09
ADVANCED
FedRAMP automation (OSCAL)
End-to-end FedRAMP pipeline: SSP generation, automated assessment, POA&M tracking — all OSCAL.
Overview
Complete FedRAMP documentation lifecycle as code. Starting from infrastructure state and control implementation data, the pipeline generates a compliant OSCAL System Security Plan, runs an automated assessment, produces an Assessment Report, and creates and tracks a POA&M.
Implementation
Infrastructure inventory → OSCAL SSP with all 325 Moderate controls documented → automated assessment runners evaluate each control → OSCAL SAR generated with one finding per control → POA&M items created for each failed control, with target completion dates → continuous ATO workflow with scheduled monthly re-assessment.
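The three stages, as an added Python sketch that is not the project's code: a constructed inventory stands in for Terraform state, a handful of constructed per-control predicates stand in for the assessment runners, and each stage links back to the previous one by UUID (finding → implemented requirement, POA&M item → finding) the way OSCAL expects. Field names follow the OSCAL 1.1.2 JSON models, but the profile href, the assessment-plan reference and the `scheduled-completion-date` prop are placeholders, and required SSP fields such as `system-characteristics` are omitted, so the output is illustrative rather than schema-valid. A control with no runner is reported as not-satisfied rather than skipped, which is the failure mode to watch for in a pipeline that claims full coverage.

```python
"""Added example (not the project's code): minimal OSCAL SSP -> SAR -> POA&M pipeline.
Field names follow OSCAL 1.1.2, but required fields are omitted and hrefs are placeholders."""
import json
import uuid
from datetime import datetime, timedelta, timezone

OSCAL_VERSION = "1.1.2"
PROFILE_HREF = "https://example.invalid/fedramp-moderate-rev5-profile.json"  # placeholder href

# Constructed stand-in for Terraform state: two components with a few attributes.
INVENTORY = [
    {"name": "app-server", "type": "service", "encryption_at_rest": True, "mfa": True},
    {"name": "db", "type": "service", "encryption_at_rest": False, "mfa": True},
]
# Controls the SSP must document; ir-4 deliberately has no automated check.
CONTROL_IDS = ["ac-2", "au-2", "ir-4", "sc-28"]
# Constructed assessment runners: one predicate over the inventory per control id.
CHECKS = {
    "ac-2": lambda inv: all(c["mfa"] for c in inv),
    "au-2": lambda inv: True,
    "sc-28": lambda inv: all(c["encryption_at_rest"] for c in inv),
}


def _meta(title, now):
    return {"title": title, "last-modified": now.isoformat(),
            "version": "1.0.0", "oscal-version": OSCAL_VERSION}


def build_ssp(inventory, control_ids, now):
    """Stage 1: inventory -> SSP with one implemented-requirement per control."""
    components = [
        {"uuid": str(uuid.uuid4()), "type": item["type"], "title": item["name"],
         "description": f"Inventory item {item['name']}", "status": {"state": "operational"}}
        for item in inventory]
    implemented = [
        {"uuid": str(uuid.uuid4()), "control-id": cid,
         "by-components": [{"uuid": str(uuid.uuid4()), "component-uuid": c["uuid"],
                            "description": f"{cid} is implemented by {c['title']}"}
                           for c in components]}
        for cid in control_ids]
    return {"system-security-plan": {
        "uuid": str(uuid.uuid4()), "metadata": _meta("Example SSP", now),
        "import-profile": {"href": PROFILE_HREF},
        "system-implementation": {"users": [], "components": components},
        "control-implementation": {"description": "Generated from inventory",
                                   "implemented-requirements": implemented}}}


def assess(ssp, checks, inventory, now):
    """Stage 2: run the check for each documented control, emit assessment-results."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    findings = []
    for req in reqs:
        cid = req["control-id"]
        check = checks.get(cid)
        # A control with no runner is a failed finding, not a silent pass: skipping
        # unchecked controls would over-report coverage in the summary.
        passed = bool(check(inventory)) if check else False
        description = ("no automated check" if check is None
                       else "check passed" if passed else "check failed")
        findings.append({
            "uuid": str(uuid.uuid4()), "title": f"{cid} automated check",
            "description": description,
            "implementation-statement-uuid": req["uuid"],  # ties the finding back to the SSP
            "target": {"type": "objective-id", "target-id": f"{cid}_obj",
                       "status": {"state": "satisfied" if passed else "not-satisfied"}}})
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()), "metadata": _meta("Example SAR", now),
        "import-ap": {"href": "#assessment-plan"},  # placeholder: no assessment plan generated here
        "results": [{"uuid": str(uuid.uuid4()), "title": "Automated assessment",
                     "description": "One finding per implemented requirement",
                     "start": now.isoformat(), "findings": findings}]}}


def build_poam(ssp, sar, now, due_days=30):
    """Stage 3: one POA&M item per not-satisfied finding, linked by finding UUID."""
    items = []
    for result in sar["assessment-results"]["results"]:
        for f in result["findings"]:
            if f["target"]["status"]["state"] != "not-satisfied":
                continue
            items.append({
                "uuid": str(uuid.uuid4()), "title": f"Remediate {f['target']['target-id']}",
                "description": f["description"],
                "related-findings": [{"finding-uuid": f["uuid"]}],
                "props": [{"name": "scheduled-completion-date",  # assumed prop name
                           "value": (now + timedelta(days=due_days)).date().isoformat()}]})
    return {"plan-of-action-and-milestones": {
        "uuid": str(uuid.uuid4()), "metadata": _meta("Example POA&M", now),
        "import-ssp": {"href": "#" + ssp["system-security-plan"]["uuid"]},
        "poam-items": items}}


def run_pipeline(inventory=INVENTORY, control_ids=CONTROL_IDS, checks=CHECKS, now=None):
    """Run all three stages; return the documents plus a summary like the terminal output."""
    now = now or datetime.now(timezone.utc)
    ssp = build_ssp(inventory, control_ids, now)
    sar = assess(ssp, checks, inventory, now)
    poam = build_poam(ssp, sar, now)
    states = [f["target"]["status"]["state"]
              for f in sar["assessment-results"]["results"][0]["findings"]]
    summary = {"documented": len(control_ids), "satisfied": states.count("satisfied"),
               "not_satisfied": states.count("not-satisfied"),
               "poam_items": len(poam["plan-of-action-and-milestones"]["poam-items"])}
    return ssp, sar, poam, summary


if __name__ == "__main__":
    ssp, sar, poam, summary = run_pipeline()
    print(json.dumps(summary))
    print(json.dumps(poam, indent=2))
```

With the constructed inputs, `ac-2` and `au-2` pass, `sc-28` fails because the `db` component is not encrypted at rest, and `ir-4` fails because no runner exists for it, so the POA&M gets two items. Before any of this is submitted, the real documents should be run through a schema validator against the OSCAL 1.1.2 JSON schemas, since hand-built dicts like these will not catch missing required fields.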
Terminal output
[Pipeline] FedRAMP Moderate · rev5
Stage 1: Generate SSP
✓ 325 controls documented
✓ OSCAL SSP v1.1.2 generated
Stage 2: Automated assessment
✓ 301 controls SATISFIED
✗ 24 controls NOT SATISFIED
Stage 3: Generate artifacts
✓ OSCAL SAR generated
✓ POA&M: 24 items created
Artifacts → s3://fedramp-artifacts/
Stack
OSCAL · Python · Terraform · GitHub Actions
Source code
Source repository in the works — check back soon.