OSCAL and FedRAMP 

Automated compliance is a constantly evolving topic, especially when it comes to large and complex cloud services. The demand for automated compliance for businesses is driven by regulatory frameworks such as PCI, HIPAA, CJIS, and FedRAMP. Cloud providers are seeking to enable or maintain compliance for their service in more efficient ways in order to match the flexibility and agility that cloud enables. OSCAL seeks to provide an automated, machine-oriented process to document and assess security controls for information systems. NIST and the FedRAMP PMO are working closely to tailor OSCAL to integrate the nuances of FedRAMP baselines and documentation.  

What is OSCAL? 

NIST is in the process of developing “a standardized, data-centric framework that can be applied to an information system for documenting and assessing its security controls.” The USNISTGOV Github for OSCAL Readme depicts the architecture of the architecture between machine-oriented to human oriented path of compliance which it is intended to solve.  

OSCAL addresses issues facing organizations that must comply with multiple regulatory frameworks, which makes it even more challenging with the complexity that large cloud systems can bring to the table. These issues include: 

• Lack of control information standardization. 

• Assessment of control implementations across multiple components. 

• Support multiple regulatory frameworks simultaneously. 

• Automate documentation reviews and control assessments. 

OSCAL has clearly defined goals for the initiative in order to help organizations overcome these hurdles for compliance. The goal is to: 

• Decrease paperwork. 

• Improve system security assessments. 

• Enable continuous assessment. 

• Address a wide scope of cybersecurity frameworks, each framework must provide their own specific guidance. 

Progress of the established OSCAL milestones was demonstrated at the most recent development meeting.  

What It Means For FedRAMP 

Adopting OSCAL doesn’t guarantee an organization will achieve a faster ATO. However, it does enable organizations to streamline compliance processes by removing repeated manual labor, improving traceability, and accelerating evidence generation. The FedRAMP PMO plans to take each page of the SSP and demonstrate how to express each page of the SSP in OSCAL. 

Guidance has been published by the FedRAMP PMO for public comment at FedRAMP's newest blog:  FedRAMP Moves to Automate the Authorization Process 

• Demonstrate pages of the SSP and how they can be expressed in OSCAL. 

• Generate feedback to align OSCAL with FedRAMPs’ unique requirements. 

• Be available for about 2 months. 

Summary 

Since the process for FedRAMP SSP documentation and OSCAL is not fully complete, the FedRAMP PMO is not accepting package documentation in the OSCAL format at this time. This gives consumers of OSCAL (InfusionPoints included!) time to give feedback to NIST and the FedRAMP PMO to smooth out the compliance as code process.