[ ] the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
[ ] the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
[ ] the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
[ ] the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
[ ] the FedRAMP SSP OSCAL Template (JSON or XML Format)
[ ] the FedRAMP SAP OSCAL Template (JSON or XML Format)
[ ] the FedRAMP SAR OSCAL Template (JSON or XML Format)
[ ] the FedRAMP POA&M OSCAL Template (JSON or XML Format)
[ ] the FedRAMP OSCAL Validations
What is your feedback?
It is unclear to me and those who I've spoke with on this subject how OSCAL saves time on PMO package reviews. I understand there are some efficiency gains (eliminating redundancies, formatting, and incompleteness) but it's not been quantified and it's not clear if it saves time elsewhere.
Does the FedRAMP PMO prioritize OSCAL-submitted packages (i.e. do they get to jump to the front of the review queue) and save 3-4 months of sitting in a queue?
If it is still a first-in-first-out queue for all packages (OSCAL included), are you able to estimate the time-savings? For example how long would it typically take a reviewer to validate the completeness of a package?
What is the FedRAMP PMO's take on how OSCAL is received by Agencies in lieu of a traditional package?
Can an OSCAL SSP be submitted, but the resulting SAP/SAR/POA&M be in the traditional format if preferred or required by Agencies and 3PAO?
Where, exactly?
I would expect the readme to describe value proposition and quantifiable benefits if possible
Other information
Allowing OSCAL packages to skip to the front of the line saving several months of PMO review would greatly increase the number of interested CSPs and 3PAOs.
This is a ...
question - need to understand something
This relates to ...
What is your feedback?
It is unclear to me and those who I've spoke with on this subject how OSCAL saves time on PMO package reviews. I understand there are some efficiency gains (eliminating redundancies, formatting, and incompleteness) but it's not been quantified and it's not clear if it saves time elsewhere.
Where, exactly?
I would expect the readme to describe value proposition and quantifiable benefits if possible
Other information
Allowing OSCAL packages to skip to the front of the line saving several months of PMO review would greatly increase the number of interested CSPs and 3PAOs.