FedRAMP Announces NIST’s OSCAL 1.0.0 Release

June 8 | 2021

NIST released version 1.0.0 of OSCAL. The FedRAMP PMO, in collaboration with NIST, is working to standardize authorization packages and streamline their review with a common machine-readable language known as the Open Security Controls Assessment Language (OSCAL).

Benefits of OSCAL

With OSCAL, activities associated with preparing, authorizing, and reusing services will require less time and fewer resources. With a machine-readable authorization package, we anticipate several impacts, such as:

Cloud Service Providers (CSPs)

Will be able to create their System Security Plans (SSPs) more rapidly and accurately, validating much of their content before submission to the government for review.

Agencies

Will be able to expedite their reviews of the FedRAMP security authorization packages.

Third Party Assessment Organizations (3PAOs)

Will be able to automate the planning, execution, and reporting of cloud assessment activities.

OSCAL 1.0.0 includes:

  • Updated stable versions of catalog and profile models which provide a structured representation of control catalogs and baselines or overlays.
  • Updated stable version of the System Security Plan model which provides a structured representation of a system’s control-based implementation.
  • Updated stable version of the component definition model which provides a stand-alone structured representation of the controls that are supported in a given implementation of a hardware, software, service, policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
  • Updated stable versions of the assessment plan, assessment results, plan of action and milestones (POA&M) models, which support the structured representation of information used for planning for and documenting the results of an information system assessment or continuous monitoring activity.
  • Updated tools to convert between OSCAL, XML, and JSON formats, and to upconvert content from previous releases to RC2.

To stay updated on NIST’s OSCAL releases, we encourage you to visit NIST’s OSCAL resource page.

FedRAMP’s OSCAL Resources

To access the FedRAMP PMO templates and resources, please visit the FedRAMP Automation resources on GitHub.

We Want Your Feedback!

All development efforts have been performed openly and we are seeking your feedback on our progress to date. Will these machine-readable formats and guidance aid your organization in going through the authorization process efficiently? Do you have any further ideas to enhance the work? Let us know!

If you have questions or feedback, please provide comments either via email to oscal@fedramp.gov or as a comment to an existing issue within the FedRAMP Automation repository.

The FedRAMP PMO looks forward to receiving your comments and sharing additional progress.
