Milestones, Approach and Status

The OSCAL Foundation's FedRAMP Technical Focus Group (TFG) is enabling FedRAMP stakeholders to adopt OSCAL for FedRAMP package deliverables. The following is our plan of work:

Milestones

  • Phase 0: Form Team and Establish Resources [Complete]
  • Phase 1: FedRAMP System Security Plans (SSP) [In Progress]
  • Phase 2: FedRAMP Plan of Action and Milestones (POA&M) [Re-evaluating priority in light of FedRAMP Notice 9 Item #3]
  • Phase 3: FedRAMP Security Assessment Plans and Reports (SAP and SAR)
  • Phase 4: Advanced and Refinement
  • Phase 5: FedRAMP Adjacent Frameworks (GovRAMP, DoD/FedRAMP+, DoD Impact Levels, CMMC and Related Variants)
  • Future: Other Frameworks (PCI CSA, CIS, DSS, SOC 2, ISO-270xx, etc.)

Target Dates

  • March 31: Full Draft SSP
  • April: Socialize with FedRAMP PMO and CSP-AB
  • April 15: Presentation at NIST OSCAL Workshop

Approach

Work within each of the above phases occurs in this sequence:

  1. Define the OSCAL MVP Representation
  2. Address Validation
  3. Communicate Availability
  4. Expand and Refine Representation

Status Log

Last Updated April 8, 2026

  • Form TFG: Complete
  • Establish Patterns Library: Complete
  • Establish GitHub Repository: Complete
  • Migrate prior FedRAMP baselines in OSCAL format to repository: Complete
  • Migrate prior FedRAMP OSCAL SSP work into patterns library: Complete
  • Formulate communication plan: Complete
  • Migrate prior FedRAMP OSCAL SSP example: Complete
  • Formulate Adoption Paths: Complete
  • Review/Refine FedRAMP OSCAL SSP patterns: In Progress
  • Review/Refine FedRAMP OSCAL SSP example: In Progress
  • Draft "Getting Started" content: Next
  • POA&M example and patterns: Next