A More Automated FedRAMP is One Step Closer


The program office seeks public comments on updates to its automation plans.

The Federal Risk and Authorization Management program office Tuesday released an updated version of its plans to incorporate automation into its cloud security vetting.

FedRAMP, housed within the General Services Administration, began partnering with the National Institute of Standards and Technology and industry partners several months ago to devise ways automation could improve and accelerate the cloud security certification process.

The result is the machine-readable Open Security Controls Assessment Language, or OSCAL, that “can be applied to the publication, implementation and assessment of security controls,” according to a Dec.17 blog post by FedRAMP staff.

The blog post announced the release of the second iteration of OSCAL for public feedback. The new release includes:

  • A new system security plan model that allows organizations to document the security and privacy control implementation of their systems using a rich OSCAL model.
  • Updated stable versions of the OSCAL catalog and profile models, along with associated XML and JSON schemas.
  • Updated content in OSCAL XML, JSON, and YAML formats for the NIST SP 800-53 revision 4 catalog, and for the three NIST and four FedRAMP baselines.
  • Provides tools to convert OSCAL catalog, profile, and SSP content between OSCAL XML and JSON formats.

FedRAMP is charged with ensuring cloud service providers meet the government’s security requirements, but the paperwork-heavy process is sometimes criticized for being costly and time-consuming. A December audit by the Government Accountability Office found that while the government’s use of cloud computing is up, agencies sometimes skirt the mandated FedRAMP process because it is labor-intensive or expensive.

The program office believes OSCAL may alleviate many of those issues. According to the blog post, cloud service providers “will be able to create their system security plans more rapidly and accurately, validating much of their content before submission to the government for review.” OSCAL could also improve the speed at which third-party assessment organizations the planning, execution and reporting of cloud assessments.