FedRAMP and the National Institute of Standards and Technology (NIST) announced the release of version 1.0.0 of the Open Security Controls Assessment Language (OSCAL) that aims to help cloud service providers (CSPs) speed the FedRAMP approval process.
OSCAL is a common machine-readable language that FedRAMP and NIST are using to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products. FedRAMP said OSCAL will help trim the time and resources required for preparing, authorizing, and reusing cloud services.
In a blog post, FedRAMP said it anticipates the rollout of OSCAL 1.0.0 will have several impacts on the stakeholders involved in the cloud approval and acquisition process.
As a result, CSPs can now develop their System Security Plans more rapidly and accurately, which will allow them to validate much of their content before submission to the Federal government for review. With OSCAL 1.0.0, agencies also can expedite their reviews of the FedRAMP security authorization packages. And OSCAL will enable Third Party Assessment Organizations (3PAOs) to automate the planning, execution, and reporting of cloud assessment activities.
OSCAL 1.0.0 includes:
- “Updated stable versions of catalog and profile models which provide a structured representation of control catalogs and baselines or overlays.
- Updated stable version of the System Security Plan model which provides a structured representation of a system’s control-based implementation.
- Updated stable version of the component definition model which provides a stand-alone structured representation of the controls that are supported in a given implementation of hardware, software, a service, policy, process, procedure, or compliance artifact.
- Updated stable versions of the assessment plan, assessment results, and plan of action and milestones models, which support the structured representation of information used for planning for and documenting the results of an information system assessment or continuous monitoring activity.”
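The models listed above fit together as a chain: a profile selects controls from a catalog to form a baseline, and a System Security Plan records an implemented requirement for each control in that baseline. The following Python is an added example, not FedRAMP or NIST code. It resolves a constructed profile against a constructed catalog and then reports which baseline controls a constructed SSP does not address, which is the kind of pre-submission validation the article says OSCAL makes possible. The field names follow the OSCAL JSON layout (`catalog`/`groups`/`controls`, `profile`/`imports`/`include-controls`/`with-ids`, `system-security-plan`/`control-implementation`/`implemented-requirements`/`control-id`); the identifiers, titles, UUIDs and `#...-placeholder` hrefs are made up, and the documents are trimmed far below what the full OSCAL schemas require.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample catalog: two control families, one nested enhancement (ac-2.1).
CATALOG_JSON = """
{"catalog": {
  "uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Example catalog", "version": "1.0", "oscal-version": "1.0.0"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-1", "title": "Policy and Procedures"},
      {"id": "ac-2", "title": "Account Management", "controls": [
        {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
    {"id": "au", "title": "Audit and Accountability", "controls": [
      {"id": "au-2", "title": "Event Logging"}]}]}}
"""

# Constructed sample profile (baseline). "si-4" is deliberately absent from the catalog
# so the resolver has something to report. The href is a placeholder, not a real URL.
PROFILE_JSON = """
{"profile": {
  "uuid": "00000000-0000-4000-8000-000000000002",
  "metadata": {"title": "Example baseline", "version": "1.0", "oscal-version": "1.0.0"},
  "imports": [{"href": "#catalog-placeholder",
               "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "au-2", "si-4"]}]}]}}
"""

# Constructed sample SSP that only documents two of the baseline controls.
SSP_JSON = """
{"system-security-plan": {
  "uuid": "00000000-0000-4000-8000-000000000003",
  "metadata": {"title": "Example SSP", "version": "0.1", "oscal-version": "1.0.0"},
  "import-profile": {"href": "#profile-placeholder"},
  "control-implementation": {
    "description": "Constructed sample, not a real system.",
    "implemented-requirements": [
      {"uuid": "00000000-0000-4000-8000-000000000010", "control-id": "ac-1"},
      {"uuid": "00000000-0000-4000-8000-000000000011", "control-id": "au-2"}]}}}
"""


def catalog_control_ids(catalog: dict) -> Dict[str, str]:
    """Flatten a catalog into {control-id: title}, walking nested groups and enhancements."""
    found: Dict[str, str] = {}

    def walk_controls(controls: List[dict]) -> None:
        for ctl in controls:
            found[ctl["id"]] = ctl.get("title", "")
            walk_controls(ctl.get("controls", []))  # enhancements nest under their parent control

    def walk_groups(groups: List[dict]) -> None:
        for grp in groups:
            walk_controls(grp.get("controls", []))
            walk_groups(grp.get("groups", []))  # groups may themselves contain groups

    body = catalog["catalog"]
    walk_groups(body.get("groups", []))
    walk_controls(body.get("controls", []))  # controls may also sit directly under the catalog
    return found


def resolve_profile(profile: dict, catalog_ids: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split the profile's with-ids selections into (selected, unresolved) against the catalog."""
    selected: List[str] = []
    unresolved: List[str] = []
    for imp in profile["profile"].get("imports", []):
        for sel in imp.get("include-controls", []):
            for cid in sel.get("with-ids", []):
                (selected if cid in catalog_ids else unresolved).append(cid)
    return selected, unresolved


def ssp_gaps(ssp: dict, baseline_ids: List[str]) -> List[str]:
    """Return baseline controls that have no implemented-requirement entry in the SSP."""
    impl = ssp["system-security-plan"]["control-implementation"]
    implemented = {req["control-id"] for req in impl.get("implemented-requirements", [])}
    return [cid for cid in baseline_ids if cid not in implemented]


def run_check() -> Dict[str, List[str]]:
    """Resolve the sample profile against the sample catalog and diff the sample SSP against it."""
    catalog_ids = catalog_control_ids(json.loads(CATALOG_JSON))
    selected, unresolved = resolve_profile(json.loads(PROFILE_JSON), catalog_ids)
    gaps = ssp_gaps(json.loads(SSP_JSON), selected)
    return {"selected": selected, "unresolved": unresolved, "gaps": gaps}


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```

On the constructed input the check flags `si-4` as a profile selection that the catalog does not define, and `ac-2` and `ac-2.1` as baseline controls the SSP never addresses. A real pipeline would run the documents through schema validation first and resolve the `href` values to actual catalog and profile files; this example only shows the cross-model reasoning that follows once the documents are loaded.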