Additional FedRAMP OSCAL Resources and Templates
In June 2020, FedRAMP announced the release of OSCAL resources and templates on GitHub for CSPs, 3PAOs, and agencies to begin exploring for future use. In collaboration with NIST, FedRAMP updated OSCAL resources to include a comprehensive set of guides for additional deliverables, including the SAP, SAR, and POA&M.
New and Revised Resources Are Available
FedRAMP has published resources to aid stakeholders and vendors in the digitization of FedRAMP authorization package content. Located on the FedRAMP Automation GitHub Repository, these include:
- New - Guide to OSCAL-based FedRAMP Content. Guidance and concepts common to all FedRAMP deliverables when using OSCAL.
- Revised - Guide to OSCAL-based FedRAMP System Security Plans (SSP).
- New - Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP).
- New - Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR).
- New - Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M).
- Revised - Updated FedRAMP OSCAL Registry.
The registry is now expanded to become the authoritative source for FedRAMP extensions to OSCAL in addition to required identifiers and accepted values. Conformity tags and risk metrics are now included in the registry and explained in the relevant guides. The registry covers FedRAMP requirements in OSCAL baselines (profiles), SSP, SAP, SAR, and POA&M content.
- Revised - OSCAL-based FedRAMP SSP Templates/Samples.
FedRAMP SSP Template in both XML and JSON formats.
- New - OSCAL-based FedRAMP Templates/Samples.
There are now three additional templates/samples covering the SAP, SAR, and POA&M. These exist in both XML and JSON formats.
- Revised - FedRAMP Baselines. (XML and JSON formats)
The baselines now include a “CORE” property, enabling tools to identify the FedRAMP core controls; as well as the assessment objectives and methods (Examine, Interview, Test) found in a blank test case workbook (TCW).
- New - Experimental Resources.
FedRAMP is offering additional support files to aid tool developers. These provide content in XML and JSON that is relevant to FedRAMP authorization packages, yet does not fit in the official OSCAL syntax.
Together, these resources enable FedRAMP stakeholders and tool vendors to develop OSCAL-enabled FedRAMP authorization packages. OSCAL is not currently a requirement, but we expect the benefits to spur adoption and FedRAMP is ready to start receiving information in OSCAL as a pilot.
We Want Your Feedback!
All development efforts have been performed in the open and we are seeking your feedback on our progress to date before we finalize this guidance. Will these machine-readable formats and guidance aid your organization in going through the authorization process efficiently? Do you have any further ideas to enhance the work? Let us know!
The FedRAMP PMO looks forward to receiving your comments and sharing additional progress.