The Inner Circle

FedRAMP has published resources to aid stakeholders and vendors in the digitization of FedRAMP authorization package content

  • 1.  FedRAMP has published resources to aid stakeholders and vendors in the digitization of FedRAMP authorization package content

    Posted 3 days ago
    Hi All,

    New and Revised Resources Are Available!

    FedRAMP has published resources to aid stakeholders and vendors in the digitization of FedRAMP authorization package content. Located on the FedRAMP Automation GitHub Repository (GitHub - GSA/fedramp-automation: FedRAMP Automation), these include:

    • Revised - FedRAMP Baselines (XML, JSON, and YAML formats) Updated for the OSCAL 1.0.0 format, the baselines now also include a "CORE" property, enabling tools to identify the FedRAMP core controls; as well as the assessment objectives and methods (Examine, Interview, Test) found in a blank test case workbook (TCW).
    • Revised - Guide to OSCAL-based FedRAMP Content, with explanations and recommendations for concepts common to all FedRAMP deliverables when using OSCAL.
    • Revised - Guide to OSCAL-based FedRAMP System Security Plans (SSP)
    • Revised - Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
    • Revised - Guide to OSCAL-based FedRAMP Security Assessment Reports (SAR)
    • Revised - Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
    • Revised - FedRAMP OSCAL Registry The registry was previously expanded to become the authoritative source for FedRAMP extensions to OSCAL in addition to required identifiers and accepted values. Conformity tags and risk metrics are now included in the registry and explained in the relevant guides. The registry covers FedRAMP requirements in OSCAL baselines (profiles), SSP, SAP, SAR, and POA&M content. It is now published in PDF and HTML, and experimental machine-readable copies are provided in XML and JSON.s
    • OSCAL - based FedRAMP Samples. Updated to reflect OSCAL 1.0.0 for the SSP, SAP, SAR, and POA&M. These exist in both XML and JSON formats.
    • Revised - OSCAL Conversion Tools FedRAMP updated OSCAL conversion tools for several authorization package materials, including SSP, SAR, and SAP.

    Together, these resources enable FedRAMP stakeholders and tool vendors to develop OSCAL-enabled FedRAMP authorization packages. OSCAL is not currently a requirement, but we expect the benefits to spur adoption and FedRAMP is ready to start receiving information in OSCAL as a pilot.



    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------