By Chor-Ching Fan

FedRAMP automation is on its way.  The Open Security Controls Assessment Language (OSCAL) is a machine-readable information exchange format developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks based on security controls and functional requirements. OSCAL support the expression of compliance information through XML, JSON and YAML formats.  OSCAL was released in June 2021 and is currently in Version 1.1.0 (late July 2023)

The FedRAMP cybersecurity management program is the first key adopter of the OSCAL standard.  OSCAL promises to enable FedRAMP automation (and other frameworks that adopt it) improving the efficiency and effectiveness of compliance management by providing a standardized, machine-readable format for capturing and sharing security information.  OSCAL automation has the ability to simplify many of the manual tasks involved in compliance including:

• Generating security documentation
• Assessment plan and results evaluation
• Tracking remediation activities
• Reporting on compliance status

OSCAL can be used to support a wide range of compliance frameworks, including:

• FedRAMP (early adoption in progress)
• NIST Cybersecurity Framework (CSF)
• ISO/IEC 27001
• SOC 2
• HIPAA
• PCI DSS

FedRAMP automation with OSCAL promises to be significant improvement over previous approaches to compliance automation.  As proven by similar information exchange automation initiatives in other industries i.e. ecommerce supply chain documents or financial filing with the SEC,  OSCAL should make compliance management be more efficient, more effective, and more scalable.

Here are some of the benefits of using the new OSCAL compliance framework:

• Efficiency: OSCAL automation will reduce manual tasks involved in compliance, such as generating security documentation, conducting assessments, and tracking remediation activities. This can save organizations a significant amount of time and money.  FedRAMP SSPs can easily run 300+ pages in Microsoft Word.  With continual updates and document submissions to the FedRAMP PMO,  this task alone will benefit greatly from OSCAL.
• Effectiveness: OSCAL provides a standardized, machine-readable format for capturing and sharing security information. This makes it easier to identify, evaluate and determine next steps to remediate key risks for the US government and cloud service providers.
• Scalability & Extensibility: OSCAL is a scalable framework that can be used to support a wide range of compliance frameworks.  OSCAL is extensible so any user or standards body can leverage the reference models while ensuring it supports the unique elements of their own privacy and security risk program.

Since its 1.0 release in 2021,  Rizkly has supported the OSCAL standard with the goal of providing the best software for FedRAMP automation.  We love OSCAL and think its great for the cybersecurity compliance world.  Companies (CSPs) can import their existing Word SSPs and generate OSCAL with one-click in Rizkly.  It will not be practical for most organizations to use XML editors and handcraft OSCAL files each time there are updates or submission requirements.  While still in a pre-commercialization status for FedRAMP,  we recommend that CSPs explore the transition to OSCAL along with their FedRAMP R4 to R5 gap analysis and planning efforts. If you’re wondering about a FedRAMP R4 vs R5 gap analysis,  Rizkly, compliance automation software with dedicated FedRAMP OSCAL compliance experts, is ready to assist…just contact us.

Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls but we do not perform the actual implementation work.  Over the years, we have a developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps.  We will gladly refer you to appropriate partners if and when the need arises.   Creating policies,  procedures and other artifacts are also a key part of compliance remediation efforts and these are activities that our advisors do perform using powerful Rizkly features for policies and procedures.

Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative.  We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project.  Typical project activities include:

• Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
• Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort 
• Develop the system ‘boundary’, and what will be in scope for compliance purposes
• Draft a system architecture diagram that clearly depicts the system boundary
• Review existing documentation and work with your team members to understand system and process specifics
• Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
• For each gap determine a detailed plan of action to remediate
• Collaborate as needed with personnel (staff and/or your vendors) during remediation. 
• Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
• Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
• Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POAM reports and SPRS scoring
• Post-remediation ensure that all controls are in place and operating effectively