About FedRAMP’s Use of OSCAL
The Federal Risk Authorization and Management Program (FedRAMP®) is working to scale the Program’s ability to meet the needs of the market. To scale, FedRAMP needs to improve the degree of automation used to create, submit, and review packages for cloud information systems, and to continuously monitor these systems to ensure that baseline security requirements are met.
The Open Security Controls Assessment Language (OSCAL) provides the capabilities needed to realize FedRAMP’s strategic objectives around automation and modernization.
This section of the website includes:
- Important background information to help understand the types of information contained in security documentation used for assessment.
- Information on the OSCAL models and how they are used to represent security documentation and assessment information.
- Discussion of how the OSCAL models are used by different stakeholders.
- Examination of the benefits of using OSCAL as part of FedRAMP’s automation and modernization strategy.
- Answers to frequently asked questions on FedRAMP’s use of OSCAL and the automation and modernization approach.
- Information on how FedRAMP will manage releases that include human- and machine-oriented resources.