Digital Authorization Package Pilot
Overview
Purpose
In FedRAMP’s Digital Authorization Package pilot, FedRAMP will collaborate with participants from cloud service providers (CSPs), governance, risk, and compliance (GRC) tool providers, and federal agencies to explore the use of the Open Security Controls Assessment Language (OSCAL) to create machine-readable, digital authorization packages. As a pilot participant, you will use the local validation tooling within your local environment to validate your OSCAL SSP content and report any guidance or validation issues you find. See the pilot announcement blog post for additional information.
CSPs, GRC tool providers, and federal agencies may voluntarily participate in the pilot. If you want to participate, you must meet the prerequisites listed below.
Scope
The Digital Authorization Package pilot will focus on developing extensive guidance to help CSPs create machine-readable OSCAL SSPs, and creating automated validations that provide faster, more consistent, and less laborious reviews of FedRAMP packages. While this pilot will not have an immediate impact on the current authorization process, it will provide significant insights for FedRAMP as we design a new process for CSPs that are ready to develop and submit digital authorization packages using OSCAL.
This pilot will focus on the OSCAL-based (rev 5) SSP as the essential component of a digital authorization package:
- SSP front-matter
- Appendix A - FedRAMP Security Controls
- Appendix E - Digital Identity
- Appendix J - CIS/CRM
- Appendix K - FIPS 199
- Appendix M - Integrated Inventory
- Appendix Q - Cryptographic Modules
- Section 11 - Separation of Duties
The pilot will prioritize addressing the most common SSP deficiencies that lead to review delays.
The pilot will not focus on the development of system security plans describing agency use of cloud services or the implementation of customer responsibilities. That will be covered in future pilots.
Goals and Objectives
- Further Define Digital Authorization Package Composition: Update the automate.fedramp.gov website with more specific details around the key data elements required in digital authorization packages.
- Provide Guidance: Increase the overall quality of OSCAL-based SSPs by providing additional accurate, clear, and actionable guidance on producing an OSCAL-based SSP. Ensure that the guidance addresses common issues and provides meaningful examples.
- Provide Richer System Context: Ensure that system security plans document control implementation and related system context at the service level using OSCAL components.
- Automate and Stabilize Validation Checks: Identify the first set of validations to use for reducing review timeframes and improving consistency. Provide a list of validations that must be checked prior to submitting an SSP to FedRAMP. These validations will reduce human effort and detect issues that have historically been detected later in the FedRAMP package review process.
Expectations for the Pilot
How to Participate
Any CSP, GRC tool provider, or agency may voluntarily participate in the pilot and must meet the following prerequisites before applying to participate:
- Must review code, data, and documentation before release (i.e. pre-release branches such as
develop
andfeature
branches), during, and after release (i.e. in themain
branch or specified releases) in our GitHub repositories. - Must follow official processes and communication mechanisms when participating, whether frequently or ad-hoc (i.e. reporting minimally required information in GitHub; participants will schedule their own office hours; et cetera).
- Must be able to manually or automatically produce OSCAL SSP(s) based on real-world data
- Must use available documentation at https://automate.fedramp.gov/documentation to guide OSCAL SSP development efforts
- Must use OSCAL-CLI to exercise FedRAMP external constraints on OSCAL SSPs
- Must be willing to run validation tool and provide feedback (e.g., identified issues, unclear documentation, desired enhancements, etc.)
- Must be willing to post issues and contribute to discussions on GitHub
The pilot is open source, so there is no application or selection process for the pilot. To join, a CSP, GRC tool provider, or agency must sign up for the mailing list and must have a GitHub account.
The FedRAMP automation team will host biweekly OSCAL Implementers meetings and recurring “pilot office hours”. For details on how to attend the biweekly OSCAL Implementers meetings, please see our mailing list sign-up instructions here. The pilot office hour times enable direct one-on-one discussions between an individual pilot partner and the FedRAMP Automation Team to support troubleshooting, debugging, or sharing detailed feedback. You can sign up for a 30-minute office hour time-block. These blocks are made available on a first-come, first served basis.
Pilot Kickoff Process
FedRAMP will hold a kickoff meeting for all interested participants. During this meeting, FedRAMP will provide the following details:
- How to use validation tooling and available FedRAMP validation rules
- How to open issues and pull requests on GitHub
- Expectations around issue reporting, discussion, and resolution
Pilot Evaluation Process
FedRAMP will hold a retrospective meeting that will be open to all participants. During this meeting, FedRAMP will:
- Share data on the metrics gathered throughout the pilot
- Gather feedback from participants about where the pilot exceeded and fell short of expectations
- Discuss how any unresolved issues will be addressed
- Facilitate a discussion around possible next steps