The case for FedRAMP to adopt a common OSCAL API Specification

The Federal Risk and Authorization Management Program (FedRAMP) program management office (PMO) recently published a request for quote (RFQ) for a governance, risk and compliance (GRC) solution that is intended to implement OSCAL (Open Security Controls Assessment Language) and facilitate compliance activities with cloud vendors. This approach creates tremendous opportunity, but it also poses challenges for the wider adoption of OSCAL and deserves careful consideration, because FedRAMP plays a crucial role in the adoption of the OSCAL standard.

Challenge 1: Enhancing OSCAL’s Communication Capabilities

OSCAL is a NIST standard for expressing cybersecurity information at all phases of the compliance lifecycle. However, the current version of OSCAL does not define a mechanism for exchanging that information between tools or organizations. As a result, OSCAL payloads are exchanged manually, which slows down the process and hinders the automation needed for adjudication and continuous monitoring. To address this, there is an urgent need for an industry-wide standard protocol for OSCAL data exchange that improves efficiency and interoperability and connects governance within and across organizations.

Challenge 2: Avoiding Vendor Lock-In with FedRAMP’s API Strategy

FedRAMP has already taken the important step of identifying the need for an API; however, its current intention to seek a GRC solution with an implemented API risks vendor lock-in to a proprietary solution that may hinder wider adoption of the OSCAL standard. As FedRAMP sets the tone for compliance automation across government, its decisions will have far-reaching implications. Ensuring FedRAMP’s API strategy promotes openness and flexibility while avoiding dependency on single vendors is critical to compliance automation success across the Federal government.

Challenge 3: Aligning with National Cybersecurity Goals

With the final rule for the Cybersecurity Maturity Model Certification (CMMC) now available and the National Cybersecurity Strategy listing regulatory harmonization as a top priority, there is a need to improve cybersecurity compliance oversight at scale. The FedRAMP PMO should consider incorporating a publicly available, open API standard into a larger strategic initiative. Such an initiative would not only support compliance automation based on the OSCAL standard but also advance the integration of governance across organizations, promoting a unified approach to cybersecurity compliance and strengthening the collective defense posture through true “connected governance”.

Recommendations

FedRAMP must evolve its strategies to stay ahead. Recognizing the limitations in the current utilization of OSCAL, we propose a series of enhancements aimed at developing a standardized, vendor-neutral API framework. Our recommendations are designed to enhance OSCAL’s utility, promote efficient adoption across organizations, and ensure alignment with national cybersecurity goals. The FedRAMP PMO should evaluate options for an API within the context of broader utility and adoption of the OSCAL standard. Our specific guidance:

  1. Develop or adopt an API standard with open licensing or in the public domain: Propose or evangelize a standard API framework for OSCAL data exchange, ideally based on Representational State Transfer (REST) API principles. REST is an API architectural style that provides a standardized way for web services to communicate with each other over the Internet or within an organization’s intranet. RESTful APIs have become increasingly popular due to their simplicity, scalability, and flexibility.

    Using a RESTful architecture for the OSCAL information exchange API framework provides several benefits. It allows for easy integration with other systems and applications, as RESTful APIs are designed to be simple and intuitive to use. Additionally, RESTful APIs are platform-independent, which means they can be accessed from any programming language or operating system.

    This framework should be vendor-neutral and designed to facilitate easy integration, so that organizations can adopt it without the risk of vendor lock-in. Because the OSCAL documents exchanged (system security plans, assessment results, plans of action and milestones) describe a system’s controls and known weaknesses, the specification should also define authentication, authorization and payload-integrity requirements rather than leaving them to each implementer.
  2. Promote Collaborative Development: As was done for OSCAL itself, FedRAMP should partner with NIST and take a collaborative approach to the API’s development, involving key stakeholders from government, industry and academia. This ensures the API meets a broad set of needs and supports a wide range of use cases.
  3. Ensure Scalability and Flexibility: Design the API to be scalable and flexible, accommodating future changes in compliance requirements and technology, so that it remains relevant and useful over time. While FedRAMP works to satisfy its own requirements, a larger initiative, CMMC, is poised to take on nearly 300K organizations within the defense industrial base (DIB). If it is developed with flexibility and scalability in mind, FedRAMP’s transition to machine-readable formats can have significant and broader positive impacts for national security.
  4. Advocate for Open Standards and Interoperability: Emphasize open standards and interoperability in the API’s design. FedRAMP should partner with NIST to develop the API specification and support NIST’s long-term maintenance of it. This will facilitate wider adoption and foster an environment of innovation and continuous improvement.
  5. Align with National Cybersecurity Initiatives: Ensure that the API strategy aligns with broader national cybersecurity initiatives and frameworks. This alignment will help regulatory harmonization efforts and amplify the impact of improved compliance and governance practices.

To make substantial progress towards its mission and align with national needs, the FedRAMP program must take action to address these challenges and incorporate the recommended enhancements. It is essential to promote the adoption of machine-readable OSCAL data formats, eliminate vendor lock-in, and align API strategies with the broader national need for harmonized cybersecurity regulations. Failure to do so could result in unnecessary delays and setbacks, hindering the program’s ability to achieve its goals.

We believe strongly in the need for an open REST API standard. With this in mind, we have drafted an open-source REST API standard for the FedRAMP PMO and the compliance automation community to consider. Whether they adopt this standard or another, NIST and the FedRAMP PMO should require that the standard be vendor-neutral, open-source or public domain, OSCAL-aligned, and cover the entire compliance life-cycle.
