09 ADVANCED

FedRAMP automation (OSCAL)

End-to-end FedRAMP pipeline: SSP generation, automated assessment, POA&M tracking — all OSCAL.

Overview

Complete FedRAMP documentation lifecycle as code. Starting from infrastructure state and control implementation data, the pipeline generates a compliant OSCAL System Security Plan, runs an automated assessment, produces an Assessment Report, and creates and tracks a POA&M.

Implementation

Infrastructure inventory → OSCAL SSP with all 325 Moderate controls documented → automated assessment runners evaluate each control → OSCAL SAR generated with findings → POA&M items created for each failed control, with target dates → continuous ATO workflow with scheduled monthly re-assessment.
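The SAR-to-POA&M step of the pipeline above, as an added example that is not the project's code: it walks an OSCAL assessment-results document, keeps the not-satisfied findings, and emits one POA&M item per failure with a target date and a link back to the finding. The severity-to-remediation-window table, the `severity` and `scheduled-completion-date` prop names, and the sample SAR are assumptions constructed for the example.

```python
# Added example, not the project's code: derive POA&M items from the not-satisfied
# findings of an OSCAL assessment-results (SAR) document. JSON shapes follow the
# OSCAL 1.x models as used here; the severity windows and prop names are ASSUMED.
import uuid
from datetime import date, timedelta

REMEDIATION_WINDOW_DAYS = {"high": 30, "moderate": 90, "low": 180}  # assumed policy

# Constructed SAR fragment: one satisfied and one not-satisfied finding.
SAMPLE_SAR = {"assessment-results": {"results": [{"findings": [
    {"uuid": "f-0001", "title": "AC-2", "description": "Account management verified",
     "target": {"type": "objective-id", "target-id": "ac-2_obj",
                "status": {"state": "satisfied"}}},
    {"uuid": "f-0002", "title": "AU-6", "description": "Audit review evidence missing",
     "props": [{"name": "severity", "value": "high"}],
     "target": {"type": "objective-id", "target-id": "au-6_obj",
                "status": {"state": "not-satisfied"}}},
]}]}}


def not_satisfied_findings(sar):
    """Walk assessment-results -> results -> findings; keep failures only."""
    return [f for r in sar["assessment-results"]["results"]
            for f in r.get("findings", [])
            if f.get("target", {}).get("status", {}).get("state") == "not-satisfied"]


def severity_of(finding):
    """Severity from a finding prop; default to moderate when none is recorded."""
    return next((p["value"] for p in finding.get("props", [])
                 if p.get("name") == "severity"), "moderate")


def build_poam(sar, assessed_on):
    """One poam-item per failing finding, due assessed_on (ISO date) + window."""
    items = []
    for f in not_satisfied_findings(sar):
        sev = severity_of(f)
        due = date.fromisoformat(assessed_on) + timedelta(days=REMEDIATION_WINDOW_DAYS[sev])
        items.append({
            "uuid": str(uuid.uuid4()), "title": f["title"], "description": f["description"],
            "props": [{"name": "severity", "value": sev},
                      {"name": "scheduled-completion-date", "value": due.isoformat()}],
            "related-findings": [{"finding-uuid": f["uuid"]}],  # traceability to the SAR
        })
    return {"plan-of-action-and-milestones": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "POA&M", "version": "1", "oscal-version": "1.1.2",
                     "last-modified": assessed_on + "T00:00:00Z"},
        "poam-items": items}}
```

Running `build_poam(SAMPLE_SAR, "2025-01-15")` yields a single item for AU-6 due 2025-02-14; the satisfied AC-2 finding produces nothing, which is the property a monthly re-assessment relies on to keep the POA&M limited to open failures.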

Terminal output
fedramp-automation-oscal.py
[Pipeline] FedRAMP Moderate · rev5
Stage 1: Generate SSP
  ✓ 325 controls documented
  ✓ OSCAL SSP v1.1.2 generated
Stage 2: Automated assessment
  ✓ 301 controls SATISFIED
  ✗ 24 controls NOT SATISFIED
Stage 3: Generate artifacts
  ✓ OSCAL SAR generated
  ✓ POA&M: 24 items created
Artifacts → s3://fedramp-artifacts/
Stack
OSCAL · Python · Terraform · GitHub Actions
Source code

Full implementation, tests, and documentation available on GitHub.
