Milestones, Approach and Status
The OSCAL Foundation's FedRAMP Technical Focus Group (TFG) is enabling FedRAMP stakeholders to adopt OSCAL for FedRAMP package deliverables. The following is our plan of work:
Milestones
- Phase 0 Establish Resources and Form Team [Complete]
- Phase 1 MVP FedRAMP System Security Plans (SSP) [In Progress]
- Phase 2 MVP FedRAMP Plan of Action and Milestones (POA&M) [Next]
- Phase 3 MVP FedRAMP Security Assessment Plans and Reports (SAP and SAR)
- Phase 4 Non-MVP Topics and Refinement of MVP Topic
- Phase 5 GovRAMP, DoD/FedRAMP+, DoD Impact Levels, CMMC and Related Variants
Target Dates
- March
31:15: Full Draft MVP SSPand POA&M Representation - April: Socialize with FedRAMP PMO and CSP-AB
- April
16 (tentative):15: Presentation at NIST OSCAL Workshop
Approach
Work within each of the above phases occurs in this sequence:
- Define the OSCAL MVP Representation
- Address Validation:
- Communicate Availability
- Expand and Refine Representation
Status Log
Last Updated MarchApril 4,8, 2026
- Form TFG: Complete
- Establish Patterns Library: Complete
- Establish GitHub Repository: Complete
- Migrate prior FedRAMP baselines in OSCAL format to repository: Complete
- Migrate prior FedRAMP OSCAL SSP work into patterns library: Complete
- Formulate communication plan:
In ProgressComplete - Migrate prior FedRAMP OSCAL SSP example: Complete
- Formulate Adoption Paths: Complete
- Review/Refine FedRAMP OSCAl SSP patterns: In Progress
- Review/Refine FedRAMP OSCAL SSP example: In Progress
- Draft "
Executive Summary" and "Getting Started" content: Next - POA&M example and patterns: Next