FedRAMP Automation and Modernization

FedRAMP is committed to increasing program effectiveness through automation and technology-forward operation. OSCAL provides a means for describing system context in richer, machine-readable form, which is a key enabler for significant improvements in assessment consistency, efficiency, and accuracy. The following efforts will position FedRAMP to benefit greatly from OSCAL use.

  1. Implement OSCAL-based data exchanges to improve the frequency and detail of data provided to FedRAMP and agencies, supporting initial and ongoing assessment use cases.

    Adoption of OSCAL by FedRAMP stakeholders is critical to realizing the FedRAMP automation vision. OSCAL provides unique benefits to each stakeholder group. FedRAMP is positioned at the center of these stakeholders to provide incentives and the knowledge resources needed to further OSCAL adoption. Specific focus should be on GRC tool providers, which are crucial in providing the tools needed by other stakeholders to succeed in OSCAL adoption. FedRAMP investment in commodity OSCAL tooling to support OSCAL content validation and human documentation generation is critical in supporting the transition to OSCAL use.

  2. Promote the use of OSCAL across the FedRAMP ecosystem as a means to exchange richer contextual information about how core security requirements are addressed in systems maintained by CSPs and federal agencies.

    The rich web of dependencies between cloud services can be visualized and used to determine an ecosystem-wide risk viewpoint and to identify how risks in heavily reused cloud systems are inherited across the ecosystem. This viewpoint enables FedRAMP to more proactively manage risks related to the Federal Government’s use of cloud services in a way that is not possible without OSCAL.

  3. Ensure use of the OSCAL SSP’s granular capabilities to provide richer contextual information about how controls are implemented within a system’s specific services.

    This contextual information is significant for understanding where there are gaps in control implementations, the impact of flaws in the software used within a system, and the impact of changes to the system. Driving this level of detail in the SSP is critical to automating many of FedRAMP’s review processes that currently rely heavily on human analysis.

  4. Enhance OSCAL capabilities to support cloud-based and traditional data center use cases.

    While FedRAMP is focused on ensuring that security risks are properly identified, monitored, and managed for services that are hosted by third-party cloud service providers used by the Federal Government, agencies use a mixture of cloud and data center services. It is essential that OSCAL provides robust support for both of these use cases, inside and outside the Federal Government. FedRAMP will work with the OSCAL community to expand OSCAL capabilities in a way that broadly supports federal and non-federal use for cloud and data center use cases. This helps to ensure that stakeholder investments in OSCAL have the widest possible value.