Implementing the FedRAMP SSP, POAM, and OSCAL Reporting toolkit

The FedRAMP SSP, POAM, and OSCAL Reporting toolkit is an integrated solution within the Diligent One Platform that helps federal cloud service providers (CSPs) automate the creation and management of key FedRAMP compliance documents. These include the System Security Plan (SSP), the Plan of Action and Milestones (POAM), and machine-readable Open Security Controls Assessment Language (OSCAL) outputs. These artifacts are critical for maintaining FedRAMP authorization and are traditionally time-consuming to produce and update. The toolkit automates data collection, normalization, and export, reducing manual effort and improving accuracy.

Designed to address the heavy documentation workload, the toolkit simplifies how providers prepare, maintain, and update their SSP and POAM reports. The SSP outlines the provider’s authorization boundary, system architecture, and implementation of hundreds of security controls. The POAM tracks vulnerabilities and remediation efforts and must be updated and submitted regularly to federal regulators.

What is OSCAL?

OSCAL provides standardized, machine-readable formats that help organizations represent cybersecurity documentation, including control catalogs, baselines, system security plans (SSPs), and assessment results. Developed by the National Institute of Standards and Technology (NIST), OSCAL uses XML, JSON, and YAML to support automation, interoperability, and consistency in documenting, exchanging, and evaluating security controls and compliance artifacts.

The FedRAMP authorization process requires CSPs to submit key documents, such as the SSP and POAM, in both traditional human-readable formats and OSCAL. By using OSCAL, organizations automate complex reporting and continuous assessment processes, streamline compliance workflows, and accelerate review cycles. Systems can validate and process OSCAL documents programmatically, which reduces manual effort and improves consistency across reviews.

Toolkit components

Upon installation, the toolkit includes several preconfigured robots, project types, results inventories, and questionnaires to support automated report generation and data management.

Robots

SSP Automation Robot

  • Generates a complete System Security Plan (SSP) report by extracting structured data from your Diligent One FedRAMP project and merging it into the Word template.

  • Automates data population for both the main SSP sections (1 through 12) and Appendix A, which details control implementation.

  • Supports exports in both human-readable (Word) and machine-readable (OSCAL) formats.

FedRAMP POAM Automation Robot

  • FedRAMP Security Scan Automation Robot

    • Imports vulnerability data directly from CSV exports from security scanners, such as Tenable, Rapid7, and Qualys.

    • Normalizes the data into the POAM inventory within the Results app.

  • FedRAMP SAR Vulnerabilities Automation Robot

    Imports vulnerabilities identified in annual Security Assessment Reports (SARs) and maps them to relevant security controls.

  • POAM OSCAL Robot

    Converts the POAM inventory into the OSCAL format to support machine-readable regulatory submissions.

Other components

  • Reporting Collection Project Type

    Preconfigured project format in Diligent One designed to centralize and manage all FedRAMP implementation details and compliance artifacts.

  • POAM Results Collection

    Centralized results table for entering, normalizing, and deduplicating vulnerability data, supporting all required FedRAMP reports.

  • POAM Builder Questionnaires

    Inline forms for manually entering vulnerability details that aren’t available from automated scans.