00:00:00:00 - 00:00:03:22 So thank you very much to NIST for having us here, for giving us 00:00:03:22 - 00:00:05:21 this opportunity to come and talk about the work 00:00:05:21 - 00:00:08:08 that we've been doing at the OSCAL Foundation, 00:00:08:08 - 00:00:13:08 particularly on FedRAMP artifacts and what it means for a FedRAMP artifact 00:00:13:08 - 00:00:16:08 to be machine readable and OSCAL compliant. 00:00:16:12 - 00:00:20:00 I'm here today with Brian Ruff, who is the leader 00:00:20:00 - 00:00:23:03 of the OSCAL Foundation's FedRAMP focus group. 00:00:23:03 - 00:00:27:23 Brian is our FedRAMP expert inside of the foundation, and really knows his stuff. 00:00:27:23 - 00:00:31:16 So I'm really excited to be here with him to talk through what we've done so far, 00:00:31:18 - 00:00:34:00 talk through the history of all of this work that we're doing, 00:00:34:00 - 00:00:36:08 and most importantly, talk about the future of it 00:00:36:08 - 00:00:41:01 and how we hope that this future includes all of you through your feedback and information. 00:00:41:04 - 00:00:44:18 Brian, do you want to kick us off and talk through our agenda for today? 00:00:44:21 - 00:00:46:09 Sure. Thank you, Stephen. Yes. 00:00:46:09 - 00:00:50:21 We want to encourage questions as we go to the degree that time allows. 00:00:50:21 - 00:00:53:24 We will also have a time at the end for questions, so please 00:00:54:03 - 00:00:58:03 keep that in mind. We want to just step briefly through a brief history. 00:00:58:03 - 00:01:01:01 We want to let you know about some of the feedback we received. 00:01:01:01 - 00:01:04:07 I'll get you thinking now: we also want to hear about any feedback 00:01:04:07 - 00:01:06:19 anyone from this group may have, either today 00:01:06:19 - 00:01:10:19 in this conversation or at a later date via any of our communication paths. 
00:01:10:22 - 00:01:12:00 Then we're going to talk about 00:01:12:00 - 00:01:15:09 the priorities that we've established and our plan to go forward. 00:01:15:11 - 00:01:18:20 We will spend a fair amount of time on adoption paths. 00:01:18:20 - 00:01:22:14 This is how to adopt OSCAL for your FedRAMP needs. 00:01:22:16 - 00:01:26:07 And then we will get into the current state of our work on the effort. 00:01:26:07 - 00:01:28:09 And that's going to include some show and tell. 00:01:28:09 - 00:01:30:09 We'll show you some of the resources we've developed. 00:01:30:09 - 00:01:34:01 We'll walk through them at a high level, give you a chance to ask a few questions. 00:01:34:01 - 00:01:36:10 And then we'll wrap up with some discussion. 00:01:36:10 - 00:01:38:04 Okay. Just a quick history. 00:01:38:04 - 00:01:41:22 Don't want to spend a lot of time here, but relative to FedRAMP, 00:01:41:22 - 00:01:44:17 OSCAL has been on FedRAMP’s radar for a while. 00:01:44:17 - 00:01:48:17 Back in 2018, NIST and FedRAMP began the collaboration. 00:01:48:19 - 00:01:51:20 That was a very solid partnership for several years. 00:01:51:23 - 00:01:54:22 In 2021, OSCAL 1.0 was released. 00:01:54:22 - 00:01:58:16 The first FedRAMP submissions came along the next year, in 2022. 00:01:58:16 - 00:02:01:00 Things kind of got a little stagnant for a while. 00:02:01:00 - 00:02:05:15 And in 2024, there was a fresh start on behalf of GSA and the PMO. 00:02:05:17 - 00:02:10:00 But then in 2025, the PMO decided, when it introduced 20x, 00:02:10:07 - 00:02:12:05 to stop all OSCAL efforts. 00:02:12:05 - 00:02:14:22 More recently, earlier this year, 2026, 00:02:14:22 - 00:02:19:04 the PMO has responded to feedback and has decided 00:02:19:04 - 00:02:22:18 that OSCAL should still be on the radar based on industry feedback. But 00:02:22:18 - 00:02:27:22 it did put it on industry to figure out what OSCAL looks like for FedRAMP. 
00:02:28:00 - 00:02:31:18 That's where the OSCAL Foundation decided, as an industry 00:02:31:21 - 00:02:35:03 group focused on OSCAL, we were the right organization 00:02:35:03 - 00:02:39:03 in the right place and that we should absolutely try to respond to that call. 00:02:39:06 - 00:02:42:20 So the work you're going to see here is our response to FedRAMP’s 00:02:42:23 - 00:02:45:04 request to have industry figure out OSCAL. 00:02:45:04 - 00:02:48:06 Part of the goal of presenting today is to promote 00:02:48:06 - 00:02:51:09 awareness of this work and to encourage you to participate. 00:02:51:13 - 00:02:54:05 We really want more involvement, more feedback. 00:02:54:05 - 00:02:55:17 If this is going to be successful, 00:02:55:17 - 00:02:58:17 it's going to be because we're all coming together to make it successful. 00:02:59:06 - 00:03:02:10 So I want to take a chance to talk a little bit about 00:03:02:10 - 00:03:06:23 how this work has connected to other relevant organizations 00:03:06:23 - 00:03:08:10 in this space, because at the end of the day, 00:03:08:10 - 00:03:12:04 what we're talking about here is a standard for communication 00:03:12:04 - 00:03:13:19 that needs to be interoperable 00:03:13:19 - 00:03:16:03 and needs to work with a lot of different organizations. 00:03:16:03 - 00:03:20:01 So we have been in active communications with the FedRAMP 00:03:20:01 - 00:03:22:17 PMO about what this actually needs to look like. 00:03:22:17 - 00:03:25:18 We've wanted to make sure that we don't end up in a position 00:03:25:18 - 00:03:28:24 where the FedRAMP PMO is surprised by what we're providing them. 00:03:28:24 - 00:03:30:11 They have asked industry 00:03:30:11 - 00:03:34:05 to put together what they think these packages should look like. 00:03:34:05 - 00:03:37:05 But we also want to do it in partnership with the FedRAMP PMO 00:03:37:05 - 00:03:39:24 so that when we get to the final stage, we're ready to go. 
00:03:39:24 - 00:03:43:14 Everyone is ready for these packages, ready to intake and manage them. 00:03:43:14 - 00:03:46:17 So we've been in ongoing conversations with the FedRAMP PMO, 00:03:46:21 - 00:03:48:04 and that's been really productive. 00:03:48:04 - 00:03:51:24 We've also had really recent communication and outreach 00:03:51:24 - 00:03:55:17 and engagement with the Cloud Service Provider Advisory Board, or the CSP-AB. 00:03:56:06 - 00:03:59:08 This is an industry group of cloud service providers 00:03:59:08 - 00:04:02:12 that are very interested in the work that we've been doing here, 00:04:02:12 - 00:04:05:12 because they all have to adhere to FedRAMP requirements. 00:04:05:13 - 00:04:09:14 So they are interested in seeing what the format that we put together 00:04:09:14 - 00:04:11:17 is, what the representation we put together is, 00:04:11:17 - 00:04:15:21 because that will be a way for them to meet the upcoming FedRAMP requirements. 00:04:16:02 - 00:04:18:22 We've also, from a foundation perspective, had the chance to talk 00:04:18:22 - 00:04:21:03 to a lot of US government agencies. 00:04:21:03 - 00:04:22:07 At the end of the day, 00:04:22:07 - 00:04:26:04 these FedRAMP packages actually get sent to the individual 00:04:26:04 - 00:04:29:24 agencies that are trying to procure individual services from FedRAMP. 00:04:29:24 - 00:04:33:19 And so there has to be a dialog that includes those agencies as well, 00:04:33:19 - 00:04:36:10 because not only does FedRAMP need to be ready for these machine 00:04:36:10 - 00:04:39:23 readable packages, but the actual agencies at the end of the road 00:04:39:23 - 00:04:41:08 need to be ready for them as well. 00:04:41:08 - 00:04:46:13 So we've been in lots of conversations with agencies all across the US federal government 00:04:46:13 - 00:04:50:11 to make them aware of this work, to make sure that they know what it will 00:04:50:11 - 00:04:54:10 take to handle these packages and be part of this larger ecosystem. 
00:04:54:10 - 00:04:56:08 So this has been really successful so far. 00:04:56:08 - 00:05:01:01 People are interested in the OSCAL representations for FedRAMP packages. 00:05:01:03 - 00:05:04:23 The majority of them are interested mostly in waiting to see 00:05:04:23 - 00:05:06:07 what the industry creates. 00:05:06:07 - 00:05:08:12 They don't have a strong opinion one way or the other, 00:05:08:12 - 00:05:12:07 and they are looking to the foundation and to industry to put it together. 00:05:12:07 - 00:05:17:04 So if you are interested in being part of that, this is a great effort to join. 00:05:18:12 - 00:05:20:18 So I want to take a minute to 00:05:20:18 - 00:05:24:02 talk about the feedback that we've gotten as part of these conversations. 00:05:24:04 - 00:05:26:01 As I said, we've talked to industry groups, 00:05:26:01 - 00:05:28:12 we've talked to individual companies, we've talked to GRC 00:05:28:12 - 00:05:30:19 vendors, we've talked to agencies, we've talked to FedRAMP. 00:05:30:19 - 00:05:32:09 And over the last several 00:05:32:09 - 00:05:35:12 years, we've been collecting the feedback that we've gotten about OSCAL. 00:05:35:14 - 00:05:40:18 And I think it's important for us to be very forward and very honest 00:05:40:18 - 00:05:43:22 about what people have told us about the shortcomings of OSCAL, 00:05:43:22 - 00:05:47:23 because adjusting for that is how we're going to make this successful. 00:05:48:02 - 00:05:53:19 So we have heard from people that they love that OSCAL is highly flexible. 00:05:53:23 - 00:05:57:09 They love that OSCAL can adequately capture 00:05:57:11 - 00:06:01:18 all of the different kinds of information that exist in a FedRAMP authorization 00:06:01:18 - 00:06:04:13 package, as well as lots of information that's not currently 00:06:04:13 - 00:06:07:00 in the authorization package, but is valuable to include. 
00:06:07:00 - 00:06:10:19 And this includes controls from other frameworks, connecting 00:06:10:19 - 00:06:11:23 and mapping together 00:06:11:23 - 00:06:15:11 what you are doing for FedRAMP to your other compliance frameworks. 00:06:15:13 - 00:06:19:02 Being able to say that I am a FedRAMP medium, 00:06:19:06 - 00:06:23:05 and this maps accordingly to, for example, maybe CMMC 00:06:23:05 - 00:06:25:09 or some other FISMA requirements. 00:06:25:09 - 00:06:28:12 Most importantly, that it's viable, right? 00:06:28:14 - 00:06:32:20 One of the concerns we had many years ago was, is this actually going 00:06:32:20 - 00:06:35:12 to end up being viable? And the answer is really a resounding yes. 00:06:35:12 - 00:06:38:16 It is absolutely viable to represent the entirety 00:06:38:16 - 00:06:41:19 of the FedRAMP SSP package in OSCAL today. 00:06:42:00 - 00:06:47:07 And that it's an open standard that an industry group can come together and work on 00:06:47:09 - 00:06:49:21 is a really great part of this process. 00:06:49:21 - 00:06:52:01 So everyone we've talked to, from both the end 00:06:52:01 - 00:06:56:03 user to the GRC vendors, is really happy with the flexibility, 00:06:56:03 - 00:07:00:13 the interoperability and the open, industry-driven nature of this work. 00:07:00:23 - 00:07:06:02 Some of the cons that we've heard, some of the downsides or reasons that people are less 00:07:06:04 - 00:07:07:10 excited about this: 00:07:07:10 - 00:07:09:23 the number one thing that we hear time and time again 00:07:10:01 - 00:07:14:00 is that OSCAL is too complex, that it is too big and too hard 00:07:14:00 - 00:07:18:04 for agencies or companies to actually use meaningfully. 00:07:18:04 - 00:07:21:04 And the fact that OSCAL is really flexible 00:07:21:04 - 00:07:24:17 also means that there is a lot of difference, 00:07:24:17 - 00:07:28:08 potentially, between different approaches to representing this information. 
00:07:28:10 - 00:07:30:11 Overall, this makes it difficult to adopt. 00:07:30:11 - 00:07:34:08 And most of all, it makes it really hard to adopt all at once. 00:07:34:13 - 00:07:38:02 It makes it really difficult to go from having no machine readable 00:07:38:02 - 00:07:42:00 content for FedRAMP authorizations to being fully OSCAL compliant. 00:07:42:01 - 00:07:43:08 That's a big jump. 00:07:43:08 - 00:07:47:00 And it doesn't help that there is not a lot of tooling out there 00:07:47:01 - 00:07:48:16 to help you make that jump. 00:07:48:16 - 00:07:50:07 So looking at the big picture here, 00:07:50:07 - 00:07:52:21 after all of these conversations that we've been having, 00:07:52:21 - 00:07:56:14 we see that OSCAL is absolutely an answer 00:07:56:14 - 00:08:00:00 to this problem of representing FedRAMP authorization packages. 00:08:00:00 - 00:08:04:02 But there might be some extra guidance or work to be done 00:08:04:02 - 00:08:10:08 around it to help agencies, companies, and anyone actually adopt this work. 00:08:10:09 - 00:08:13:16 So we looked at this feedback, and this is what drove the work 00:08:13:16 - 00:08:15:00 that we're going to show you today. 00:08:15:00 - 00:08:17:17 We wanted to try and address the cons that are here 00:08:17:17 - 00:08:21:05 while we lean on the pros and lean on the strengths of OSCAL, 00:08:21:05 - 00:08:23:14 while we kind of shore up some of those downsides. 00:08:23:14 - 00:08:24:12 And I hope you'll see that 00:08:24:12 - 00:08:27:12 what we've done does a pretty good job of mapping to this. 00:08:27:23 - 00:08:30:02 In order to meet this sense that it's 00:08:30:02 - 00:08:33:09 really hard to go all at once, we are taking a phased approach. 00:08:33:12 - 00:08:35:23 This is a lot of work for the foundation to take on. 00:08:35:23 - 00:08:39:02 There's a lot of parts of FedRAMP, and the FedRAMP 00:08:39:02 - 00:08:42:10 PMO’s target for what we're going to is moving in real time. 
00:08:42:12 - 00:08:47:06 A lot of this work was actually just recently started by FedRAMP RFC 0024. 00:08:47:08 - 00:08:50:01 So there's a lot of moving parts and things in process. 00:08:50:01 - 00:08:52:15 So we're taking a very phased approach here. 00:08:52:15 - 00:08:57:00 After RFC 0024, which, if you're not aware, was FedRAMP’s 00:08:57:01 - 00:09:00:17 declaration that they're going to begin requiring machine readable 00:09:00:17 - 00:09:04:15 package submissions and no longer accepting Word and Excel spreadsheets. 00:09:04:17 - 00:09:06:20 That's what kicked off phase zero of this work. 00:09:06:20 - 00:09:10:04 We put together a team at the OSCAL Foundation of companies 00:09:10:04 - 00:09:13:20 and tool vendors that are interested in creating the guidance 00:09:13:20 - 00:09:17:01 for this, created some shared resources and really jumped in on the work. 00:09:17:01 - 00:09:21:13 The thrust of our work has been to focus on the FedRAMP SSP. 00:09:21:15 - 00:09:24:23 That is the core of a FedRAMP authorization package. 00:09:25:01 - 00:09:28:11 So when you submit an authorization package to FedRAMP, the big bulk of it 00:09:28:11 - 00:09:31:12 is this monolithic SSP document, which is typically, 00:09:31:13 - 00:09:33:10 you know, 300 pages of a Word document. 00:09:33:10 - 00:09:37:04 We want to take all of the information that is in those 300 pages 00:09:37:04 - 00:09:40:07 of Word document and create a guide or a 00:09:40:07 - 00:09:43:11 representation of what that would look like in OSCAL. 00:09:43:14 - 00:09:44:17 And that is what we are 00:09:44:17 - 00:09:48:12 working on right now, and is what we're going to show you today as well. 00:09:48:13 - 00:09:52:12 The work that we've done so far, and our priority list for the SSP, is first 00:09:52:12 - 00:09:55:18 and foremost to create clarity and guidance around 00:09:55:18 - 00:09:58:16 what the representation looks like, because OSCAL is really flexible. 
00:09:58:16 - 00:10:01:20 There's a lot of different ways to represent an SSP in OSCAL, 00:10:01:20 - 00:10:03:01 and we want to make sure that everyone 00:10:03:01 - 00:10:05:20 is doing it in a similar and interoperable way. 00:10:05:20 - 00:10:08:20 So what you're going to see today is our attempt at clarifying 00:10:08:20 - 00:10:10:17 and providing guidance around that representation. 00:10:10:17 - 00:10:13:24 After this work, we want to help people get on board with this. 00:10:14:00 - 00:10:17:06 That means aiding in adoption, and potentially creating tooling 00:10:17:06 - 00:10:22:00 to help validate and, like, identify errors or issues in the FedRAMP space. 00:10:22:00 - 00:10:23:21 Things to think about as we move forward. 00:10:23:21 - 00:10:27:24 And this will be relevant to think about, especially after Brian has a chance 00:10:27:24 - 00:10:30:24 to talk you through what we've done so far, as we look to the future. 00:10:31:02 - 00:10:34:01 We're leaving ourselves open to different possibilities because, again, 00:10:34:01 - 00:10:38:08 the FedRAMP target is moving a little bit as policy continues to change. 00:10:38:11 - 00:10:41:11 Things that we're keeping an eye on are FedRAMP 20x. 00:10:41:14 - 00:10:46:07 Everything you're going to see today is related to the FedRAMP Rev 5 process, 00:10:46:07 - 00:10:48:05 which is the current existing process. 00:10:48:07 - 00:10:52:20 FedRAMP 20x is a newer pilot program that FedRAMP is testing 00:10:52:20 - 00:10:55:20 and wants to eventually try and move people over to. 00:10:55:22 - 00:10:58:22 So as we look towards the future, we want to think, 00:10:58:23 - 00:11:03:11 how does this work translate or map to, where it does, FedRAMP 20x. 00:11:03:15 - 00:11:07:04 We also want to be looking at POA&Ms, SAPs and SARs. 00:11:07:04 - 00:11:09:02 For those of you familiar with the FedRAMP process, 00:11:09:02 - 00:11:12:17 those are auxiliary documents that provide additional information. 
00:11:12:17 - 00:11:16:23 There is some question from FedRAMP whether or not those will be required. 00:11:16:24 - 00:11:18:03 There's just a recent notice that 00:11:18:03 - 00:11:21:09 came out that indicated that POA&Ms may no longer be required. 00:11:21:09 - 00:11:24:06 So these are going to be based on FedRAMP decisions 00:11:24:06 - 00:11:25:18 and industry interactions. 00:11:25:18 - 00:11:28:11 And then down the line, we also want to look at doing similar work in terms 00:11:28:11 - 00:11:32:03 of creating a shared, interoperable representation for things like CMMC, 00:11:32:07 - 00:11:33:06 other FISMA 00:11:33:06 - 00:11:36:21 control frameworks and even completely different compliance schemes. 00:11:37:01 - 00:11:37:07 Okay. 00:11:38:10 - 00:11:39:20 So I'm going to turn things over to Brian, 00:11:39:20 - 00:11:43:01 and he's going to talk through what this actually looks like. 00:11:43:10 - 00:11:45:23 Thanks, Stephen. Okay, so let's dive into this. 00:11:45:23 - 00:11:48:13 The SSP adoption paths. 00:11:48:13 - 00:11:50:20 Again, going back to the feedback. 00:11:50:20 - 00:11:55:09 We've heard that the flexibility creates complexity. 00:11:55:12 - 00:11:59:10 Jumping right into OSCAL is a very big jump. 00:11:59:10 - 00:12:02:15 We need to move more incrementally into OSCAL. 00:12:02:15 - 00:12:05:19 And so we've invested a fair amount of time trying to determine 00:12:05:20 - 00:12:07:24 what does it look like to move incrementally. 00:12:07:24 - 00:12:12:05 We quickly realized that what it looks like to move incrementally is different 00:12:12:08 - 00:12:14:02 if you're approaching OSCAL 00:12:14:02 - 00:12:19:04 fresh versus if you have to convert from your legacy Word SSP to OSCAL. 00:12:19:07 - 00:12:22:18 So these are the two paths that we've created: the retrofit adoption 00:12:22:18 - 00:12:28:03 path for existing cloud service providers who have their legacy Word SSP. 
00:12:28:03 - 00:12:30:09 They want to get going with OSCAL quickly, 00:12:30:09 - 00:12:31:10 but they want to minimize 00:12:31:10 - 00:12:34:01 the amount of refactoring they have to do to get started. 00:12:34:01 - 00:12:39:17 The native adoption path is: you don't have a FedRAMP SSP in Word today. 00:12:39:18 - 00:12:41:01 You're just getting started. 00:12:41:01 - 00:12:42:15 So you're going to jump in. 00:12:42:15 - 00:12:44:12 You'd approach OSCAL very differently 00:12:44:12 - 00:12:46:24 if you don't have to deal with the legacy burden. 00:12:46:24 - 00:12:50:24 Please keep in mind, though, the FedRAMP PMO's current position 00:12:51:03 - 00:12:55:06 is that they want new systems to pursue 20x. 00:12:55:06 - 00:12:58:02 They do not want new systems to pursue Rev 5. 00:12:58:02 - 00:13:00:13 And right now this is focused on Rev 5. 00:13:00:13 - 00:13:03:12 So chances are you're going to be an existing 00:13:03:12 - 00:13:06:15 CSP interested in the retrofit adoption path, 00:13:06:15 - 00:13:09:06 aligned with what the PMO is asking for. 00:13:09:06 - 00:13:11:15 But we do have this native adoption path here. 00:13:11:15 - 00:13:14:01 We think it applies more broadly than just FedRAMP. 00:13:14:01 - 00:13:17:01 But we wanted to have it as an option for systems as well. 00:13:17:11 - 00:13:20:14 When we do our show and tell in a few slides, 00:13:20:18 - 00:13:24:09 we're going to dig into these paths a little bit. 00:13:24:09 - 00:13:26:11 We'll show you some resources. More importantly, 00:13:26:11 - 00:13:30:06 the detail for this documentation is publicly available online. 00:13:30:06 - 00:13:32:10 We want to make sure you know where to find it, 00:13:32:10 - 00:13:35:08 so that you can examine it when you have more time, 00:13:35:08 - 00:13:38:06 and at a level appropriate for your needs. 00:13:38:06 - 00:13:40:14 Just to highlight a couple of things here. 00:13:40:14 - 00:13:42:03 There's a fair amount of focus on that 
00:13:42:03 - 00:13:44:12 retrofit path MVP. 00:13:44:12 - 00:13:48:12 And what we're saying here is, what is the minimum necessary 00:13:48:14 - 00:13:52:23 that we need to do just to get your SSP content into OSCAL? 00:13:53:06 - 00:13:56:10 Without having to normalize the data at all, without having 00:13:56:10 - 00:13:59:16 to get into things like components just yet. 00:13:59:18 - 00:14:04:03 We really just want to get you converted as simply as possible. 00:14:04:03 - 00:14:07:03 And so the MVP becomes your target for that. 00:14:07:03 - 00:14:09:17 We have a fair amount of resources there. 00:14:09:17 - 00:14:13:23 This uses what we call the flat inventory and the flat control response. 00:14:13:23 - 00:14:17:15 It's basically just taking your data as it is and moving it into the machine 00:14:17:15 - 00:14:20:15 readable format. Over the next few phases, 00:14:20:17 - 00:14:25:06 you start to move toward the more normalized data that is preferred in OSCAL, 00:14:25:09 - 00:14:28:23 where you start to create components and use components 00:14:28:23 - 00:14:32:10 with your inventory, use components to respond to your controls. 00:14:32:13 - 00:14:33:19 But the good news is OSCAL 00:14:33:19 - 00:14:36:06 lets you do that a little at a time, incrementally. 00:14:36:06 - 00:14:38:03 You start out very flat. 00:14:38:03 - 00:14:42:03 You create a few components that you may need for other reasons. 00:14:42:03 - 00:14:43:18 We can get into that as well. 00:14:43:18 - 00:14:47:01 As you create those components, you start to move your inventory 00:14:47:01 - 00:14:50:08 and your control responses to that component-based approach, 00:14:50:09 - 00:14:51:24 just for the ones you've created. 00:14:51:24 - 00:14:55:12 Some day, you get to a point where you're fully normalized and 00:14:55:20 - 00:14:58:13 all of your components are well defined. 
00:14:58:13 - 00:15:02:17 All of your inventory references components, all of your control responses 00:15:02:20 - 00:15:04:04 reference components. 00:15:04:04 - 00:15:07:16 This path gets you there. On the native adoption path, 00:15:07:16 - 00:15:11:09 it makes more sense to start out early with components, and we help you determine 00:15:11:09 - 00:15:15:14 which components to focus on early, and we build you up from there. 00:15:15:14 - 00:15:17:08 There are some simple use cases 00:15:17:08 - 00:15:21:09 that represent probably 70-80% of what you put in an SSP. 00:15:21:11 - 00:15:25:09 You're just getting started with components you need for a control and starting 00:15:25:09 - 00:15:26:18 to populate that control. 00:15:26:18 - 00:15:29:19 Then you get into things like leveraged authorizations, 00:15:29:19 - 00:15:32:19 external systems and services, ports and protocols. 00:15:33:05 - 00:15:36:19 And then we just increase the complexity until we get to, again, 00:15:36:19 - 00:15:38:02 a fully normalized state. 00:15:38:02 - 00:15:41:20 So both of these paths end in a fully normalized state, 00:15:41:20 - 00:15:44:24 and the idea is whichever path you travel, when you get to the end, 00:15:45:05 - 00:15:48:07 your SSP would look the same regardless of which path you traveled. 00:15:48:14 - 00:15:48:21 Yeah. 00:15:48:21 - 00:15:52:03 I just want to add to that, because I think it warrants some reinforcement. 00:15:52:04 - 00:15:54:06 For those of you that are very familiar with OSCAL, 00:15:54:06 - 00:15:57:13 but not familiar with this FedRAMP work, the approach here is a little bit 00:15:57:13 - 00:16:02:04 different than the OSCAL traditional approach, in that what we're trying to do 00:16:02:04 - 00:16:07:11 here is to make something that is as easy to get onboarded with as possible. 00:16:07:12 - 00:16:12:09 We have a goal of just getting FedRAMP packages into a machine readable format. 
00:16:12:11 - 00:16:15:19 And that means the MVP, our minimum product here, doesn't 00:16:15:19 - 00:16:19:01 have all of the fancy bells and whistles that OSCAL can provide. 00:16:19:02 - 00:16:20:02 Instead, it's dedicated 00:16:20:02 - 00:16:24:00 to just getting that information in as cleanly and quickly as possible, 00:16:24:00 - 00:16:29:13 and then moving from there incrementally to the full OSCAL feature set. 00:16:29:18 - 00:16:30:03 Yeah. 00:16:30:03 - 00:16:32:18 We've realized that almost all of the documentation around 00:16:32:18 - 00:16:35:06 OSCAL has been focused on this normalized state. 00:16:35:06 - 00:16:37:20 You know, I've been one of the people involved in that in the past. 00:16:37:20 - 00:16:41:22 And so we've recognized, based on the feedback, we have to focus 00:16:41:22 - 00:16:45:09 on this MVP state, and what it looks like to make the incremental change. 00:16:45:09 - 00:16:46:14 We're really excited about this. 00:16:46:14 - 00:16:48:24 That's why we're talking about it, obviously. 00:16:48:24 - 00:16:53:20 Until it gets used, we're not going to know for sure how viable it is. 00:16:53:20 - 00:16:57:01 So we're eager for people to look at this and provide feedback. 00:16:57:03 - 00:16:59:13 We've made our best good faith attempt. 00:16:59:13 - 00:17:00:23 But we know it's not perfect. 00:17:00:23 - 00:17:03:15 Like, let us know where things don't make sense to you. 00:17:03:15 - 00:17:05:01 If they don't make sense to you, they probably 00:17:05:01 - 00:17:06:24 don't make sense to your colleagues either. 00:17:06:24 - 00:17:08:09 We want to improve that. 00:17:08:09 - 00:17:11:09 And we're going to give you some avenues for communicating that to us, 00:17:11:09 - 00:17:12:15 or even for getting involved. 00:17:13:21 - 00:17:16:19 Speaking of, so, we've created a few resources. 00:17:16:19 - 00:17:18:16 The biggest is a GitHub repo. 00:17:18:16 - 00:17:20:07 We're going to show you that in a moment. 
00:17:20:07 - 00:17:23:08 That's where we've put the FedRAMP baseline in OSCAL format. 00:17:23:10 - 00:17:28:13 And we've put a few various example SSPs out there, to match our fully 00:17:28:13 - 00:17:33:03 normalized state as well as our MVP or core states for getting started. 00:17:33:03 - 00:17:35:12 We also have a patterns library we're going to show you, 00:17:35:12 - 00:17:38:13 and that's temporarily at this other URL; that was just so 00:17:38:18 - 00:17:39:24 we could get started quickly. 00:17:39:24 - 00:17:44:04 We're in the process of transitioning that to a proper OSCAL Foundation URL. 00:17:44:17 - 00:17:48:16 So be aware that that'll change. We’ll set up a redirect if and when it does. 00:17:48:18 - 00:17:50:20 But that's where you find the adoption strategies 00:17:50:20 - 00:17:53:09 we've talked about, the representation guidance. 00:17:53:09 - 00:17:56:03 And you can get some detail here about project milestones. 00:17:56:03 - 00:18:00:03 So the next steps we're taking: as we make decisions and update 00:18:00:11 - 00:18:02:12 our priorities and our milestones, 00:18:02:12 - 00:18:06:00 that's where you will find those updates, as well as any current status. 00:18:06:13 - 00:18:11:12 And with that, going to move into a demonstration here. 00:18:11:16 - 00:18:12:01 There we go. 00:18:13:06 - 00:18:13:23 Okay. 00:18:13:23 - 00:18:15:08 Two things here. 00:18:15:08 - 00:18:19:20 One of which is the OSCAL Foundation GitHub repo. 00:18:19:23 - 00:18:22:15 So I called this out on this slide we just saw. 00:18:22:15 - 00:18:27:23 This is where you actually, the automation repo that has the baselines out there, 00:18:28:01 - 00:18:31:10 a few weeks ago they've now removed it from public view. 00:18:31:11 - 00:18:34:24 We don't know if it's been deleted or just changed to private. 00:18:34:24 - 00:18:38:03 But we've had forks of that information. 00:18:38:07 - 00:18:41:19 A segue here, but I'm going to, I think it's a worthwhile segue. 
00:18:41:21 - 00:18:43:17 We forgot to include it. 00:18:43:17 - 00:18:46:24 We do have the old FedRAMP automate document. 00:18:47:01 - 00:18:51:05 We were looking for GSA instances that said. 00:18:51:17 - 00:18:54:07 Our main FedRAMP resources repo we've done 00:18:54:07 - 00:18:57:07 specifically to distinguish ourselves from. 00:18:57:12 - 00:19:00:08 We recognize that most organizations 00:19:00:08 - 00:19:01:20 are working with JSON. 00:19:01:20 - 00:19:04:01 All three formats are here. 00:19:04:01 - 00:19:07:04 We have, in both formats, meaning that the OSCAL profile, 00:19:07:05 - 00:19:10:22 which is the preferred way to work with OSCAL controls. 00:19:10:24 - 00:19:12:09 Then we also have the resolved 00:19:12:09 - 00:19:17:04 profile catalog, which is effectively a pre-cached, preprocessed 00:19:17:09 - 00:19:20:17 version of the FedRAMP baseline in OSCAL format. 00:19:20:24 - 00:19:24:14 So that's another thing in our adoption path to get started. 00:19:24:14 - 00:19:26:07 We make available to you 00:19:26:07 - 00:19:29:01 the resolved profile catalog so that you don't have to deal 00:19:29:01 - 00:19:31:11 with profile resolution right out of the gate. 00:19:31:11 - 00:19:34:12 But you do need to understand that at some point 00:19:34:12 - 00:19:37:15 you have to move to actually processing the profiles yourself. 00:19:37:17 - 00:19:41:02 Otherwise you will not be able to overlay other control 00:19:41:02 - 00:19:44:17 frameworks or, like, do privacy overlays or things like that. 00:19:44:19 - 00:19:48:11 Be aware that the resolved profile catalogs get you started quickly, 00:19:48:11 - 00:19:50:14 but are not where you want to be long term. 00:19:51:17 - 00:19:54:10 Then example SSPs. 00:19:54:10 - 00:19:59:01 Again we have the XML, JSON, YAML formats. 00:19:59:01 - 00:20:03:24 And we have our normalized, retrofit path MVP, and so we have to, 00:20:03:24 - 00:20:06:18 I mean, the name here is, should be the native core. 
00:20:06:18 - 00:20:09:02 So basically this is your getting started SSP 00:20:09:02 - 00:20:11:04 for each of the two adoption paths. 00:20:11:04 - 00:20:13:12 And then this is your target state SSP. 00:20:13:12 - 00:20:15:07 We've offered you the three examples. 00:20:15:07 - 00:20:17:12 If we find the need to further update 00:20:17:12 - 00:20:20:12 these examples, this is where you will find those updates. 00:20:21:08 - 00:20:25:03 Getting to the actual patterns library itself. 00:20:25:03 - 00:20:28:07 When you first visit the URL, you get this welcome page, 00:20:28:16 - 00:20:31:15 which basically gives you a little lay of the land here. 00:20:31:15 - 00:20:34:03 You have a link to the adoption strategies for SSP. 00:20:34:03 - 00:20:38:01 And then we've laid out, basically at the high level, how the library is organized. 00:20:38:12 - 00:20:43:13 We give you a link to the project status and our next steps. Tell you a little about governance 00:20:43:17 - 00:20:47:08 within the foundation and how this effort fits into that governance. 00:20:47:09 - 00:20:50:08 And there's a few links here on how to get involved. 00:20:50:08 - 00:20:53:12 The single biggest way to get involved in the OSCAL Foundation 00:20:53:16 - 00:20:56:15 is to go to the foundation's group list, get connected 00:20:56:15 - 00:21:01:09 with the technology working group, which meets every Tuesday at 11 a.m. 00:21:01:09 - 00:21:01:24 Eastern time, 00:21:01:24 - 00:21:06:14 and the FedRAMP Technology Focus Group, which is a working level group. 00:21:06:16 - 00:21:08:17 We also have a mailing list out here. 00:21:08:17 - 00:21:11:17 We are going to be reevaluating our time slot. 00:21:11:23 - 00:21:15:15 Come join the listserv at this link. 00:21:15:18 - 00:21:17:12 Or you can also go through the get involved 00:21:17:12 - 00:21:20:24 pages, and you can get more information and keep track of what we're doing. 00:21:22:19 - 00:21:25:24 When you go to the adoption strategies. 
00:21:26:24 - 00:21:29:07 Again, we talked briefly about Retrofit 00:21:29:07 - 00:21:32:07 and Native here, to give you links to each. 00:21:32:19 - 00:21:35:11 This is that same graphic you saw in the presentation. 00:21:35:11 - 00:21:38:12 But beneath that graphic, we get into the detail. 00:21:38:12 - 00:21:41:14 And the way we've approached it is that this is the roadmap. 00:21:41:17 - 00:21:45:13 And then we have links to the individual topic areas, 00:21:45:17 - 00:21:49:12 so that you can drill in as you work your way down the roadmap. 00:21:49:12 - 00:21:52:12 Now, there's still work in progress happening here. 00:21:52:16 - 00:21:56:14 So there are some pages that we've not fully fleshed out yet. 00:21:56:17 - 00:21:57:19 Still need a little work. 00:21:57:19 - 00:22:02:00 I'm going to say we're probably 85% done with the representation documentation. 00:22:02:04 - 00:22:05:19 For awareness, we took the old FedRAMP SSP work 00:22:05:19 - 00:22:08:11 that was about to be published last February, 00:22:08:11 - 00:22:10:05 February 2025, 00:22:10:05 - 00:22:11:22 and we rejuvenated that. 00:22:11:22 - 00:22:14:08 But we've also refreshed it in several ways. 00:22:14:08 - 00:22:16:17 We've removed a lot of the complexity. 00:22:16:17 - 00:22:20:03 We removed a lot of things that are no longer relevant. 00:22:20:03 - 00:22:20:18 You know, 00:22:20:18 - 00:22:24:14 we tried to repackage it in a way to make it more easily consumable. 00:22:27:03 - 00:22:28:17 A few quick examples. 00:22:28:17 - 00:22:31:17 If I go to, like, say, parties and locations. 00:22:33:02 - 00:22:38:05 We've moved away from XML examples and we're focusing on YAML examples. 00:22:38:09 - 00:22:40:00 Between JSON and YAML, 00:22:40:00 - 00:22:42:12 the representation is almost identical.
00:22:42:12 - 00:22:45:13 JSON tends to take up a lot more space. Even though probably more 00:22:45:13 - 00:22:48:23 than 80% of adoption is JSON adoption, the feedback we have is 00:22:48:23 - 00:22:53:16 YAML is the best format for examples, so we're using YAML for examples here. 00:22:53:23 - 00:22:56:07 We've tried to stay very concise. 00:22:56:07 - 00:22:59:07 Minimal unnecessary statements. 00:23:01:21 - 00:23:02:21 Really tried to make it 00:23:02:21 - 00:23:05:23 so you can just jump to the topic you need to. 00:23:07:02 - 00:23:09:09 A little bit more on organization. 00:23:09:09 - 00:23:12:09 If I come over here to shelves. 00:23:13:04 - 00:23:17:15 So eventually we'll move any topic that's not specific to FedRAMP, 00:23:17:15 - 00:23:19:14 it's how you do any OSCAL framework, 00:23:19:14 - 00:23:21:03 we're going to move over to core OSCAL. 00:23:21:03 - 00:23:23:01 This is more of a placeholder right now. 00:23:23:01 - 00:23:24:09 There's a few items in there. 00:23:26:13 - 00:23:27:08 And then 00:23:27:08 - 00:23:30:08 we have the FedRAMP specific bookshelf today. 00:23:32:05 - 00:23:33:18 Which we have our 00:23:33:18 - 00:23:39:00 some topic areas checked out, but most of the content is in these first three. 00:23:39:02 - 00:23:40:17 So the supporting resources 00:23:40:17 - 00:23:44:09 is where you'll find more information about the baselines and the examples. 00:23:44:09 - 00:23:46:02 I just showed you that on GitHub. 00:23:46:02 - 00:23:49:02 We have some content here on validating 00:23:49:09 - 00:23:52:09 what you create. 00:23:52:15 - 00:23:56:20 Then I'm going to jump over to SSP. 00:23:58:12 - 00:24:00:22 And I want to show you that, for the most part, 00:24:00:22 - 00:24:04:01 this is organized the way the Word-based SSP is organized. 00:24:04:01 - 00:24:08:14 So we have a section here about title pages prepared by and for it approvers. 00:24:08:14 - 00:24:13:10 Then we have one page for each of the 11 sections in the template.
00:24:13:10 - 00:24:15:11 So each of these numbers 00:24:15:11 - 00:24:19:08 corresponds with the section number in the FedRAMP template. 00:24:19:08 - 00:24:20:24 These are the topic areas. 00:24:20:24 - 00:24:22:16 Section four is system owner. 00:24:22:16 - 00:24:25:12 So here's, you know, where you go for system owner information. 00:24:25:12 - 00:24:29:21 A good example actually is section three in the template, system information. 00:24:30:01 - 00:24:32:10 We cover each row. 00:24:32:10 - 00:24:36:08 Each row in the system information table has a topic area here. 00:24:37:22 - 00:24:39:01 This table of memory. 00:24:39:01 - 00:24:41:00 That's actually the appendix C. 00:24:41:00 - 00:24:42:16 So we just give you a link. 00:24:42:16 - 00:24:46:07 You can go to appendix C and work on digital identity levels. 00:24:48:08 - 00:24:52:02 So we've tried to orient it to the sequencing 00:24:52:02 - 00:24:55:02 you're used to seeing in the SSP as much as possible. 00:24:55:02 - 00:24:58:15 So certainly for sections 1 to 11, appendix A-Q, 00:24:58:18 - 00:25:02:10 where we've called out system inventory and control responses 00:25:02:10 - 00:25:05:15 as sufficiently complex topics that we've given them 00:25:05:15 - 00:25:08:15 their own chapters. 00:25:10:12 - 00:25:10:21 And again, 00:25:10:21 - 00:25:15:01 you'll see, like, this is about the control piece; it's probably 80, 90% complete. 00:25:15:01 - 00:25:16:22 But we do have a little bit of work in progress. 00:25:16:22 - 00:25:19:22 We hope to wrap up in the next week or so. 00:25:21:00 - 00:25:22:23 The other thing I want to show you 00:25:22:23 - 00:25:27:03 that is available to the public is at the bottom of every page. 00:25:27:04 - 00:25:29:03 I'm going to go back to the, yeah. 00:25:30:13 - 00:25:32:22 Let me go back to the system information page. 00:25:32:22 - 00:25:35:24 The bottom of every page is a comments area. 00:25:37:14 - 00:25:40:21 If you want to leave a comment, you can self register.
00:25:41:23 - 00:25:44:13 So you click log in. 00:25:44:13 - 00:25:45:01 There we go. 00:25:45:01 - 00:25:48:17 Right now we just are using federated Google identities. 00:25:49:02 - 00:25:50:22 You could create just your own email address. 00:25:50:22 - 00:25:53:11 But if you use any kind of Google account, 00:25:53:11 - 00:25:56:11 you can just go ahead and use that to get authenticated. 00:25:56:24 - 00:26:02:00 So now I'm logged in, and now I can go to the bottom here and 00:26:03:12 - 00:26:06:11 add a comment becomes available to me. 00:26:06:11 - 00:26:09:09 Anybody with a Google account can leave a comment. 00:26:09:09 - 00:26:13:06 We wanted to have something like that just so we have some accountability 00:26:13:06 - 00:26:16:01 on comments to help keep spam down and things like that. 00:26:16:01 - 00:26:18:12 We didn't want it to just be completely wide open. 00:26:18:12 - 00:26:22:00 We may federate with other identity providers down the road. 00:26:22:00 - 00:26:23:08 This was just to get started. 00:26:23:08 - 00:26:27:22 But this is the best way to leave feedback on specific pieces of information here. 00:26:27:22 - 00:26:28:23 We will respond here. 00:26:28:23 - 00:26:32:04 We have a way to see a summary of comments, but we do encourage you 00:26:32:04 - 00:26:36:02 to get involved in the foundation, or at least in the technology focus group. 00:26:36:02 - 00:26:37:06 It's open to the public. 00:26:37:06 - 00:26:40:23 You do not have to join the foundation as a member to participate in 00:26:40:23 - 00:26:42:05 the technology focus group. 00:26:43:18 - 00:26:46:16 And again, I know Michaela is going to post the slides. 00:26:46:16 - 00:26:49:14 So you'll be able to get this information from there. 00:26:49:14 - 00:26:52:22 But we've given you links to the Technology Working group.
00:26:52:22 - 00:26:56:02 Which is our Tuesday meeting, the technology focus group to get plugged 00:26:56:02 - 00:26:59:07 in that way, the GitHub repo, and the patterns library. 00:26:59:09 - 00:27:01:17 Again, that URL should be changing soon. 00:27:01:17 - 00:27:07:01 To double down again on what Brian said, this is a way of bringing together 00:27:07:01 - 00:27:11:18 the industry, the government, all of the interested parties to work together to 00:27:11:20 - 00:27:15:18 create an interoperable, standardized approach to doing these FedRAMP packages. 00:27:16:02 - 00:27:19:02 So we want people to come in and provide their feedback. 00:27:19:02 - 00:27:20:06 We want people to come into 00:27:20:06 - 00:27:22:03 things that don't work, things that do work. 00:27:22:03 - 00:27:25:22 We want to be able to have this be a place for everyone to come together 00:27:25:22 - 00:27:27:13 and collaboratively work on this. 00:27:27:13 - 00:27:30:00 So it's free to come and get involved. 00:27:30:00 - 00:27:32:24 We would love to have you either in the actual meetings that we have 00:27:32:24 - 00:27:36:22 every week or, asynchronously, we have Slack channels and mailing lists. 00:27:36:22 - 00:27:40:01 We really want this to be an open, industry-led effort. 00:27:40:04 - 00:27:43:20 So please do not hesitate to reach out if you're interested, either directly 00:27:43:20 - 00:27:47:20 to Brian or me or the links that Brian just covered on the last slide. 00:27:47:20 - 00:27:52:00 So I think, with that, we will wrap up our presentation 00:27:52:00 - 00:27:55:09 and move to discussion and questions.