Introduction
Major changes are on the horizon for FedRAMP, Cloud Service Providers (CSPs), and Federal Agencies that provide Authority to Operate (ATO) within their environments. During a recent call with industry partners, FedRAMP shared that it is moving toward providing clear OSCAL requirements to CSPs and Federal Agencies. CSPs and Federal CISOs have anticipated the move to OSCAL since an October 2023 draft OMB memo mandated automation and machine-readable data.
At the time of writing this blog, the OMB draft Memo stated that within 18 months of finalization, CSPs and Federal agencies submit FedRAMP authorization and continuous monitoring artifacts exclusively through automated, machine-readable means.
These changes stem from the 2022 FedRAMP Authorization Act, which reauthorized FedRAMP and required the automation of compliance and authorization processes across the federal government. Late in 2023, OMB issued draft guidance mandating that Federal Agencies that grant ATOs to commercial products must submit relevant artifacts (such as SSP, SAP, SAR, POA&Ms) to the FedRAMP PMO in machine-readable and interoperable formats.
Let’s be clear: machine-readable and interoperable formats = OSCAL (Open Security Controls Assessment Language).
This spring, ACT-IAC developed and published a Compliance Automation Process Maturity Model (CAPMM) that outlines a basic approach to help organizations rapidly adopt OSCAL. It also recommends that government agencies adopt OSCAL-Native tools. Read the White Paper.
What This Means for Federal Agencies: cATO –Continuous Compliance and Authority to Operate
Federal Agencies will soon face another unfunded mandate—sending all ATO packages to FedRAMP in a machine-readable format. However, this mandate doesn’t necessarily mean more costs. Managing ATO packages, and eventually internal RMF processes in OSCAL, could actually reduce compliance costs and bring Federal Agencies one step closer to cATO.
Agencies should address these requirements in two phases: ATO and RMF.
Phase 1: Managing ATO in Machine-Readable Formats:
Agencies should lay the ground work to import, manage, and export: SSP, SAP, SAR, and POA&M from their CSPs in OSCAL format. Legacy GRC tools are not equipped to manage OSCAL JSON files. Agencies should follow the recommendation from ACT-IAC and acquire OSCAL-Native GRC tools.
Phase 2: Migration and Management of Internal RMF Processes to OSCAL:
NIST 800-53 and 800-37 require meticulous documentation of security controls, system categorization, assessment procedures, and risk management strategies. The sheer volume of documentation required to maintain internal systems leads to inefficiencies, delays, and increased resource allocation.
Adopting OSCAL means aligning systems and their cybersecurity controls with OSCAL. All downstream activities, including assessments, authorizations, scans, and POA&Ms, are inherently linked in the same data fabric. Improving efficiency in the compliance process sets the groundwork for integration with CI/CD and DevSecOps pipelines.
What This Means for CSPs: Improved Timelines and Lower Costs for FedRAMP Authorization
Cloud Service Providers should be thrilled, especially new entrants. FedRAMP shared that that it will provide substantial validations for SSPs submitted in OSCAL, ensuring that assessments focuses on the merits of the package. A machine-readable file will also speed up the evaluation process increasing the throughput of FedRAMP’s PMO.
CSPs should consider migrating to OSCAL-Native GRC tools that can import 800-53 catalogs from NIST and data validation schemas from FedRAMP. Tools that rely on manual mapping will face difficulty managing frequent releases as OSCAL adoption drives changes to baselines and frameworks.
What’s Next?
For Federal Agencies: Federal Agencies need to start training staff on OSCAL and cATO. NIST provides introductory courses on OSCAL here. Additionally, CISOs and Authorizing Officials (AO) should engage their staff to determine if their current ATO processes support OSCAL.
For Cloud Service Providers: Cloud Service Providers need to engage their FedRAMP and GRC teams and ask the following questions:
-
Are we ready to submit our FedRAMP artifacts (SSP, SAP, SAR, and POA&Ms) in OSCAL?
-
Can we import OSCAL baselines from FedRAMP and NIST?
-
Can we manage all FedRAMP artifacts in OSCAL?
Many CSP already manage their FedRAMP Packages in a GRC product. Now is the time to convert to OSCAL-Native tools to avoid being left without a complaint package when FedRAMP mandates OSCAL only submissions.
About DRTConfidence
DRTConfidence is an OSCAL-native Governance, Risk, and Compliance (GRC) Software as a Service (SaaS) solution designed to address the growing compliance challenges of FISMA and FedRAMP. Our platform streamlines the documentation process, automates compliance workflows, and fosters interoperability among stakeholders, ensuring a seamless path to continuous compliance.
Key Features of DRTConfidence
-
OSCAL-Native: Built to fully support the OSCAL standard. Import, management, and export in JSON and printable format.
-
Automated Workflows: Including FIP-199 Categorization, control development, assessments, and risk management. Streamlines compliance processes, reducing manual effort and minimizing errors.
-
Interoperability: Enhances collaboration among stakeholders by ensuring that all documentation and processes are easily shareable and compatible.
Schedule a conversion to OSCAL today.