Leveraging OSCAL for FedRAMP authorizations

When we drill down to its essence, technology is all about making things "smarter, faster, better." Fortunately, the Federal Risk and Authorization Management Program (FedRAMP) appears poised to do just that – significantly improving its authorization processes.

To reduce end-to-end authorization timelines, FedRAMP recently announced that it intends to implement validation rules which will leverage Open Security Controls Assessment Language to automate reviews. Developed by the National Institute of Standards and Technology, OSCAL is a set of hierarchical, XML, JSON and YAML-based formats which standardize the representation of information related to the publication, implementation and assessment of security controls and cloud compliance. OSCAL provides machine-readable representations of control catalogs, control baselines, system security plans, assessment plans and results.

With review teams taking advantage of "reusable automation" to perform initial package reviews, FedRAMP will be able to more quickly notify cloud service providers when a package does not meet requirements. The automated reviews will provide consistent feedback with structured markup, just as reviewers do today. In addition, CSPs and third-party assessment organizations (3PAOs) can use the technology to conduct their own self-tests prior to submitting a package. "When both FedRAMP and industry utilize automated validation rules," according to a FedRAMP blog about the announcement, "FedRAMP reviewers will spend less time on packages that do not pass initial criteria, and therefore, are not ready for review."

FedRAMP was launched in 2011 to establish a cost-effective, risk-based, standardized approach for the adoption and use of cloud services by the federal government. Either agencies or the FedRAMP Joint Authorization Board (JAB) can grant sponsorships required for CSPs to receive authority to operate or a provisional authority to operate. To be considered for FedRAMP ATO or P-ATO, CSPs work with 3PAOs to complete a readiness assessment and/or a full assessment of its offering.

It's becoming increasingly clear that in order to succeed in the government cloud market, CSPs must establish a strong FedRAMP presence. In a 2020 survey of federal IT and business decision-makers, four of five said they either prefer to use FedRAMP-authorized cloud services or exclusively use them. However, agencies encounter difficulties in acquiring and/or designating internal personnel to validate the security of ATO solutions (as cited by 41% of these decision-makers), and they also indicate that there aren't enough solutions/services available in the FedRAMP Marketplace to meet organizational requirements (34%). More than one-quarter said it takes too long to get JAB authorization. As of mid-August, there were only 235 FedRAMP authorized offerings in the FedRAMP Marketplace out of the 15,000 commercial cloud products in existence.

So how will an OSCAL-enabled automated review process help address these challenges? Here are three immediate – and impactful – benefits, and how they perfectly fit into the "smarter, faster, better" equation:

It will put power in the hands of CSPs (smarter). As OSCAL becomes more widely adopted, CSPs will use OSCAL-enabled apps to conduct their own self-tests. Instead of waiting for FedRAMP or 3PAOs to tell them how they're doing, they'll be able to find out how far along they are on meeting requirements on their own.

It will satisfy the "need for speed" (faster). While some manual processes will remain, OSCAL is all about making things go faster. There will be no need for the tedious generation of hundreds of pages of Excel and Word docs. Machine-driven assessment and review will show which package security controls are good and which aren't. While the time saved is still TBD, it seems possible that the typical turnaround period of two to four months for an assessment could be reduced to a mere two to four weeks.

It will drive new levels of continuous improvement (better). OSCAL provides the building blocks for interoperability across disparate tools, getting technologies to talk to each other that normally don't. This lays the groundwork for delivering prescriptive information to get cloud security to where it needs to go. OSCAL's common language will normalize and liberate valuable data from tools for, say, network asset management and governance, risk and compliance, to cite just two examples. As a result, government IT leaders and their teams will be able to – with support from additional machine learning/artificial intelligence tools – analyze the data to determine which security controls are working and which aren't. With this, they can improve FedRAMP baselines for authorization requirements, with better informed decisions about security posture and risk management.

It will take some work to maximize the potential of OSCAL, as most OSCAL-enabled end-user applications are yet to be built. But the automated validation rules represent a crucial step in the right direction, promising to usher in a new era of groundbreaking efficacy and impact for FedRAMP. It’s a perfect example of how our dedication and even passion for innovation doesn't simply bring out the best in our technology – it brings out the best in our government.