Skip to main content

Milestones, Approach and Status

The OSCAL Foundation's FedRAMP Technical Focus Group (TFG) is enabling FedRAMP stakeholders to adopt OSCAL for FedRAMP package deliverables. The following is our plan of work:

Milestones

  • Phase 0: Form Team and Establish Resources [Complete]
  • Phase 1 MVP: FedRAMP System Security Plans (SSP) [In Progress]
  • Phase 2 MVP: FedRAMP Plan of Action and Milestones (POA&M) [Next]
  • Phase 3 MVP: FedRAMP Security Assessment Plans and Reports (SAP and SAR)
  • Phase 4: Non-MVP TopicsAdvanced and Refinement of MVP Topic
  • Phase 5: FedRAMP Adjacent Frameworks (GovRAMP, DoD/FedRAMP+, DoD Impact Levels, CMMC and Related VariantsVariants)
  • Future:: Other Frameworks:Frameworks (PCI CSA, CIS, DSS, SOC 2, ISO-270xx, etc.)

Target Dates

  • March 15:31: Full Draft MVP SSP
  • April: Socialize with FedRAMP PMO and CSP-AB
  • April 15: Presentation at NIST OSCAL Workshop

Approach

Work within each of the above phases occurs in this sequence:

  1. Define the OSCAL MVP Representation
  2. Address Validation:
  3. Communicate Availability
  4. Expand and Refine Representation

Status Log

Last Updated April 8, 2026

  • Form TFG: Complete
  • Establish Patterns Library: Complete
  • Establish GitHub Repository: Complete
  • Migrate prior FedRAMP baselines in OSCAL format to repository: Complete
  • Migrate prior FedRAMP OSCAL SSP work into patterns library: Complete
  • Formulate communication plan: Complete
  • Migrate prior FedRAMP OSCAL SSP example: Complete
  • Formulate Adoption Paths: Complete
  • Review/Refine FedRAMP OSCAl SSP patterns: In Progress
  • Review/Refine FedRAMP OSCAL SSP example: In Progress
  • Draft "Getting Started" content: Next
  • POA&M example and patterns: Next
Back to top