Introduction
The Office of Management and Budget (OMB) M-24-15 memo came out with its central theme – ingest, manage, and export in a machine-readable format. These are crucial steps for compliance teams, CSPs, CISOs, and Authorizing Officials (AOs) looking to respond to and implement the most recent update from the agency.
The finalized OMB memorandum M-24-15, issued on July 25, 2024, mandates using the Open Security Controls Assessment Language (OSCAL) across all federal agencies, including FedRAMP. This directive aims to standardize and enhance Federal cybersecurity compliance by adopting machine-readable data formats.
Key Themes of OMB M-24-15
The memo introduces significant changes for FedRAMP and Federal Cybersecurity Compliance programs:
- Mandate on OSCAL:
“FedRAMP has identified NIST’s Open Secure Control Assessment Language (OSCAL) as the machine-readable, standardized data format… Agencies must have the necessary procedures in place to produce, accept, and submit materials in machine-readable formats.”
- Artifact Submission:
“FedRAMP should receive all artifacts in the authorization process and continuous monitoring process as machine-readable data, through application programming interfaces (APIs).”
Cloud Service Providers
For cloud service providers (CSPs), the mandate means a significant overhaul of their compliance programs. CSPs need to recognize that NIST’s OSCAL standard is highly extensible, and FedRAMP has extended the standard to meet US Federal Government requirements. As OSCAL adoption grows, NIST and FedRAMP will provide frequent updates to their baselines and other requirements, necessitating rapid ingestion into GRC tools.
Additionally, CSPs must transmit all artifacts (SSP, SAP, SAR, and POA&M) in OSCAL. At some point, FedRAMP will no longer accept Word documents and Excel files. CSPs need to convert to OSCAL and begin managing their control statements in an OSCAL-compliant tool. With more than 400 CSPs needing to convert to OSCAL, converting early will ensure continued compliance with FedRAMP.
When selecting a GRC tool, CSPs should consult the ACT-IAC white paper, which advises in favor of OSCAL-native solutions.
To implement OSCAL properly, CSPs should consider tools that:
- Ingest, manage, and export SSP, SAP, SAR, and POA&M in OSCAL
- Are involved in FedRAMP PMO Early Adopters and Pilot programs
- Easily generate printable documents that can align with agency templates for manual review
Federal Agencies
Federal agencies received the biggest surprise from OMB. OMB mandated the Presumption of Adequacy, requiring agencies to accept FedRAMP authorizations, and also put agencies on a path that requires OSCAL use in their compliance programs.
The memo states that agencies must:
- Ensure authorization materials are provided to the FedRAMP PMO using machine-readable and interoperable formats;
- Ensure that agency governance, risk, and compliance (GRC) tools and system-inventory tools can produce, transmit, and ingest machine-readable authorization artifacts using OSCAL or any succeeding formats as identified by FedRAMP.
This means that FedRAMP wants all authorizing documents and data in a machine-readable format.
Federal agencies also have to meet strict timelines:
- 180 Days: Update agency-wide policy to align with the memorandum.
- 24 Months: Ensure GRC and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL or future protocols identified by FedRAMP.
For each Authority to Operate (ATO) granted by an Authorizing Official (AO), the agency must transmit the authorization files to FedRAMP in OSCAL. As discussed in a previous blog post, transitioning ATO programs to OSCAL is the initial step for federal agencies. This transition can be achieved quickly by adopting and implementing an OSCAL-native GRC platform. Managing CSP ATOs in OSCAL will align agencies with FedRAMP and set them up to transition their GRC programs to OSCAL smoothly.
To implement OSCAL properly, CSPs, federal CISOs, and their compliance teams should consider products that:
- Ingest, manage, and export SSP, SAP, SAR, and POA&M in OSCAL
- Can rapidly develop workflows, custom datasets, rules, and email automation
- Ensure authorization artifacts meet FedRAMP requirements and are reusable by other agencies
- Can easily generate printable documents aligned with agency templates for manual review
How DRTConfidence Can Help
Training Programs: Federal agencies should enroll their staff in our comprehensive, two-day, in-person training course. This program covers OSCAL fundamentals, including detailed models (Catalogs, Profiles, SSP, SAP, SAR, and POA&M) and necessary data pipeline dependencies. Participants will gain hands-on experience in modeling a component registry and will leave with a tailored implementation plan.
Conversion Services: Our four-step conversion service efficiently transforms SSP, SAP, SAR, and historical POA&Ms into the OSCAL format. We ensure all controls are accurately mapped, identifying gaps and remediation areas. Our team will guide you to ensure your existing work is seamlessly converted to OSCAL.
OSCAL-Native GRC Platform: Adopt our OSCAL-native Governance, Risk, and Compliance (GRC) SaaS solution, designed to address the compliance challenges of FISMA and FedRAMP. DRTConfidence streamlines documentation, automates workflows, and enhances interoperability among stakeholders, ensuring a smooth path to continuous compliance.
Key Features of DRTConfidence
- OSCAL-Native: Full support for OSCAL standards, including import, management, and export in JSON and printable formats.
- Automated Workflows: Streamlined compliance processes, reducing manual effort and minimizing errors.
- Export Options: Generate machine-readable or printable files validated by 3PAOs and FedRAMP.
Register for a personalized demo with our OSCAL experts today and see how your team can comply with OMB M-24-15 mandates.