Milestones, Approach and Status
The OSCAL Foundation's FedRAMP Technical Focus Group (TFG) is enabling FedRAMP stakeholders to adopt OSCAL for FedRAMP package deliverables. The following is our plan of work:
Milestones
- Phase 0 Establish Resources and Form Team [Complete]
- Phase 1 MVP FedRAMP System Security Plans (SSP) [In Progress]
- Phase 2 MVP FedRAMP Plan of Action and Milestones (POA&M) [Next]
- Phase 3 MVP FedRAMP Security Assessment Plans and Reports (SAP and SAR)
- Phase 4 Non-MVP Topics and Refinement of MVP Topic
Target Dates
- March 31: Full Draft MVP SSP and POA&M Representation
- April: Socialize with FedRAMP PMO
- April 16 (tentative): Presentation at NIST OSCAL Workshop
Approach
Work within each of the above phases occurs in this sequence:
- Define the OSCAL MVP Representation
- Address Validation:
- Communicate Availability
- Expand and Refine Representation
Status Log
Last Updated March 4, 2026
- Form TFG: Complete
- Establish Patterns Library: Complete
- Establish GitHub Repository: Complete
- Migrate prior FedRAMP baselines in OSCAL format to repository: Complete
- Migrate prior FedRAMP OSCAL SSP work into patterns library: Complete
- Formulate communication plan: In Progress
- Migrate prior FedRAMP OSCAL SSP example: Complete
- Review/Refine FedRAMP OSCAl SSP patterns: In Progress
- Review/Refine FedRAMP OSCAL SSP example: In Progress
- Draft "Executive Summary" and "Getting Started" content: Next
- POA&M example and patterns: Next