Federal GRC Engineering

OSCAL (federal context)

In the federal context, OSCAL (the Open Security Controls Assessment Language) is the machine-readable format for authorization artifacts under FedRAMP 20x and DoD cATO programs. It renders System Security Plans, assessment plans, assessment results, and Plans of Action and Milestones as structured XML, JSON, or YAML rather than as narrative PDFs. Its value to federal programs is composability: a control implemented once at the cloud platform layer can be inherited by reference (not copied) by every tenant authorization above it, and a vulnerability in a shared control surfaces automatically in every dependent authorization. OSCAL is the foundation on which FedRAMP 20x is built.
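The inheritance-by-reference mechanism described above, as an added example that is not code from this page, from NIST, or from FedRAMP: a platform SSP exports two controls, three tenant SSPs reference them, and a not-satisfied finding on the platform is mapped to the tenant authorizations that depend on it. The documents are constructed inline and use a deliberately simplified subset of the OSCAL SSP and assessment-results field names (implemented-requirements, by-components, export.provided, inherited.provided-uuid, findings.target); all UUIDs, titles and descriptions are placeholders, and the functions are this example's own, not an OSCAL library API.

```python
"""Resolve OSCAL-style control inheritance and propagate findings (added example)."""

# Constructed provider document: the platform exports ac-2 and sc-13 for tenants.
PLATFORM_SSP = {"system-security-plan": {
    "uuid": "11111111-1111-4111-8111-111111111111",  # placeholder
    "metadata": {"title": "Example Cloud Platform"},
    "control-implementation": {"implemented-requirements": [
        {"uuid": "ir-plat-ac-2", "control-id": "ac-2",
         "by-components": [{"uuid": "bc-plat-ac-2", "component-uuid": "comp-iam",
             "export": {"provided": [{"uuid": "prov-ac-2",
                 "description": "Platform IAM provisions and reviews tenant accounts."}]}}]},
        {"uuid": "ir-plat-sc-13", "control-id": "sc-13",
         "by-components": [{"uuid": "bc-plat-sc-13", "component-uuid": "comp-kms",
             "export": {"provided": [{"uuid": "prov-sc-13",
                 "description": "Platform KMS supplies validated cryptography."}]}}]},
    ]}}}


def _tenant(uuid, title, inherits, own=()):
    """Build a constructed tenant SSP. `inherits` maps control-id -> provided-uuid
    (a reference, not a copy of the provider's text); `own` lists controls the
    tenant implements itself."""
    reqs = [{"uuid": f"ir-{uuid}-{cid}", "control-id": cid,
             "by-components": [{"uuid": f"bc-{uuid}-{cid}", "component-uuid": "comp-app",
                 "inherited": [{"uuid": f"inh-{uuid}-{cid}", "provided-uuid": puuid}]}]}
            for cid, puuid in inherits.items()]
    reqs += [{"uuid": f"ir-{uuid}-{cid}", "control-id": cid,
              "by-components": [{"uuid": f"bc-{uuid}-{cid}", "component-uuid": "comp-app",
                  "description": "Implemented by the tenant."}]} for cid in own]
    return {"system-security-plan": {"uuid": uuid, "metadata": {"title": title},
            "control-implementation": {"implemented-requirements": reqs}}}


TENANT_A = _tenant("tenant-a", "Tenant A", {"ac-2": "prov-ac-2", "sc-13": "prov-sc-13"})
TENANT_B = _tenant("tenant-b", "Tenant B", {"ac-2": "prov-ac-2"}, own=["sc-13"])
TENANT_C = _tenant("tenant-c", "Tenant C", {"ac-2": "prov-ac-2", "sc-13": "prov-missing"})

# Constructed platform assessment result: sc-13 failed, ac-2 passed.
PLATFORM_FINDINGS = {"assessment-results": {"results": [{"uuid": "res-1", "findings": [
    {"uuid": "f-1", "title": "Key rotation overdue on shared KMS",
     "target": {"type": "objective-id", "target-id": "sc-13",
                "status": {"state": "not-satisfied"}}},
    {"uuid": "f-2", "title": "Account review evidence complete",
     "target": {"type": "objective-id", "target-id": "ac-2",
                "status": {"state": "satisfied"}}},
]}]}}


def _requirements(ssp):
    return ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]


def exported_capabilities(ssp):
    """Map provided-uuid -> control-id for everything the SSP exports."""
    out = {}
    for req in _requirements(ssp):
        for bc in req.get("by-components", []):
            for prov in bc.get("export", {}).get("provided", []):
                out[prov["uuid"]] = req["control-id"]
    return out


def inherited_references(ssp):
    """List (control-id, provided-uuid) pairs the SSP claims by reference."""
    return [(req["control-id"], inh["provided-uuid"])
            for req in _requirements(ssp)
            for bc in req.get("by-components", [])
            for inh in bc.get("inherited", [])]


def resolve_inheritance(tenant_ssp, provider_ssps):
    """Return (resolved, dangling). resolved maps control-id -> provider title.
    dangling lists provided-uuids no provider exports for that control; a
    reference that points nowhere must fail review, not count as satisfied."""
    catalog = {}  # provided-uuid -> (provider title, control-id)
    for p in provider_ssps:
        title = p["system-security-plan"]["metadata"]["title"]
        for puuid, cid in exported_capabilities(p).items():
            catalog[puuid] = (title, cid)
    resolved, dangling = {}, []
    for cid, puuid in inherited_references(tenant_ssp):
        if puuid in catalog and catalog[puuid][1] == cid:
            resolved[cid] = catalog[puuid][0]
        else:
            dangling.append(puuid)
    return resolved, dangling


def affected_tenants(provider_ssp, assessment_results, tenant_ssps):
    """Map each tenant title to the provider controls it inherits that were
    assessed not-satisfied: the 'surfaces in every dependent authorization' step."""
    failed = {f["target"]["target-id"]
              for r in assessment_results["assessment-results"]["results"]
              for f in r.get("findings", [])
              if f["target"]["status"]["state"] == "not-satisfied"}
    impact = {}
    for t in tenant_ssps:
        resolved, _ = resolve_inheritance(t, [provider_ssp])
        hit = sorted(c for c in resolved if c in failed)
        if hit:
            impact[t["system-security-plan"]["metadata"]["title"]] = hit
    return impact


if __name__ == "__main__":
    for t in (TENANT_A, TENANT_B, TENANT_C):
        print(t["system-security-plan"]["metadata"]["title"],
              resolve_inheritance(t, [PLATFORM_SSP]))
    print("affected by platform findings:",
          affected_tenants(PLATFORM_SSP, PLATFORM_FINDINGS, [TENANT_A, TENANT_B, TENANT_C]))
```

Tenant B is untouched by the sc-13 finding because it implements that control itself, and Tenant C's broken reference is reported as dangling rather than silently resolved; both are the checks a reviewer wants before trusting an inherited control.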

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.