Digital Authorization Package Pilot Launch
August 28, 2024
Today, FedRAMP is launching the Digital Authorization Package pilot. This pilot will explore the use of the Open Security Controls Assessment Language (OSCAL) to create machine-readable, digital authorization packages. During this pilot, FedRAMP will collaborate with cloud service providers (CSPs), governance, risk, and compliance (GRC) tool providers, and federal agencies, who will review and use new FedRAMP open source guidance and validation tooling, and share feedback with FedRAMP during pilot office hours. The primary goal of the pilot is to improve the FedRAMP digital authorization package guidance and validation tooling while helping CSPs prepare high-quality system security plans in OSCAL. This is a significant and necessary step towards accepting digital authorization packages as part of achieving a FedRAMP authorization.
On July 11, 2024, FedRAMP launched the automate.fedramp.gov hub, which provides developers with guidance for creating tools that produce OSCAL-based data. This guidance describes how to meet FedRAMP’s data requirements for a digital authorization package. Additionally, FedRAMP has developed a new set of data validation rules that can be used to automatically check that a digital authorization package meets the requirements. These rules are available for testing and feedback through the pilot and are expected to drive significant improvements in FedRAMP data consistency, completeness, and accuracy. Use of digital artifacts will allow for greater efficiencies in package review and continuous monitoring processes by reducing issues that lead to multiple review cycles and by reducing human efforts in areas that benefit from greater automation.
FedRAMP digital transformation and modernization
The System Security Plan (SSP) is one of the core documents in a FedRAMP authorization package. It identifies and describes the component services of the system, the security requirements for the system, and the security controls implemented to meet those requirements. The accuracy of the SSP is paramount for authorizing officials and is the basis upon which FedRAMP cloud service offerings are assessed, authorized, and continuously monitored.
Without digital authorization packages, security information is captured as a collection of unstructured and semi-structured documents that do not lend themselves well to automation. Current processes for creating and reviewing FedRAMP packages are time-consuming and challenging due to the largely manual process required for producing this documentation. There are often passbacks between stakeholders (e.g., CSPs, independent assessors, federal agencies, and FedRAMP) at various stages of the assessment and review processes due to missing, incomplete, or inaccurate information. This can lead to significant delays in authorization.
The Digital Authorization Package pilot will focus on developing extensive guidance to help CSPs create machine-readable OSCAL SSPs, and creating automated validations that provide faster, more consistent, and less laborious reviews of FedRAMP packages. While this pilot will not have an immediate impact on the current authorization process, it will provide significant insights for FedRAMP as we design a new process for reviewing digital authorization packages and will help CSPs improve the level of detail and overall quality of their system security plans using OSCAL.
Pilot participants wanted
To launch this pilot, FedRAMP is seeking collaboration partners, including CSPs, GRC tool providers, and federal agency stakeholders, to help improve open source FedRAMP guidance and validation tooling. These open source resources support the production of high-quality FedRAMP packages and continuous monitoring information in a digital form based on the Open Security Controls Assessment Language (OSCAL).
During the pilot, participants will be expected to produce and validate OSCAL SSPs based on real-world data and must be:
- Willing to review FedRAMP OSCAL SSP technical guidance and identify any areas where the documentation can be improved
- Able to use the OSCAL SSP validation rules for SSP validation, reporting any incorrect errors and any areas to improve the validations
- Willing to collaborate with the FedRAMP OSCAL automation team and provide detailed feedback on GitHub and during weekly conference calls
The pilot will be run as an open source project on GitHub. Participation in the pilot is voluntary.
Working together with FedRAMP
FedRAMP will leverage the GSA/fedramp-automation and GSA/automate.fedramp.gov GitHub repositories for collaboration with pilot partners. Individual issues will be tracked in these repositories, which will be used to discuss and resolve improvements in the FedRAMP OSCAL guidance or validations.
Collaboration partners will not be asked to share sensitive or proprietary package information or documents during the pilot. They will use the local validation tooling within their local environments to validate their OSCAL SSP content and report back on any guidance or validation issues they find.
The FedRAMP automation team will host weekly OSCAL implementer meetings and recurring “pilot office hours.” To attend the weekly OSCAL implementer meetings, subscribe to the distribution list. The pilot office hour times enable direct one-on-one discussions between an individual pilot partner and the FedRAMP team to support troubleshooting, debugging, or sharing detailed feedback. You can sign up for a 30-minute office hour time-block. These blocks are made available for pilot participants on a first-come, first-served basis.
Stay informed
Our pilot program web page provides information about our pilots. Check back for the latest updates. Email us at pilots@fedramp.gov if you have questions.