Milestones, Approach and Status
The OSCAL Foundation's FedRAMP Technical Focus Group (TFG) is enabling FedRAMP stakeholders to adopt OSCAL for FedRAMP package deliverables. The following is our plan of work:
Milestones
- Phase 0 Form Team and Establish Resources [Complete]
- Phase 1 MVP FedRAMP System Security Plans (SSP) [In Progress]
- Phase 2 MVP FedRAMP Plan of Action and Milestones (POA&M) [Next]
- Phase 3 MVP FedRAMP Security Assessment Plans and Reports (SAP and SAR)
- Phase 4 Non-MVP Topics and Refinement of MVP Topic
- Phase 5 GovRAMP, DoD/FedRAMP+, DoD Impact Levels, CMMC and Related Variants
- Other Frameworks: PCI CSA, CIS, DSS, SOC 2, ISO-270xx, etc.
Target Dates
- March 15: Full Draft MVP SSP
- April: Socialize with FedRAMP PMO and CSP-AB
- April 15: Presentation at NIST OSCAL Workshop
Approach
Work within each of the above phases occurs in this sequence:
- Define the OSCAL MVP Representation
- Address Validation:
- Communicate Availability
- Expand and Refine Representation
Status Log
Last Updated April 8, 2026
- Form TFG: Complete
- Establish Patterns Library: Complete
- Establish GitHub Repository: Complete
- Migrate prior FedRAMP baselines in OSCAL format to repository: Complete
- Migrate prior FedRAMP OSCAL SSP work into patterns library: Complete
- Formulate communication plan: Complete
- Migrate prior FedRAMP OSCAL SSP example: Complete
- Formulate Adoption Paths: Complete
- Review/Refine FedRAMP OSCAl SSP patterns: In Progress
- Review/Refine FedRAMP OSCAL SSP example: In Progress
- Draft "Getting Started" content: Next
- POA&M example and patterns: Next