FedRAMP Receives First OSCAL System Security Plan
FedRAMP is excited to announce that the first Open Security Controls Assessment Language (OSCAL) formatted System Security Plan (SSP) was accepted from a FedRAMP authorized Cloud Service Provider (CSP). This is a milestone achievement for the program and kickstarts FedRAMPs ability to apply automated validations.
FedRAMP encourages CSPs and 3PAOs to begin using automated validation rules to self-test prior to submitting a package to FedRAMP. As the automated validations process progresses, FedRAMP will release more rules for industry to use. You can find more information using the following resources:
- August 2020 FedRAMP blog: OSCAL resources and templates
- NIST’s OSCAL resource page: NIST’s OSCAL releases and updated
- August 2021 FedRAMP Blog: OSCAL Validation Rules
How Did We Get Here?
The FedRAMP PMO, in collaboration with NIST, has been working to standardize authorization packages and streamline their review with a common machine-readable language, also known as OSCAL. In June 2021, NIST released version 1.0.0 of OSCAL and in August 2021, FedRAMP released the first set of validation rules via GitHub.
What’s the Big Deal?
As CSPs continue to adopt the OSCAL format, FedRAMP anticipates a more efficient use of time and resources for processing package submissions. To further leverage OSCAL, FedRAMP developed a set of validation rules to enable automated initial reviews. These automated reviews will:
- Expedite the time it takes to review packages and complete initial checks for completeness and common errors
- Allow FedRAMP reviewers to focus on more complex elements of the review
- Provide consistent feedback with structured markup, just like FedRAMP reviewers do today. FedRAMP will continuously update validation rules to automate increasingly complex review checks
- Allow FedRAMP to notify CSPs earlier when a package does not meet initial requirements
- Enable CSPs and 3PAOs to conduct self-tests prior to submitting a package
FedRAMP is currently accepting all authorization deliverables submitted in the OSCAL format and hopes to receive more deliverables as CSPs adopt this machine-readable formatting language. FedRAMP will also continue to accept authorization deliverables in Word format and final versions can be submitted in PDF, after a FedRAMP Authorized designation is achieved.
If you have any questions, please reach out to firstname.lastname@example.org.
FedRAMP completed this work in partnership with GSA’s 10x program. For more information about 10x, please visit 10x.gsa.gov.