The Federal Risk and Authorization Management Program (FedRAMP) authorization journey can sometimes be a confusing one to navigate, but experts agree that the National Institute of Standards and Technology’s (NIST) Open Security Controls Assessment Language (OSCAL) formats are helping to speed the FedRAMP approval process.
OSCAL is a common machine-readable language that FedRAMP and NIST are using to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products. FedRAMP and NIST announced the release of version 1.0.0 of OSCAL in June.
During an August 18 event hosted by FCW, Federal and private sector experts talked about what OSCAL 1.0.0 offers, and how it has eased the FedRAMP authorization journey.
“The complexity of trying to determine whether or not you’ve got consistent controls across your entire environment is really difficult,” said Joseph Flynn, CTO at Boomi. “It puts an undue burden upon security officers and app developers and vendors to really manage this ever-expanding diverse application portfolio.”
“By using OSCAL as a way to create this machine-to-machine communication around these controls, we can really speed up the creation of SSP [system security plan],” Flynn continued. “From a procurement perspective where you might be a FedRAMP authorized vendor, many times agencies will do their overall assessment on top of that, so hopefully this will actually help accelerate and standardize some of those procurement challenges that we’ve seen over the years.”
Michaela Iorga, senior security technical lead for cloud computing at NIST, said OSCAL helped ease her “extremely frustrating” role in which she was “trying to advise government agencies of how to meet” Cloud First and Cloud Smart policy mandates.
“OSCAL was envisioned at the beginning when it started development to respond to the Federal government needs, in particular FedRAMP’s of employing security assessments or automation,” Iorga said. “But [OSCAL] was actually aiming to go way beyond that and to set the foundation for more interoperable and portable security automation in general and support more of the tedious, faster, and repeatable assessment of not only cloud service providers but also on-premise systems.”
Iorga said OSCAL “delivers full support for leveraging authorizations,” and makes it much easier to gain visibility into, and analyze, all of the security controls and inherited controls.
“OSCAL allows you to be able to pack those data sets with information and to build that traceability from the top of the stack all the way down and look at all the controls that come with controls, and which ones are inherited, what part of the control is inherited, and what is the responsibility for each entity that is responsible for a layer of the stack,” Iorga said.
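As an added illustration of the traceability Iorga describes (this is not code from the article or from NIST's OSCAL tooling), the following Python walks a small, constructed SSP fragment shaped like the OSCAL 1.0.0 JSON model and reports, per control, what is inherited, what is satisfied locally, and which roles are responsible. The component names, role ids, descriptions and the derived status labels are assumptions made for the example.

```python
import json

# Constructed sample shaped like the OSCAL 1.0.0 SSP JSON model
# (system-security-plan > control-implementation > implemented-requirements
#  > by-components, with "inherited"/"satisfied"/"responsible-roles").
# Component UUIDs, titles, role ids and descriptions are invented.
SSP_JSON = """{
  "system-security-plan": {
    "system-implementation": {"components": [
      {"uuid": "c-app", "type": "this-system", "title": "SaaS application"},
      {"uuid": "c-iaas", "type": "service", "title": "Leveraged IaaS (placeholder)"}]},
    "control-implementation": {"implemented-requirements": [
      {"control-id": "ac-2", "by-components": [
        {"component-uuid": "c-app", "responsible-roles": [{"role-id": "app-security-officer"}],
         "satisfied": [{"description": "Application accounts reviewed quarterly."}]}]},
      {"control-id": "pe-3", "by-components": [
        {"component-uuid": "c-iaas", "responsible-roles": [{"role-id": "iaas-provider"}],
         "inherited": [{"description": "Physical access control at the data center."}]}]},
      {"control-id": "sc-7", "by-components": [
        {"component-uuid": "c-iaas", "responsible-roles": [{"role-id": "iaas-provider"}],
         "inherited": [{"description": "Network perimeter and boundary protection."}]},
        {"component-uuid": "c-app", "responsible-roles": [{"role-id": "app-security-officer"}],
         "satisfied": [{"description": "Application-layer firewall rules."}]}]},
      {"control-id": "cm-8", "by-components": []}]}}}"""

def inheritance_report(ssp_json):
    """Map each control id to what is inherited, what is satisfied locally,
    the responsible roles, and a status derived from those two lists."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    titles = {c["uuid"]: c["title"] for c in ssp["system-implementation"]["components"]}
    report = {}
    for req in ssp["control-implementation"]["implemented-requirements"]:
        inherited, satisfied, roles = [], [], set()
        for bc in req.get("by-components", []):
            who = titles.get(bc["component-uuid"], bc["component-uuid"])
            inherited += [f"{who}: {i['description']}" for i in bc.get("inherited", [])]
            satisfied += [f"{who}: {s['description']}" for s in bc.get("satisfied", [])]
            roles.update(r["role-id"] for r in bc.get("responsible-roles", []))
        if inherited and satisfied:
            status = "partially inherited"   # shared responsibility across layers
        elif inherited:
            status = "fully inherited"
        elif satisfied:
            status = "locally implemented"
        else:
            status = "gap"                    # nothing in the SSP claims this control
        report[req["control-id"]] = {"inherited": inherited, "satisfied": satisfied,
                                     "responsible": sorted(roles), "status": status}
    return report
```

Running `inheritance_report(SSP_JSON)` flags cm-8 as a gap, which is the kind of missing-control finding a reviewer would otherwise have to spot by reading the SSP by hand.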
Iorga said NIST has “a lot more planned” for OSCAL 2.0 and “beyond” to continue to help speed the FedRAMP approval process.