FedRAMP Accelerated.

Automation is the key to faster authorization

FedRAMP is rapidly transforming to a digital model for submitting authorization information. Everything must be machine generated and machine readable.

DRTConfidence helps CSPs meet all the emerging FedRAMP requirements, expeditiously and completely.

FedRAMP is Modernizing at a Fast Pace

FedRAMP has remained laser focused on delivery: eliminating the traditional Rev5 backlog and reducing final review time to under 30 days, developing a model with an automation-based assessment process using key security indicators, and adopting machine-generated and machine-readable submissions.

GSA announces the development of FedRAMP 20x, a new assessment and authorization path based on the authority and goals set forth in the FedRAMP Authorization Act and M-24-15. This program is designed for CSPs that are beginning their journey of getting FedRAMP authorized.

Rev5 FedRAMP Certified cloud service offerings can produce modern, validated authorization data with machine-generated telemetry leveraging OSCAL that agencies can automatically consume to make both initial and ongoing authorization decisions.

The Open Security Controls Assessment Language (OSCAL) is a NIST-led initiative developed in collaboration with industry to modernize and automate the processes of security and compliance. By supporting automation, OSCAL dramatically reduces audit durations from months to minutes, minimizes human error, and accelerates compliance with evolving regulations.

Why OSCAL is Important

Global Standard

The National Institute of Standards and Technology (NIST) has developed the OSCAL standard to address machine-readable security assessments and authorization. This standard is being adopted globally by many security accreditation organizations.

FedRAMP has provided extensions to this standard to meet US Federal Government requirements.

Interoperability

As OSCAL adoption grows, it will allow security accreditation information to be exchanged and consumed by many stakeholders in a standardized manner.

This improves interoperability and eases migration to other OSCAL-based platforms, avoiding vendor lock-in.

Avoid Rework

Adoption of any vendor-specific data formats that are not defined by a global standards body will likely result in vendor lock-in and potential rework in the future to migrate to a global standard.

This rework can cause loss of accreditation and additional costs.

Better Quality

A structured data format like OSCAL improves the data integrity and hence the quality of the documentation that is being submitted to authorizing officials.

While this requires technical integration, it will significantly reduce human labor and improve turnaround time.

Continuous Monitoring

Machine-generated and machine-readable deterministic data sets allow for an effortless Continuous Monitoring framework to ensure accreditations are not at risk.

This significantly reduces manual effort and secures the accreditation.

Faster Reviews

A standardized and higher quality data set that is machine readable allows for a significant number of review steps to be automated.

This allows for a faster and more meaningful review of the accreditation information.

Our Success Story

We teamed up with DNAnexus (CSP) and Schellman (3PAO) to successfully deliver the first annual authorization package in OSCAL format to FedRAMP. The submission passed all the validations without errors or exceptions in the reported artifacts.

“DRTConfidence was easily able to convert our SSP in the OSCAL structured data format.”
Loren Buhle, Vice President of Risk, Quality, and Compliance for DNAnexus

“Managing 300-400+ controls, vulnerability data, and findings in spreadsheets and Word documents has been the persistent challenge of managing FedRAMP assessments and the multiple interlinked documents. The benefits of OSCAL’s machine-readable format start with quality checks and give all parties insight into the state of an organization’s risks and control implementations.”

Doug Barbin, Managing Principal and Chief Growth Officer at Schellman

Upcoming Deadlines

April 15th 2026

FedRAMP will finalize all requirements as per RFC0024, and these will go into effect immediately for all CSPs and 3PAOs that are working with NIST 800-53 rev5 based authorization packages.

September 30th 2026

Requirements for adopting machine-readable authorization packages take effect; failure to meet these requirements by this date will result in public notification that the provider has failed to meet this requirement and is pending revocation of FedRAMP Certification.

September 30th 2027

Revocation of FedRAMP Certification, requiring a completely new initial authorization that meets all FedRAMP requirements for new assessments and authorizations at that time.

Achieve Upcoming Deadlines

Cloud Service Providers

  • Convert your existing documents into OSCAL
  • Leverage APIs to update telemetry information
  • Validate the documentation to ensure it meets all FedRAMP requirements
  • Publish and archive a trial submission
  • Make your first machine-readable submission to FedRAMP

 

30 Days from Start

Third Party Assessment Organizations

  • Import the OSCAL-based SSP from your customer
  • Develop assessment plans in OSCAL
  • Initiate SARs by referencing the OSCAL SSP
  • Validate the SAP and SAR to ensure they meet all FedRAMP requirements
  • Publish and archive a trial submission
  • Make your first machine-readable submission to FedRAMP

60 Days from Start

Avoid the last-minute rush to meet FedRAMP deadlines.