore, are not ready for review.
Our Implementation Plan
We are excited to present our first set of validation rules via GitHub. We encourage CSPs and 3PAOs to begin using this set of automated validation rules to self-test prior to submitting a package to FedRAMP. As the automated validations process progresses, the PMO will release more rules for industry to utilize.
If you have any questions, please reach out to email@example.com
The FedRAMP PMO completed this work in partnership with GSA’s 10x program. For more information about 10x, please visit 10x.gsa.gov.