The Department of Veterans Affairs (VA) announced on Tuesday that it is the first Federal agency to submit its Open Security Controls Assessment Language (OSCAL) format System Security Plan (SSP) to the General Services Administration (GSA) – far ahead of the White House’s July 2026 deadline to do so.
The submission meets a requirement set under the White House Office of Management and Budget’s (OMB) July 2024 guidance to overhaul GSA’s Federal Risk and Authorization Management Program (FedRAMP).
That memo gave Federal agencies two years to ensure that governance, risk, and compliance (GRC) tools and system-inventory tools can produce and ingest machine-readable authorization packages using OSCAL “or any succeeding protocol as defined by FedRAMP.”
“Submitting the first agency authorization package in OSCAL (to FedRAMP) is a great milestone for the Federal government’s security automation and continuous ATO journey, and I personally congratulate the Veterans Affairs team for its pioneering work in streamlining the agency’s risk management process,” said Michaela Iorga, director of the OSCAL program at the National Institute of Standards and Technology (NIST).
“The outcome of the hard work and dedication of the VA team is marking the beginning of a new era in cybersecurity for the Federal government,” Iorga said.
OSCAL is a common machine-readable language that FedRAMP and NIST are using to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services and products. Formats for OSCAL-templated documents include eXtensible Markup Language (XML), JavaScript Object Notation (JSON), and YAML Ain’t Markup Language (YAML).
The VA said this standardized approach “unlocks the potential for end-to-end automation and will enable VA to go through the risk management process” in as little as one day – the current process to achieve an Authority to Operate (ATO) can take over a year.
With OSCAL-based risk management automation, the VA said it can alleviate the documentation burden for system teams and bring new technology to bear more quickly to benefit veterans.
“Our efforts to evolve automation are essential to advancing cybersecurity capabilities at the speed of innovation,” said Amber Pearson, deputy chief information security officer at the VA. “As a leader in Federal information security, we constantly mature enterprise security with continuous improvements like OSCAL and through our partnerships across the public and private sector.”
As other agencies move to the adoption of OSCAL and risk management automation, the VA offered some helpful takeaways from its own journey.
For instance, the VA said it followed FedRAMP and NIST documentation, “leaning on the federally led workshops and NIST leadership when challenges arose.”
The agency also said its security team worked section by section through the existing SSP Word document and translated the system information (points of contact, identifying information, and leveraged authorizations for the system), generating a unique identifier for each component.
During the process, the VA said it exchanged lessons learned and observations with the FedRAMP team. Once it submitted the OSCAL-formatted plan to GSA, the VA met with the GSA FedRAMP OSCAL team to review and validate the plan against GSA’s documentation.
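The translation and validation steps described above, as an added example in Python that is not the VA's or FedRAMP's own code: it builds a minimal OSCAL SSP JSON skeleton carrying the fields the VA named (points of contact, system identifier, leveraged authorizations) with a fresh UUID per component, then runs a pre-submission check that every UUID is unique and well-formed and every party reference resolves. The function names, the placeholder profile href and the sample system are assumptions.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed example (not VA or FedRAMP code): a minimal OSCAL SSP JSON skeleton
# carrying the fields the article names, with a fresh UUID for every component.
def build_ssp(system_name, system_id, poc_name, components, leveraged):
    poc_uuid = str(uuid.uuid4())
    parties = [{"uuid": poc_uuid, "type": "person", "name": poc_name}]
    leveraged_auths = []
    for title, provider, date in leveraged:  # the authorizing CSP becomes a party
        parties.append({"uuid": str(uuid.uuid4()), "type": "organization", "name": provider})
        leveraged_auths.append({"uuid": str(uuid.uuid4()), "title": title,
                                "party-uuid": parties[-1]["uuid"], "date-authorized": date})
    return {"system-security-plan": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": f"{system_name} System Security Plan", "version": "1.0",
                     "last-modified": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     "oscal-version": "1.1.2",
                     "roles": [{"id": "system-owner", "title": "System Owner"}],
                     "parties": parties,
                     "responsible-parties": [{"role-id": "system-owner", "party-uuids": [poc_uuid]}]},
        "import-profile": {"href": "PLACEHOLDER-baseline-profile.json"},  # placeholder href
        "system-characteristics": {"system-ids": [{"id": system_id}], "system-name": system_name,
                                   "description": f"{system_name} authorization boundary.",
                                   "status": {"state": "operational"}},
        "system-implementation": {
            "components": [{"uuid": str(uuid.uuid4()), "type": "software", "title": c,
                            "description": c, "status": {"state": "operational"}} for c in components],
            "leveraged-authorizations": leveraged_auths}}}

def is_oscal_uuid(val):  # OSCAL requires RFC 4122 version 4 or 5 UUIDs
    try:
        return uuid.UUID(val).version in (4, 5)
    except ValueError:
        return False

# Pre-submission integrity check over the serialized JSON: unique, well-formed UUIDs, no dangling party refs.
def check_references(ssp):
    doc = ssp["system-security-plan"]
    ids = re.findall(r'"uuid":\s*"([^"]*)"', json.dumps(doc))  # every "uuid" key, any depth
    problems = [f"malformed uuid: {u}" for u in ids if not is_oscal_uuid(u)]
    problems += [f"duplicate uuid: {u}" for u in sorted(set(ids)) if ids.count(u) > 1]
    parties = {p["uuid"] for p in doc["metadata"].get("parties", [])}
    refs = [u for rp in doc["metadata"].get("responsible-parties", []) for u in rp["party-uuids"]]
    refs += [la["party-uuid"] for la in doc["system-implementation"].get("leveraged-authorizations", [])]
    problems += [f"dangling party-uuid: {u}" for u in refs if u not in parties]
    return problems
```

An empty list from `check_references` means the skeleton is internally consistent; full schema validation against the OSCAL JSON schema is a separate step.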
“With a pilot effort now under our belt, we are aiming to exceed the White House’s requirements and implement OSCAL across the enterprise over the coming years to address the OMB deadline and continue to lead Federal agencies in the adoption and implementation of the latest cybersecurity standards and innovations,” the VA said.