FedRAMP OSCAL Frequently Asked Questions

Q: When does FedRAMP expect CSPs will need to begin planning and migrating to the OSCAL process?

A: While FedRAMP has not mandated the use of OSCAL by CSPs, FedRAMP encourages CSPs, 3PAOs, agencies, and other stakeholders to begin engaging with the OSCAL community to explore OSCAL’s utility and feasibility. As noted in the New Roadmap for FedRAMP, “FedRAMP needs to operate as a data-first program for its processes to scale”, and OSCAL is a central part of achieving that goal.

A: FedRAMP is looking for partners (CSPs, tool suppliers, federal agencies, 3PAOs, and others) to participate in targeted pilot projects that will advance the program’s ability to operationalize its OSCAL-based automation capabilities. FedRAMP will release more details on how to get involved in early summer of 2024. Please sign up for FedRAMP Data Bytes to ensure you can follow the latest news.

Q: Will FedRAMP release any learning resources for stakeholders who are not very familiar with OSCAL?

A: FedRAMP is actively updating technical documentation and guidance on this website. Additionally, FedRAMP will be launching a training initiative which will include OSCAL-specific topics. Please stay tuned for more details.

Q: Will there be free tools available to CSPs for creating OSCAL packages?

A: FedRAMP is committed to the development of open-source tools that will help make the transition to digital authorization packages more equitable to its stakeholders. Near-term initiatives include the development of tools to validate FedRAMP OSCAL packages before submission. For more information on open-source OSCAL tools, see FedRAMP OSCAL tools and NIST OSCAL commodity tooling.

FedRAMP is also working to establish an automation platform that will provide OSCAL content creation, validation, and submission capabilities. More details are anticipated in FY25.

Q: How do I get involved in this work?

A: FedRAMP is developing its automation approach collaboratively, as open source, with the FedRAMP OSCAL community. Direct community participation is welcome and encouraged.

Q: FedRAMP frequently provides OSCAL data in XML format. Does FedRAMP prefer OSCAL XML over OSCAL JSON or YAML formats?

A: No, FedRAMP does not have a near-term or long-term preference for one of the OSCAL data formats. FedRAMP does and will provide content in all of the OSCAL data formats: JSON, XML, and YAML. FedRAMP is committed to software, data, and documentation that support processing and creating OSCAL data in all formats.