The Federal Risk and Authorization Management Program (FedRAMP) and the National Institute of Standards and Technology (NIST) released the Open Security Controls Assessment Language (OSCAL) Milestone 2 for public comment.
In a Dec. 17 blog post, FedRAMP said that OSCAL will automate and streamline the FedRAMP authorization process. Agencies, for example, will be able to speed up their reviews of FedRAMP security authorization packages, and OSCAL will give the FedRAMP Program Management Office (PMO) a platform for building tools that improve the quality of security reviews.
OSCAL Milestone 2 builds on previous OSCAL releases with new updates that pave the way to automating the FedRAMP authorization process, according to the blog post. For example, a new System Security Plan (SSP) model within OSCAL allows organizations to automate security and privacy control documentation.
Other attributes of Milestone 2 include:
- OSCAL XML and JSON drafts of FedRAMP baselines;
- OSCAL XML, JSON, and YAML drafts of NIST baselines;
- OSCAL catalog and profile models with associated XML and JSON schemas;
- Tools to convert OSCAL catalog, profile, and SSP content between XML and JSON;
- Registry of FedRAMP extensions, identifiers, and a draft list of acceptable values when using OSCAL;
- An OSCAL-based FedRAMP SSP template; and
- A guide document to help developers generate fully compliant OSCAL-based FedRAMP SSP content.
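The catalog and profile models in the list above are the mechanism by which a baseline such as a FedRAMP baseline is expressed: a catalog holds the full control set (for example NIST SP 800-53), and a profile imports a selection of those controls from it. The following is an added example, not code from FedRAMP, NIST, or the OSCAL project, showing the core of that resolution step in Python over a small constructed catalog and profile. The JSON field names (`catalog`, `groups`, `controls`, `profile`, `imports`, `include-controls`, `with-ids`) follow the later OSCAL 1.x JSON layout and are an assumption here, not a transcription of the Milestone 2 draft schema; the sample UUIDs and control titles are made up for the example.

```python
"""Illustrative OSCAL-style profile resolution.

Added example, not FedRAMP/NIST/OSCAL project code. Field names follow the
OSCAL 1.x JSON layout and are an assumption about the Milestone 2 drafts.
"""
import json

# Constructed sample catalog: two groups, one control with an enhancement.
CATALOG_JSON = json.dumps({
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",  # made-up
        "metadata": {"title": "Sample catalog", "oscal-version": "1.0.0"},
        "groups": [
            {"id": "ac", "title": "Access Control", "controls": [
                {"id": "ac-1", "title": "Policy and Procedures"},
                {"id": "ac-2", "title": "Account Management", "controls": [
                    {"id": "ac-2.1", "title": "Automated Account Management"},
                ]},
            ]},
            {"id": "au", "title": "Audit and Accountability", "controls": [
                {"id": "au-2", "title": "Event Logging"},
            ]},
        ],
    }
})

# Constructed sample profile (a "baseline") selecting a subset of the catalog.
# It deliberately asks for ac-9, which the catalog does not define.
PROFILE_JSON = json.dumps({
    "profile": {
        "uuid": "00000000-0000-4000-8000-000000000002",  # made-up
        "metadata": {"title": "Sample baseline", "oscal-version": "1.0.0"},
        "imports": [
            {"href": "#catalog",
             "include-controls": [{"with-ids": ["ac-2", "au-2", "ac-9"]}]},
        ],
    }
})


def iter_controls(node):
    """Yield every control in catalog order, descending into groups and
    into control enhancements (nested 'controls')."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)


def resolve_profile(profile_json, catalog_json):
    """Resolve a profile against a catalog.

    Returns (resolved_ids, missing_ids): the selected control ids in catalog
    order, and the ids the profile requested that the catalog does not
    define. A review tool should flag the latter, not drop them silently,
    because a baseline that references a nonexistent control is malformed.
    """
    catalog = json.loads(catalog_json)["catalog"]
    profile = json.loads(profile_json)["profile"]
    defined = {c["id"] for c in iter_controls(catalog)}

    wanted = []
    for imp in profile.get("imports", []):
        for selector in imp.get("include-controls", []):
            wanted.extend(selector.get("with-ids", []))

    missing = [cid for cid in wanted if cid not in defined]
    wanted_set = set(wanted)
    resolved = [c["id"] for c in iter_controls(catalog) if c["id"] in wanted_set]
    return resolved, missing


if __name__ == "__main__":
    ids, missing = resolve_profile(PROFILE_JSON, CATALOG_JSON)
    print("selected controls:", ids)
    print("undefined controls requested by profile:", missing)
```

Note that selecting `ac-2` does not automatically pull in its enhancement `ac-2.1`; a baseline that wants the enhancement lists it explicitly, which is why the resolver matches ids exactly rather than by prefix.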
FedRAMP also updated its automation resources on GitHub to include new templates and guides.