Automating cybersecurity risk management is a long-term goal across Federal Agencies. With the publication of the latest memo from The White House, Modernizing the Federal Risk and Authorization Management Program (FedRAMP), all Federal Agencies must take massive strides to automate risk management by translating their text-based documentation (e.g., System Security Plans) into Open Security Assessment Language (OSCAL) format by July 2026.

With the deadline less than two years away, what inroads have already been made at VA to prepare for the adoption of OSCAL format?

VA is already established as the federal leader in OSCAL formatted documentation. This calendar year, VA became the first federal agency to submit a FedRAMP-templated OSCAL format System Security Plan (SSP) to GSA, which puts VA at the forefront of the Federal OSCAL conversation and paves the way for other Federal Agencies to achieve this level of maturity.

Our early adoption and testing of OSCAL with luminaries in the field like Dr. Michaela Iorga, with the National Institute of Standards and Technology (NIST), which created the standard, and with the FedRAMP office within GSA prove that we’re not sitting back and watching innovation happen; rather, we’re driving the conversation.

“Submitting the first agency authorization package in OSCAL (to FedRAMP) is a great milestone for the federal government’s security automation and continuous ATO journey, and I personally congratulate the Veterans Affairs team for its pioneering work in streamlining the agency’s risk management process,” said Dr. Michaela Iorga, Director of the OSCAL program at NIST. “The outcome of the hard work and dedication of the VA team is marking the beginning of a new era in cybersecurity for the federal government.”

Benefits of OSCAL

OSCAL is a standardized framework used across the public and private sectors for documenting, sharing, and automating security control information across different technology platforms, using a traceable, machine-readable data format for security information. This standardization unlocks the potential for end-to-end automation and will enable VA to complete the risk management process (i.e., the authorization process) in as little as one day, whereas the current process can take a full calendar year or longer. Formats for OSCAL-templated documents include eXtensible Markup Language (XML), JavaScript Object Notation (JSON), and Yet Another Markup Language (YAML).

A July 25, 2024, Office of Management and Budget (OMB) memo states “Within 24 months of the issuance of this memorandum, agencies shall ensure that agency governance, risk, and compliance and system-inventory tools can ingest and produce machine-readable authorization and continuous monitoring artifacts using OSCAL, or any succeeding protocol as identified by FedRAMP.”

Benefits include:

  • OSCAL enables us to automate the time-consuming and repetitive compliance tasks that are an integral part of risk management. This lets human teams focus on managing real system risks and accelerates the authorization process to the point where VA will be able to achieve an Authority to Operate (ATO) in one day.
  • Once implemented, OSCAL enables enterprises to simplify and streamline the process of managing security controls, assessments, and authorization for information systems. It reduces the need for rework by enabling the reuse of security packages for reference and sharing organizational security baselines across different entities. Additionally, it enables automated checks to identify and resolve errors, gaps, and inconsistencies across packages. OSCAL also enables integration with security tools to drive the continuous monitoring and reporting of a system’s ever-changing risk posture.
  • The machine-readable format of OSCAL-formatted security documents will streamline and automate the publication, implementation, assessment, and authorization of security controls.
  • For many teams, it will replace the traditional approach of writing security plans manually in word processors. It will make the entire process of creating plans and complying with security controls faster, easier, more accurate, and more comprehensive by no longer relying on manual development and manual compliance checks.

As cyber threats to our national security get smarter and more sophisticated every year, now, more than ever, we must be vigilant not to underestimate the threat facing VA, Veterans, their families, caregivers, and survivors. Automating risk management will significantly enhance the government’s security planning, controls, and compliance; strengthen the federal cyber posture; increase efficiency and precision; and decrease risk.

The Business Need

As VA strives to create a seamless, world-class digital experience for employees, Veterans, families, caregivers, and survivors, cybersecurity excellence is a top priority to increase VA’s security preparedness, minimize risk of a major security incident, and strengthen procedures enabling the Department to identify and respond rapidly and decisively to new security threats and incidents.

“Our efforts to evolve automation are essential to advancing cybersecurity capabilities at the speed of innovation. As a leader in federal information security, we constantly mature enterprise security with continuous improvements like OSCAL and through our partnerships across the public and private sector,” says Amber Pearson, Deputy Chief Information Security Officer.

Specifically, business needs we hope to address with OSCAL-based risk management automation are to:

  • Lower the level of effort for system teams needing to update documentation.
  • Bring the latest technology into use for Veterans faster.

Before OSCAL risk management automation, it can take one year to meet all security requirements and get new software and technology deployed at VA medical centers to enhance care for Veterans.

After OSCAL, the time to authorization for a critical, innovative piece of medical technology will drop from a year to a single day.

Before OSCAL risk management automation, system security documentation is a manual process that involves creating and updating documents for each system across the enterprise and doing manual compliance checks against the documents.

After OSCAL, plans will be easy to complete, update, and reuse, and automation will enable more precise checks, so developers and security teams no longer need to perform these tasks manually and can focus on more strategic concerns.

Before OSCAL risk management automation, imagine you’re on your way to work, turning over the same challenge you’ve been thinking about for a while and half-listening to a podcast, when something clicks: the solution to an issue that has been blocking you and your team for months. You get the necessary approvals, acquire the solution, and get the ball rolling, but the authorization process takes many months, and up to a year, to complete before the solution is implemented.

After OSCAL, you’ll be able to deploy that solution the same day, week, or month with the same level of security rigor as what used to take teams months or even years. That’s all thanks to the use of machine-readable, open-standard documentation for systems, which enables teams to securely deploy at the speed of innovation.

VA OSCAL Takeaways for All

By looking at how VA implemented the first federal government OSCAL-formatted security plan, other agencies can find helpful takeaways as they move to the adoption of OSCAL and risk management automation.

In May, VA’s Office of Information Security translated a traditional 426-page text-based System Security Plan into over 23,000 lines of machine-readable JavaScript Object Notation (JSON), aligned with OSCAL data requirements, and submitted it to GSA, becoming the first federal agency to do so.

The intent for VA to develop the government’s first OSCAL security plan was to:

  • See what it takes to translate a security plan to OSCAL and provide lessons learned for VA and other agencies.
  • Show FedRAMP what an agency OSCAL security plan looks like and give FedRAMP a resource and test plan it can use to mature and validate its data schema.

VA’s approach and takeaways from developing the government’s first OSCAL security plan include:

  • We chose this plan for OSCAL because it belongs to a Critical System, the category of systems deemed most essential to the operation of our services and mission.
  • We followed FedRAMP and NIST documentation, leaning on the federally led workshops and NIST leadership when challenges arose.
  • We used the OSCAL JSON file to prove out the OSCAL-CLI (command-line interface) validation software and tools.
  • Our security team went section by section through the existing System Security Plan Word document and translated the system information (points of contact, identifying information, leveraged authorizations for the system), generating universally unique identifiers (UUIDs) for each component and building references so that, for example, a system control is linked to its responsible party, the Information System Security Officer.
  • During the process, we exchanged lessons learned and observations directly with FedRAMP (issues with the implementation guide, suggestions for improvements, and how our team carried out the translation), serving as a test case for what other agencies might encounter so that FedRAMP is aware of issues and can address them proactively.
  • Once the plan is in OSCAL, security plan development and maintenance consist of automated updates to the necessary portions at the component level, with cascading updates across related parts via universally unique identifier (UUID) references.
  • Completing the plan at the beginning of the process got our security team to think more about what OSCAL adoption might look like in practice.
  • After submitting the OSCAL-formatted plan to GSA, we met with the GSA FedRAMP OSCAL team to review and validate according to their documentation.
  • This first OSCAL-formatted document provides a foundation for us to translate other systems to OSCAL and begin testing the efficacy of automated solutions, including validation checks, automatic translators, and automated export and import features.
  • Since April we’ve been active contributors in early adopter workshops that bring together the OSCAL community of interest (GSA, NIST, VA, Department of Defense, and others) to work through FedRAMP OSCAL specifications and methodology. Led by GSA, the workshops are held to iron out the details and share lessons learned on OSCAL translation and implementation.
  • With a pilot effort now under our belt, we are aiming to exceed the White House’s requirements and implement OSCAL across the enterprise over the coming years to meet the OMB deadline and continue to lead Federal Agencies in the adoption and implementation of the latest cybersecurity standards and innovations.
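As an added illustration of the UUID cross-references described in the takeaways above and of the automated consistency checks mentioned under Benefits, here is a constructed, minimal fragment shaped like the OSCAL SSP JSON model (not VA’s plan, and not schema-complete) with a check that every reference resolves; the role id "isso", the party and component names, and the check_references and retire_component helpers are assumptions for this example, not VA or NIST code.

```python
import copy
import uuid

# Constructed minimal OSCAL-style SSP fragment (not VA's plan). Keys follow the
# OSCAL SSP JSON model; the role id "isso" and all names/UUIDs are sample values.
ISSO_PARTY = str(uuid.uuid4())
WEB_COMPONENT = str(uuid.uuid4())
SSP = {"system-security-plan": {
    "uuid": str(uuid.uuid4()),
    "metadata": {
        "title": "Sample SSP (constructed)",
        "roles": [{"id": "isso", "title": "Information System Security Officer"}],
        "parties": [{"uuid": ISSO_PARTY, "type": "person", "name": "Placeholder ISSO"}]},
    "system-implementation": {"components": [{
        "uuid": WEB_COMPONENT, "type": "software", "title": "Web front end",
        "responsible-roles": [{"role-id": "isso", "party-uuids": [ISSO_PARTY]}]}]},
    "control-implementation": {"implemented-requirements": [{
        "uuid": str(uuid.uuid4()), "control-id": "ac-2",
        "by-components": [{"uuid": str(uuid.uuid4()), "component-uuid": WEB_COMPONENT,
                           "description": "Accounts provisioned through the web tier."}]}]}}}

def check_references(doc):
    """Return dangling references (undefined role-ids, party UUIDs, or component
    UUIDs). An empty list means the plan's cross-references are internally consistent."""
    ssp = doc["system-security-plan"]
    roles = {r["id"] for r in ssp["metadata"].get("roles", [])}
    parties = {p["uuid"] for p in ssp["metadata"].get("parties", [])}
    components = {c["uuid"]: c for c in ssp["system-implementation"].get("components", [])}
    problems = []
    for comp in components.values():
        for rr in comp.get("responsible-roles", []):
            if rr["role-id"] not in roles:
                problems.append(f"component {comp['uuid']}: undefined role-id {rr['role-id']}")
            for party in rr.get("party-uuids", []):
                if party not in parties:
                    problems.append(f"component {comp['uuid']}: undefined party {party}")
    for req in ssp["control-implementation"].get("implemented-requirements", []):
        for bc in req.get("by-components", []):
            if bc["component-uuid"] not in components:
                problems.append(f"{req['control-id']}: by-component references "
                                f"unknown component {bc['component-uuid']}")
    return problems

def retire_component(doc, component_uuid):
    """Copy the plan with one component removed (a decommissioned system part)."""
    new_doc = copy.deepcopy(doc)
    impl = new_doc["system-security-plan"]["system-implementation"]
    impl["components"] = [c for c in impl["components"] if c["uuid"] != component_uuid]
    return new_doc
```

Removing a component without updating the control statements that point at it is exactly the inconsistency the check catches, which is what makes component-level updates safe to automate.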

Expanding OSCAL Enterprise-Wide

We are now looking at how to expand OSCAL and make it really pay off in our environment, approaching the development of the technical capability by:

  • Working with internal developers to mature our current governance, risk, and compliance tool with the capability to export and ingest system documents in FedRAMP and NIST-templated OSCAL formats.
  • Conducting pilots and proof of concepts to understand the full scope of industry OSCAL-oriented solutions available to large federal agencies and what is on the timeline for those vendors.
  • Continuing to collaborate with FedRAMP to recommend improvements to FedRAMP guidance, to workshop findings from FedRAMP’s validation of the VA OIS OSCAL System Security Plan, and to introduce VA to additional leaders in the OSCAL space (e.g., DOD, Cloud Service Providers, and Cybersecurity Solution Vendors).

Where can we learn more about OSCAL?

FedRAMP and NIST both maintain GitHub repositories with educational materials, guidance, and tools for learning more about OSCAL and how system stakeholders can begin to translate their systems.
