Milestones, Approach and Status

The OSCAL Foundation's FedRAMP Technical Focus Group (TFG) is enabling FedRAMP stakeholders to adopt OSCAL for FedRAMP package deliverables. The following is our plan of work: 
 Milestones 
 
 Phase 0 : Form Team and Establish Resources [ Complete ] 
 Phase 1 : FedRAMP System Security Plans (SSP) [ In Progress ] 
 Phase 2 : FedRAMP Plan of Action and Milestones (POA&M) [ Re-evaluating priority in light FedRAMP Notice 9 Item #3 ] 
 Phase 3 : FedRAMP Security Assessment Plans and Reports (SAP and SAR) 
 Phase 4 : Advanced and Refinement 
 Phase 5 : FedRAMP Adjacent Frameworks (GovRAMP, DoD/FedRAMP+, DoD Impact Levels, CMMC and Related Variants) 
 Future :: Other Frameworks (PCI CSA, CIS, DSS, SOC 2, ISO-270xx, etc.) 
 
 Target Dates 
 
 March 31: Full Draft SSP 
 April: Socialize with FedRAMP PMO and CSP-AB 
 April 15: Presentation at NIST OSCAL Workshop 
 
 Approach 
 Work within each of the above phases occurs in this sequence: 
 
 Define the OSCAL MVP Representation 
 Address Validation : 
 Communicate Availability 
 Expand and Refine Representation 
 
 Status Log 
 Last Updated April 8, 2026 
 
 Form TFG: Complete 
 Establish Patterns Library: Complete 
 Establish GitHub Repository: Complete 
 Migrate prior FedRAMP baselines in OSCAL format to repository: Complete 
 Migrate prior FedRAMP OSCAL SSP work into patterns library: Complete 
 Formulate communication plan: Complete 
 Migrate prior FedRAMP OSCAL SSP example: Complete 
 Formulate Adoption Paths: Complete 
 Review/Refine FedRAMP OSCAl SSP patterns: In Progress 
 Review/Refine FedRAMP OSCAL SSP example: In Progress 
 Draft "Getting Started" content: Next 
 POA&M example and patterns: Next