FedRAMP Moves to Automate the Authorization Process
FedRAMP is excited to announce that the program has reached an important automation milestone. FedRAMP has worked closely with NIST and industry to develop the Open Security Controls Assessment Language (OSCAL), a standard that can be applied to the publication, implementation, and assessment of security controls.
FedRAMP expects OSCAL will offer a number of benefits to streamlining and automating components of the authorization process. Below are just a few examples:
- Cloud Service Providers (CSPs) will be able to create their System Security Plans (SSPs) more rapidly and accurately, validating much of their content before submission to the government for review.
- Third Party Assessment Organizations (3PAOs) will be able to automate the planning, execution, and reporting of cloud assessment activities.
- Agencies will be able to expedite their reviews of the FedRAMP security authorization packages.
- The FedRAMP Program Management Office (PMO) expects to be able to build tooling to further reduce the cost and improve the quality of security reviews.
NIST and FedRAMP just released OSCAL Milestone 2 for public comment, which offers:
- A new System Security Plan (SSP) model that lets organizations automate the documentation of security and privacy control implementation using OSCAL
- Published draft FedRAMP baselines (High, Moderate, Low, and Tailored) in OSCAL XML and JSON formats
- Published content for the three NIST baselines and the NIST SP 800-53 revision 4 catalog in OSCAL XML, JSON, and YAML formats
- Stable versions of the OSCAL catalog and profile models and associated XML and JSON schemas
- Tools to convert the OSCAL catalog, profile, and SSP content between XML and JSON
- A registry of FedRAMP-specific extensions, FedRAMP-defined identifiers, and a draft list of acceptable values when using OSCAL
- An OSCAL-based FedRAMP SSP template, available in both XML and JSON formats.
- A guidance document to aid tool developers in generating fully compliant OSCAL-based FedRAMP SSP content.
The FedRAMP Automation resources on GitHub include the following:
- FedRAMP OSCAL Registry
- Guide to OSCAL-based FedRAMP System Security Plans
- OSCAL-based FedRAMP SSP Template
- FedRAMP Baselines: High, Moderate, Low, and Tailored for LI-SaaS in XML and JSON Formats
FedRAMP is looking for comment on any of these items. If you have feedback, please provide comments either via email to firstname.lastname@example.org, as a comment to an existing issue, or as a new issue within the FedRAMP Automation repository.
FedRAMP’s work is based on NIST’s OSCAL 1.0.0-Milestone2 release, and may require an understanding of the core OSCAL syntax, as well as NIST-provided resources to function correctly. A complete package containing the NIST OSCAL converters, syntax validation tools, 800-53 and FedRAMP baseline content is available for download in both ZIP and BZ2 formats.
We Want Your Feedback!
All development efforts have been performed in the open and we are seeking your feedback on our progress to date. Will these machine-readable formats and guidance aid your organization in going through the authorization process efficiently? Do you have any further ideas to enhance the work? Let us know!
The FedRAMP PMO looks forward to receiving your comments and sharing additional progress.