The National Institute of Standards and Technology (NIST) has developed the Open Security Controls Assessment Language (OSCAL) to provide security control related information in a machine-readable format. This new standard allows for a data-centric approach to compliance that is integrated, extensible, and automated. At C2 Labs, we are trusted DevSecOps experts that help our clients automate everything. As automation experts, we were excited by NIST's vision for security compliance automation and wanted to be an early adopter of the OSCAL standard.
Continuing on our previous OSCAL proof of concept, we have now successfully loaded NIST 800-53 Rev 4 (a pre-requisite for FedRAMP) along with the following FedRAMP profiles based on artifacts from the OSCAL repository on GitHub:
- NIST 800-53 Revision 4, full Catalog of Controls
- High Baseline
- Moderate Baseline
- Low Baseline
- FedRAMP High Baseline
- FedRAMP Moderate Baseline
- FedRAMP Low Baseline
- FedRAMP Low Impact - SaaS Baseline
This integration allows Cloud Service Providers (CSPs) to easily create new Information System Security Plans (ISSPs) based off FedRAMP baselines using our automated and free compliance platform. Best of all, there was no copying and pasting or manual data entry; just pure machine to machine translation between the OSCAL JSON files and the Atlasity APIs (for example Python integration code, see our Open Source Atlasify GitHub Repository).
In addition, we published some derived artifacts of flattened JSON that contain normalized control information and aligned them to the published NIST baselines. If you are a beginner and the NIST OSCAL seems a bit intimidating, the flattened JSON files should give you a more approachable data set to parse and integrate.
While we are excited about adding FedRAMP support, we know that it is just the beginning of the ATLASITY, FedRAMP, and OSCAL journey. NIST continues to innovate on the OSCAL standard and we plan to continue our integration with future Security Assessment Plans (SAPs), Security Assessment Reports (SARs), and other OSCAL models as they are finalized. In addition, future versions of Atlasity will allow you to export your ISSP in OSCAL format allowing for a streamlined and automated FedRAMP review that should save CSPs both time and money.
Contact Us today to learn more about how C2 Labs can help your CSP meet the FedRAMP requirements leveraging the new OSCAL standard. If you are ready to save time and money in getting your FedRAMP authorization, schedule a free demo today to discover how you can join our Atlasity Open BETA program to free your organization from bureaucracy by simplifying compliance.