Developing software to support any federal agency’s mission is a multi-faceted task today.  Cyber threats, development complexity, and meeting operational mission requirements including security boundary continuous monitoring, is growing in complexity and resources.  Additionally, achieving  or maintaining an authorization to operation (ATO) remains a resource intensive task, burdened by very manual RMF processes and systems that don’t provide their security posture without human interaction.  

Enter OSCAL, the Open Security Controls Assessment Language, a potentially major leap forward for all of us focused on getting and maintaining system ATOs. When we look at the obstacles that make the RMF process “crippling” and what needs to happen to automate its major components, a shared language for authorization systems to communicate seems an absolute must. OSCAL is that language. It is standard of standards which puts OSCAL at the top of proprietary and open source languages  

What is OSCAL? (And why does it matter?) 

First released in June of 2021, OSCAL is a set of formats expressed in XML, JSON, and YAML that act as a way for the disparate systems that are used in the RMF process to communicate. Described as a “Rosetta Stone” by NIST, as it serves as a translation engine for proprietary protocols and machine languages. Developed through an open, crowdsource-like, community- based approach, iIt holds the potential to reduce complexity through standards, and ”neither the system owners or assessors nor the adjudicating officials need to learn …or even ‘see’ it” according to NIST.  

An open, shared RMF language would benefit anyone using the RMF process in several different ways. First, a language such as OSCAL by its nature supports a data-driven approach to RMF. We are huge proponents of this as data-driven moves your organization away from human generated documents (e.g. System Security Plans, POA&Ms…)  and manual processes. This also means faster documentation reviews and in turn, faster time to ATO. Second, it reduces the complexity of RMF, especially for cloud service providers and portfolio of systems owners. Complexity is increasing, driven by cloud adoption, making assessing risk more and more disjointed. Lastly, because OSCAL supports multiple frameworks, it offers immense flexibility and speed as implementation standards and control frameworks evolve to address changing technology and threats.   

How will OSCAL benefit my program? 

OSCAL is being introduced by NIST support the NIST 800-53 control catalogs and FedRAMP and CNSS 1253 baseline/Overlay profiles, where many commercial cloud service providers and portfolio executives have a pressing need for a tool with OSCAL capability. However, it’s adoption across the federal government isn’t guaranteed, although more likely it’s not a matter of “if” but of “when”. The support it has from NIST and the open nature of its development means that traction is likely and therefore leaders with security responsibilities can’t ignore it. All federal program managers should be watching closely as its implications are relatively far reaching.  

In the short-term, the benefits are clear for commercial software developers wanting to reduce the RMF process timeline and abstract its security complexity for their systems. However, we at IPKeys think it will clearly benefit many agency and DoD system owners as well. As you’re thinking ahead to the implications of OSCAL, consider these three questions:  

1. Can you drive automation in your RMF processes without a common language such as OSCAL? It is possible, but the amount of development effort will be challenging and the lack of a standard simply adds cost and time to sharing data and information across systems and tools.  

2. What does my timeline look like with and without OSCAL? As other programs begin to leverage OSCAL, the reduction in time to ATO will be significant. While understanding the full benefit of OSCAL requires implementation to receive the beneficial outcomes, contemplating even modest reduction in the your security timeline will allow you to pull more requirements in to your current plans.  

3. Are your partners planning to integrate OSCAL into their existing components? At IPKeys, we see OSCAL as a tremendous enabler for our CLaaS platform, which already marks a huge advancement towards RMF automation. A more data driven approach yields deeper insights and we’re working to integrate OSCAL into our programs now.   

Conclusion 

OSCAL isn’t a silver bullet for RMF automation, but it will likely become a key building block in helping organizations get to and maintain their ATOs and security posture quickly and efficiently. We think it’s a massive and needed step forward for RMF. As you look to industry partners for tools that help you get to an ATO, ensure they are contemplating OSCAL in their plans and that you’ll be able to take full advantage of the technology when it arrives.