If you are interested in an overview about OSCAL and extensive documentation on how to use it for FedRAMP's specific requirements, please visit our Developer Hub.
FedRAMP maintains this repository with data, software, and documentation to review digital authorization packages for FedRAMP authorizations using OSCAL. Our primary aim is to reduce manual review efforts and timeframes by validating whether submissions conform to FedRAMP’s requirements. Once complete, our tooling will help ensure that packages such as System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) meet FedRAMP's expectations before submission, streamlining the review process.
Our current focus is developing validation constraints to use with the oscal-cli to automatically check that all parts of a FedRAMP digital authorization package (such as System Security Plan) meet FedRAMP's requirements before staff start a formal review.
As a part of this project, we are continuing to release "constraints," or automated "checks" of FedRAMP's digital authorization package requirements, to expand the coverage of our tooling and further automate the review of security artifacts. To learn more about installing and using our validation tooling, go here.
Our tooling:
- Validates OSCAL documents against FedRAMP constraints.
- Identifies compliance with FedRAMP requirements.
- Outputs a SARIF report, detailing both passed and failed validations.
This tooling is intended for use by FedRAMP OSCAL implementers and practitioners, Cloud Service Providers (CSPs), OSCAL tool developers, 3rd Party Assessment Organizations (3PAOs), and federal agencies. We welcome any and all feedback.
Please ask questions or provide feedback on the items above above either via email to [email protected], as a comment to an existing issue, or as a new issue.
FedRAMP's work is based on NIST's OSCAL 1.1.2, and requires an understanding of the core OSCAL syntax, as well as NIST-provided resources to function correctly. As such, we have provided NIST-produced OSCAL resources below.
IMPORTANT: As NIST makes minor syntax updates and releases new versions, please review the NIST OSCAL release notes in addition to guides here for more information about these changes.
This section is for prospective contributors to our automation efforts. As an open source project, fedramp-automation welcomes contributions. To see a detailed guide for contributors, go here
How to build/test our tools
A top-level Makefile is provided to simplify builds.
Build requirements are:
- gnu make
- node.js (as versioned in ./nvmrc)
- Java 11+
- Docker
For usage information, use the default target:
make
If you are developing on Windows, msys2 may be used for the required build tools (make
and bash
, in particular). Follow all the suggested installation steps on the msys2 home page for a complete environment. Additionally, make sure all the build requirements (above) are available on your path.
This section details the version of OSCAL our tooling supports.
FedRAMP has a release strategy and versioning procedure. FedRAMP has a minimally supported version of OSCAL, unless explicitly noted otherwise in specific documents or source code in this repository. Data, software, and documentation in this repository will only support digital authorization package documents with a version number no lower than specified by FedRAMP's OSCAL data and supporting documentation for each release.
Changes to the minimally supported version and deprecation notices will be made in advance of a release.
This repository is for the development and enhancement of OSCAL artifacts only. For issues with the Word and Excel-based templates and artifacts on the fedramp.gov site, please send requests to [email protected].