The new OMB memo introduces major updates:
- Mandate on OSCAL: FedRAMP now requires using NIST’s OSCAL for machine-readable data. Agencies must be able to produce, accept, and submit materials in this format.
- Artifact Submission: All authorization and continuous monitoring artifacts must be submitted as machine-readable data via APIs.
Surprise for Federal Agencies: OMB’s Presumption of Adequacy mandates acceptance of FedRAMP authorizations and requires OSCAL use in compliance programs. Agencies must provide authorization materials to the FedRAMP PMO in OSCAL and ensure their GRC tools can handle OSCAL data.
CSPs and Federal Agencies will now need to migrate to OSCAL-native tools.
Here is what CSPs and Federal Agencies should look for in GRC tools:
- OSCAL Compatibility: Ensure the tool can produce, transmit, and ingest OSCAL files, including SSP, SAP, SAR, and POA&Ms.
- Automation Capabilities: Look for tools that automate workflows and support data sets, custom rules, and email notifications.
- Integration: The tool should integrate seamlessly with FedRAMP’s repository and other agency GRC systems.
- Flexibility: Choose tools that can adapt to frequent updates in OSCAL frameworks and profiles.
- Usability: Ensure the tool can generate both machine-readable and printable documents for manual reviews.