The New Era of FedRAMP: Expediting SSP Submissions via OSCAL

Steve Horvath
Stephen Horvath
August 3, 2023 • 3 min read
Expediting SSP Submissions with OSCAL

The Federal Risk and Authorization Program (FedRAMP) is designed to provide a standardized approach to security authorizations for cloud service offerings. Yet, despite efforts like the FedRAMP Authorization Act, recent reporting from the Government Accountability Office (GAO) shows a serious need for improvement as many agencies aren’t actually implementing the requirements in vendor acquisitions.

Up against these implementation challenges, FedRAMP is trying something new: adopting the use of Open Security Controls Assessment Language (OSCAL) for all packages. What this means is that now all FedRAMP packages should follow OSCAL formats to provide machine-readable representations of control catalogs, control baselines, system security plans and assessment plans and results. Although it may sound like another box to check – especially for the organizations struggling to meet existing FedRAMP standards – OSCAL is expected to bring a number of benefits. For instance, according to FedRAMP:

  • Cloud Service Providers (CSPs) will be able to create their System Security Plans (SSPs) more rapidly and accurately, validating much of their content before submission to the government for review.
  • Third Party Assessment Organizations (3PAOs) will be able to automate the planning, execution, and reporting of cloud assessment activities.
  • Agencies will be able to expedite their reviews of the FedRAMP security authorization packages.

This also means that the FedRAMP marketplace of 400+ offerings must ensure their security controls are represented in OSCAL, opening the door for long-due compliance overhauls.

Telos is proud to serve on the frontlines of the OSCAL transition, helping the world’s most security conscious organizations streamline efforts and achieve compliance. One great example of this is our work with Zscaler, today’s leader in cloud security. In 2021, Zscaler selected our enterprise cyber risk management framework, Xacta®, for management and automation of FedRAMP and Department of Defense (DoD) authorizations. Now, the company is armed with a competitive compliance edge, already having met the new OSCAL requirement.

“Bringing Xacta into the fold was a game changer for us,” said Steve Kovac, Chief Compliance Officer and Head of Global Government Affairs at Zscaler. “The compliance landscape is complex. Telos helps us automate system security plan reviews, expedite the process, and improve accuracy. With all FedRAMP packages now following OSCAL formats, we’re proud to operate ahead of the curve with Telos.”

As organizations transition to the OSCAL framework, their security teams benefit from improved system security assessments, decreased assessment-related labor, improved information sharing and more. Telos was also recently prioritized by the FedRAMP Joint Authorization Board (JAB) to pursue FedRAMP High for Xacta.

Ready to make this a reality at your organization? See how Telos can help by visiting: https://www.telos.com/offerings/xacta/.

 

Steve Horvath
Stephen Horvath
Senior Vice President of Xacta Solutions
Stephen Horvath is the senior vice president of Xacta solutions at Telos Corporation.
Read full bio