The Federal Risk and Authorization Management Program has unveiled a pilot program to explore the use of the Open Security Controls Assessment Language — OSCAL — to develop machine-readable, digital authorization packages.
FedRAMP said Wednesday the Digital Authorization Package pilot’s goal is to enhance the program’s open source digital authorization package guidance and validation tooling and help cloud service providers, or CSPs, prepare system security plans, or SSPs, in OSCAL.
An SSP is one of the key documents in a FedRAMP authorization package. The document describes a system’s component services and security requirements and identifies the implemented security controls to meet those requirements.
FedRAMP will work with federal agencies, CSPs and providers of governance, risk and compliance tools and run the pilot as an open source project on GitHub.
The program expects pilot participants to review FedRAMP OSCAL SSP technical guidance, identify areas for improvement in the documentation, use the OSCAL SSP validation rules, collaborate with the OSCAL automation team and offer feedback on GitHub and during weekly conference calls.