The Federal Risk and Authorization Management Program (FedRAMP) has received from a cloud service provider the first system security plan in the machine-readable Open Security Controls Assessment Language (OSCAL) format.
FedRAMP expects the adoption of the OSCAL format to help automate reviews of security packages and accelerate authorizations, the program said in a blog post published Thursday.
In June 2021, the National Institute of Standards and Technology and FedRAMP introduced the initial version of OSCAL.
In August 2021, FedRAMP unveiled the first set of OSCAL validation rules so that cloud service providers (CSPs) and third-party assessment organizations can self-test whether all the required data is included in their security packages before submitting them to the government.
The program also expects the validation rules to enable FedRAMP reviewers to offer feedback with structured markup and focus on the review’s more complex aspects.