Tag Archives: open security controls assessment language

The Federal Risk and Management Program (FedRAMP) has issued Open Security Controls Assessment Language (OSCAL) validation rules to help automate reviews of security packages and speed up authorizations. The OSCAL validation rules will enable cloud service providers and third-party assessment organizations to perform self-testing to see whether all the required data is included in their security packages prior to submission to FedRAMP.

The Federal Risk and Authorization Management Program (FedRAMP) has released updated resources and conversion tools meant to help vendors and other stakeholders advance the digitization of FedRAMP authorization packages for commercial cloud services using a common machine-readable language. FedRAMP is also requesting comments on the machine-readable formats and further guidance.

The Federal Risk and Authorization Management Program (FedRAMP) office and the National Institute of Standards and Technology (NIST) have introduced a machine-readable standard that works to automate the preparation, authorization and reuse of commercial cloud offerings for the government sector. The FedRAMP office expects OSCAL to help vendors prepare and review system security plans faster

Dave Zvenyach, director of the General Services Administration's (GSA) Technology Transformation Services (TTS) organization, said the agency is looking to modernize Federal Risk and Authorization Management Program (FedRAMP) processes with automation technology. Zvenyach noted that FedRAMP, which set a standardized assessment and certification approach for cloud offerings, generates nonlinear costs as the agency onboards more providers into the program.

Ashley Mahan, director of the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP), said that FedRAMP saw a 50 percent rise in government agencies reusing certified cloud services in fiscal year 2020 as those organizations continue to work to meet the telework requirements during the COVID-19 pandemic.

The Federal Risk Authorization Management Program (FedRAMP) is working with the National Institute of Standards and Technology (NIST) to implement a universal programming language that can help accelerate cloud certification and drive automation in government operations. “What normally would take an assessor weeks to do, an OSCAL tool can perform in seconds,” said David Waltermire. 

The National Institute of Standards and Technology (NIST) has issued an updated version of its Open Security Controls Assessment Language (OSCAL) milestone that includes guidelines for control baselines and system security plans (SSP) for various hardware and software.

The Federal Risk and Authorization Management Program has worked with industry and the National Institute of Standards and Technology to develop the Open Security Controls Assessment Language to help automate the authorization process.