Updated Rev. 5 OSCAL Profiles and Resolved Profile Catalogs Have Been Released
June 15, 2023
FedRAMP has released the second wave of Rev. 5 documents: the Open Security Controls Assessment Language (OSCAL) FedRAMP Rev. 5 baseline profiles and resolved profile catalogs! OSCAL is a language developed by the National Institute of Standards and Technology (NIST) in collaboration with FedRAMP to reduce the time and resources needed to prepare, authorize, and reuse cloud products and services. The updated documents will assist stakeholders who leverage OSCAL to reduce time and cost by automating their FedRAMP authorization and continuous monitoring requirements.
Outlined below and found here are the FedRAMP OSCAL versions of the NIST 800-53 Rev. 5 baselines for High, Moderate, Low, and Tailored for Low Impact-Software as a Service (LI-SaaS), including XML, JSON, and YAML versions:
- FedRAMP Rev. 5 High baseline profile
- FedRAMP Rev. 5 High baseline resolved profile catalog
- FedRAMP Rev. 5 Moderate baseline profile
- FedRAMP Rev. 5 Moderate baseline resolved profile catalog
- FedRAMP Rev. 5 Low baseline profile
- FedRAMP Rev. 5 Low baseline resolved profile catalog
- FedRAMP Rev. 5 LI-SaaS baseline profile
- FedRAMP Rev. 5 LI-SaaS baseline resolved profile catalog
To submit questions or provide feedback on the items listed above, please email oscal@fedramp.gov.
What's Next?
Slated for release on 6/30/2023:
- FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template
- FedRAMP OSCAL Templates, OSCAL Registry, OSCAL Implementation Guides
- FedRAMP System Security Plan (SSP) Template (“front matter” sections for all baselines)
  - Appendix A: FedRAMP Security Controls templates (all baselines)
  - Appendix F: Rules of Behavior (RoB) Template
  - Appendix G: ISCP Template
  - Appendix J: CIS and CRM Workbook Template
  - Appendix M: Integrated Inventory Workbook Template
  - Appendix Q: Cryptographic Modules Table
- FedRAMP Security Assessment Plan (SAP) Template
  - Appendix A: Security Test Case Procedures Templates (all baselines)
- FedRAMP Security Assessment Report (SAR) Template
- FedRAMP Risk Exposure Table (RET) Template
- FedRAMP Moderate and High Readiness Assessment Report (RAR) Templates
- 3PAO Readiness Assessment Report Guide
- FedRAMP Laws, Regulations, Standards, and Guidance Reference
Check out our previous blog for more information on the first wave of documents released.