
OSCAL Machine-Readable Packages

The Open Security Controls Assessment Language (OSCAL) is the machine-readable format FedRAMP will require from every cloud provider by September 2026 under RFC-0024. This page explains what OSCAL is, the six interconnected document types it covers, the submission lifecycle from Catalog to Plan of Action, why hand-writing OSCAL does not scale, and how to produce a submission-ready package.
From PDFs to structured evidence

OSCAL Defined

The Open Security Controls Assessment Language is a NIST-developed set of standards for expressing security controls, system descriptions, assessment plans, results, and plans of action in machine-readable JSON, XML, or YAML. OSCAL is the format that replaces the legacy Word documents, Excel spreadsheets, and PDF attachments that have made up FedRAMP submission packages for the last decade. On January 13, 2026, FedRAMP issued RFC-0024 mandating OSCAL machine-readable packages for all FedRAMP providers by September 2026, not only 20x participants. Every cloud provider in the federal market is on this clock.
OSCAL replaces narrative with structured data. A control implementation is no longer a paragraph of prose; it is a JSON object describing the control identifier, the parameters it uses, the implementation status, the responsible role, links to evidence, and references to inherited components. Software can read it, validate it against published schemas, compare it against the target baseline, and surface deltas. Agencies can write tooling against the standard once and reuse it across every provider whose package is OSCAL-compliant.
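As an added example (not code from Quzara, NISTCompliance.AI or NIST), the Python below builds the structured control-implementation object described above from a flat evidence record of the kind a source-of-truth system exports, which is the generation approach this page argues for. Field names follow the OSCAL 1.x SSP JSON model (`implemented-requirements`, `by-components`, `implementation-status`, `set-parameters`, `responsible-roles`, `back-matter` resources); the evidence record layout, the component UUID, the parameter identifier and the evidence path are constructed assumptions for this example, not values from any real package.

```python
"""Turn a flat control-evidence record into an OSCAL SSP implemented-requirement.

Added example, not Quzara's or NIST's code. Field names follow the OSCAL 1.x
SSP JSON model; the evidence record shape, component UUID, parameter id and
evidence path are constructed for this example.
"""
import json
import uuid

# implementation-status values the OSCAL SSP model permits.
VALID_STATES = {"implemented", "partial", "planned", "alternative", "not-applicable"}

# Constructed sample: a normalised export from a source-of-truth system
# (an identity provider, for instance). Nothing here is a real identifier.
SAMPLE_EVIDENCE = {
    "control_id": "ac-2",
    "component_uuid": "11111111-1111-4111-8111-111111111111",  # constructed
    "status": "implemented",
    "role": "system-owner",
    "params": {"ac-2_prm_1": ["individual", "group", "service"]},  # placeholder param id
    "evidence_uri": "evidence/ac-2/account-review-2026-03.csv",  # constructed path
    "description": "Accounts are provisioned and reviewed through the identity provider.",
}


def implemented_requirement(record: dict) -> tuple[dict, dict]:
    """Return (implemented-requirement, back-matter resource) for one evidence record.

    The evidence file becomes a back-matter resource; the by-component entry
    links to it by UUID fragment, which is how OSCAL ties a control to evidence.
    """
    state = record["status"]
    if state not in VALID_STATES:
        raise ValueError(f"invalid implementation-status {state!r} for {record['control_id']}")
    resource_uuid = str(uuid.uuid4())
    resource = {
        "uuid": resource_uuid,
        "title": f"Evidence for {record['control_id']}",
        "rlinks": [{"href": record["evidence_uri"]}],
    }
    requirement = {
        "uuid": str(uuid.uuid4()),
        "control-id": record["control_id"],
        "set-parameters": [
            {"param-id": pid, "values": list(vals)}
            for pid, vals in sorted(record.get("params", {}).items())
        ],
        "responsible-roles": [{"role-id": record["role"]}],
        "by-components": [
            {
                "component-uuid": record["component_uuid"],  # inherited/implementing component
                "uuid": str(uuid.uuid4()),
                "description": record["description"],
                "implementation-status": {"state": state},
                "links": [{"href": f"#{resource_uuid}", "rel": "evidence"}],
            }
        ],
    }
    return requirement, resource


def build_control_implementation(records: list[dict]) -> dict:
    """Assemble the control-implementation and back-matter sections for many records."""
    reqs, resources = [], []
    for rec in records:
        req, res = implemented_requirement(rec)
        reqs.append(req)
        resources.append(res)
    return {
        "control-implementation": {
            "description": "Generated from control evidence; not hand-authored.",
            "implemented-requirements": reqs,
        },
        "back-matter": {"resources": resources},
    }


if __name__ == "__main__":
    print(json.dumps(build_control_implementation([SAMPLE_EVIDENCE]), indent=2))
```

The rejection of an unknown status string is the point worth noticing: a value such as "done" would pass through a Word template unnoticed but fails OSCAL's enumerated `implementation-status` values, so the generator should refuse it at the source rather than let schema validation catch it at submission.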
Catalog, Profile, Component, SSP, AP/AR, POA&M

The Six OSCAL Document Types

A complete OSCAL submission is not a single file. It is a coordinated set of six interconnected document types, each with a defined schema. The relationships between them are what enables the automation 20x depends on.
1. Catalog
Describes a control framework such as NIST SP 800-53 Rev 5. NIST publishes the canonical catalogs; providers reference them rather than write them. The Catalog is the universal vocabulary that all other OSCAL documents reference.
2. Profile
A tailored subset of a Catalog, defining the baseline a system targets. FedRAMP publishes the official Low, Moderate, and High profiles (becoming Classes B, C, and D under CR26). Providers reference these profiles rather than restating them, ensuring the assessed baseline matches the program standard.
3. Component Definition
Describes a reusable security component, such as a hardened operating system, a managed database service, an authentication module, or an MDR platform, along with the controls that component satisfies. Inheritable services emit component definitions that customers reference in their SSPs. Cybertorch publishes a Component Definition documenting the inheritable controls customers receive from the Class D platform.
4. System Security Plan (SSP)
The system-specific document describing how a particular cloud service implements its target Profile. The SSP is the artifact that replaces the narrative SSP document under 20x. It references the Profile, lists each control with implementation details, identifies inheritance from Component Definitions, and links to supporting evidence.
5. Assessment Plan (AP) and Assessment Results (AR)
The 3PAO-facing documents that describe what will be tested and what was found. The Assessment Plan describes the testing methodology; the Assessment Results document the findings. These replace the legacy Security Assessment Plan (SAP) and Security Assessment Report (SAR).
6. Plan of Action and Milestones (POA&M)
Tracks open findings and remediation plans. Under 20x, the POA&M becomes a continuous artifact rather than a monthly snapshot. The OSCAL POA&M references findings in the Assessment Results, links to remediation evidence, and is updated automatically when findings open or close in the continuous validation pipeline.
How the six documents connect

The OSCAL Submission Lifecycle

A complete OSCAL submission is a coordinated set, not a single file. The relationships between the documents are explicit, machine-readable references that allow tooling to traverse the package automatically. The SSP references the FedRAMP Profile, which references the NIST Catalog. The SSP references Component Definitions for inherited services. The Assessment Results reference the Assessment Plan and the SSP. The POA&M references findings in the Assessment Results.
This structure is what enables the automation 20x depends on. A continuous validation pipeline can update the OSCAL POA&M every time a finding is opened or closed without rewriting a Word document. A continuous monitoring system can update the OSCAL SSP every time a control implementation changes, with the change reflected immediately in the submission package. Assessors can subscribe to changes rather than waiting for an annual review window, reviewing evidence continuously rather than in batch.
The submission lifecycle under 20x is no longer a sequence of point-in-time deliverables. It is a continuously updated set of machine-readable documents, with the agency consuming the current version on demand. The OSCAL package becomes the system of record for the security posture, not a periodic report about it.
For providers that have not yet adopted OSCAL tooling, the September 2026 RFC-0024 deadline is the operational forcing function. The deadline applies whether the provider is pursuing a new authorization, in continuous monitoring on an existing Rev5 authorization, or in any other state. Every cloud provider in the FedRAMP program needs an OSCAL pipeline by that date.
The case for automated generation

Why Hand-Writing OSCAL Does Not Scale

OSCAL is machine-readable, but that does not mean it is convenient for humans to write. Hand-writing OSCAL is slower than producing the equivalent Word document, not faster. The practical path is to generate OSCAL from the underlying source-of-truth systems and treat the OSCAL artifact as an output of security operations, not an input.
1. Volume
A Moderate baseline SSP in OSCAL JSON runs thousands of lines. The Catalog reference alone for NIST SP 800-53 Rev 5 covers approximately 1,000 controls and control enhancements. The full package across SSP, Component Definitions, Assessment Plan, Assessment Results, and POA&M can exceed 10,000 lines of structured data.
2. Cross-Reference Precision
Every reference in an OSCAL document must be exact: a UUID, a control identifier, a parameter name. A single broken reference fails schema validation. Hand-maintaining these references across thousands of cross-document links is impractical at submission cadence.
3. Schema Validation
OSCAL is schema-validated by tooling that consumes it. A package that does not validate is not a package. The validation rules are strict: required fields, format constraints, enumerated values. Producing a valid OSCAL package by hand requires deep schema knowledge that compliance teams typically do not have.
4. Continuous Updates
Under 20x, the OSCAL package is updated continuously, not periodically. A control implementation change triggers an SSP update. A finding triggers a POA&M update. A Significant Change Notice triggers updates across multiple documents. The update cadence is incompatible with manual document editing.
5. Source-of-Truth Generation
The practical path is to generate OSCAL from the underlying systems: identity providers, configuration management, logging platforms, change management, ticketing. The OSCAL artifact becomes an output of normal security operations, with no separate authoring workflow.
6. How NISTCompliance.AI Generates OSCAL
NISTCompliance.AI ingests evidence from your control implementations across 800-plus NIST SP 800-53 Rev 5 controls and generates the complete OSCAL package as an output. SSPs are produced from the control evidence rather than written by hand. POA&Ms are maintained continuously as findings open and close. Component Definitions are generated from inherited platform definitions. Assessment artifacts are exportable for 3PAO review. Cross-framework mapping satisfies FedRAMP plus CMMC plus FISMA from one evidence base.
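The reference chain described under "How the six documents connect" (SSP to Profile, SSP to components, Assessment Results to Assessment Plan to SSP, POA&M to findings) and the "Cross-Reference Precision" point above are the kind of thing a generation pipeline should check before anything is submitted. The Python below is an added example of such a link checker, not tooling from Quzara, NISTCompliance.AI, NIST or FedRAMP. It holds a small package as parsed JSON and reports every cross-reference that does not resolve. Field names follow the OSCAL 1.x JSON models for profile, SSP, assessment plan, assessment results and POA&M; every file name, UUID, control selection and finding in the sample package is constructed for the example. It checks link resolution only; it complements, and does not replace, schema validation with NIST's published OSCAL schemas.

```python
"""Cross-reference check over an OSCAL package held as parsed JSON.

Added example, not Quzara's, NIST's or FedRAMP's tooling. Field names follow
the OSCAL 1.x JSON models; every href, UUID and finding below is constructed.
This verifies that links between documents resolve; schema validation against
NIST's published OSCAL schemas is a separate step.
"""
import copy

# Constructed document names and identifiers (not real FedRAMP artifacts).
PROFILE_HREF = "fedramp-moderate-profile.json"
SSP_HREF = "ssp.json"
AP_HREF = "assessment-plan.json"
COMP_UUID = "22222222-2222-4222-8222-222222222222"
FINDING_UUID = "33333333-3333-4333-8333-333333333333"

PACKAGE = {
    PROFILE_HREF: {"profile": {"uuid": "p1", "imports": [
        {"href": "nist-800-53-rev5-catalog.json",
         "include-controls": [{"with-ids": ["ac-2", "au-2"]}]}]}},
    SSP_HREF: {"system-security-plan": {
        "uuid": "s1",
        "import-profile": {"href": PROFILE_HREF},
        "system-implementation": {"components": [
            {"uuid": COMP_UUID, "type": "service", "title": "Inherited MDR platform"}]},
        "control-implementation": {"implemented-requirements": [
            {"uuid": "r1", "control-id": "ac-2", "by-components": [
                {"uuid": "b1", "component-uuid": COMP_UUID,
                 "implementation-status": {"state": "implemented"}}]},
            {"uuid": "r2", "control-id": "au-2", "by-components": [
                {"uuid": "b2", "component-uuid": COMP_UUID,
                 "implementation-status": {"state": "partial"}}]}]}}},
    AP_HREF: {"assessment-plan": {"uuid": "a1", "import-ssp": {"href": SSP_HREF}}},
    "assessment-results.json": {"assessment-results": {
        "uuid": "ar1", "import-ap": {"href": AP_HREF},
        "results": [{"uuid": "res1", "findings": [
            {"uuid": FINDING_UUID, "title": "AU-2 event coverage incomplete",
             "target": {"type": "objective-id", "target-id": "au-2_obj"}}]}]}},
    "poam.json": {"plan-of-action-and-milestones": {
        "uuid": "pm1", "import-ssp": {"href": SSP_HREF},
        "poam-items": [{"uuid": "pi1", "title": "Extend audit event coverage",
                        "related-findings": [{"finding-uuid": FINDING_UUID}]}]}},
}


def check_package(pkg: dict) -> list[str]:
    """Return every broken cross-reference in the package; [] means all links resolve."""
    errors: list[str] = []

    def imported(href: str, root: str) -> dict:
        # Resolve an import-* href to the document with the expected root key.
        body = pkg.get(href, {}).get(root)
        if body is None:
            errors.append(f"import of {href} ({root}) does not resolve")
        return body or {}

    ssps = [d["system-security-plan"] for d in pkg.values() if "system-security-plan" in d]
    if len(ssps) != 1:
        return [f"expected exactly one SSP, found {len(ssps)}"]
    ssp = ssps[0]

    # SSP -> Profile: implemented controls must match the profile's baseline exactly.
    profile = imported(ssp["import-profile"]["href"], "profile")
    baseline = {cid for imp in profile.get("imports", [])
                for inc in imp.get("include-controls", []) for cid in inc.get("with-ids", [])}
    reqs = ssp["control-implementation"]["implemented-requirements"]
    implemented = {r["control-id"] for r in reqs}
    errors += [f"{r['uuid']}: control {r['control-id']} is not in the profile baseline"
               for r in reqs if r["control-id"] not in baseline]
    errors += [f"baseline control {cid} has no implemented-requirement"
               for cid in sorted(baseline - implemented)]

    # SSP -> components: every by-component must name a declared component.
    components = {c["uuid"] for c in ssp["system-implementation"]["components"]}
    errors += [f"{r['control-id']}: unknown component-uuid {bc['component-uuid']}"
               for r in reqs for bc in r.get("by-components", [])
               if bc["component-uuid"] not in components]

    # AR -> AP -> SSP chain; collect finding UUIDs for the POA&M check below.
    findings: set[str] = set()
    for d in pkg.values():
        if "assessment-results" in d:
            ar = d["assessment-results"]
            ap = imported(ar["import-ap"]["href"], "assessment-plan")
            if ap:
                imported(ap["import-ssp"]["href"], "system-security-plan")
            for res in ar.get("results", []):
                findings.update(f["uuid"] for f in res.get("findings", []))

    # POA&M -> AR: each related finding must exist in some Assessment Results.
    for d in pkg.values():
        if "plan-of-action-and-milestones" in d:
            poam = d["plan-of-action-and-milestones"]
            imported(poam["import-ssp"]["href"], "system-security-plan")
            errors += [f"{item['uuid']}: related finding {rf['finding-uuid']} not found in any AR"
                       for item in poam.get("poam-items", [])
                       for rf in item.get("related-findings", [])
                       if rf["finding-uuid"] not in findings]
    return errors


def with_broken_finding(pkg: dict, bogus_uuid: str) -> dict:
    """Deep-copy the package and point its first POA&M item at a finding that does not exist."""
    broken = copy.deepcopy(pkg)
    item = broken["poam.json"]["plan-of-action-and-milestones"]["poam-items"][0]
    item["related-findings"][0]["finding-uuid"] = bogus_uuid
    return broken


if __name__ == "__main__":
    print("clean package:", check_package(PACKAGE) or "all references resolve")
    print("broken package:", check_package(with_broken_finding(PACKAGE, "00000000-0000-4000-8000-000000000000")))
```

Two design choices carry over to a real pipeline. The baseline comparison runs in both directions, because a control that the profile requires but the SSP omits is as much a submission defect as a control the SSP claims outside the baseline. The finding set is collected from every Assessment Results document before the POA&M is checked, so a POA&M item can only cite a finding an assessor actually recorded.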
What RFC-0024 actually requires

The September 2026 OSCAL Deadline

RFC-0024 is the most operationally significant RFC of the January 2026 release. It mandates machine-readable submission packages in OSCAL format for all FedRAMP providers by September 2026, not just 20x participants. The mandate's scope, timing, and operational implications are below.
Who Is In Scope
Every cloud service provider in the FedRAMP program. The mandate is universal, not limited to 20x participants. Providers in Phase 1 or Phase 2 of 20x, providers pursuing Phase 3 GA, providers on existing Rev5 authorizations in continuous monitoring, and providers pursuing new Rev5 authorizations are all in scope.
What Must Be in OSCAL
The submission package, in its entirety: SSP, POA&M, Assessment Plan, Assessment Results, and supporting Component Definitions. The package must validate against the published OSCAL schema and reference the appropriate FedRAMP Profile.
The Deadline
September 2026. The exact day within September is defined in the implementation guidance. Providers should plan for the deadline as a hard cutover, not a phased rollout.
What Happens After the Deadline
Submission packages that are not in OSCAL format will not be accepted. Continuous monitoring deliverables that are not in OSCAL format will not be accepted. Significant Change Notices that are not integrated with the OSCAL package will not be accepted. The OSCAL format is the submission format, full stop.
OSCAL Versioning
The mandated OSCAL version is the current published NIST OSCAL release at the time of submission. NIST publishes updates to the OSCAL specification periodically; providers should track NIST's OSCAL release cadence and align their tooling accordingly. Backwards compatibility is generally maintained but should not be assumed.
What Cloud Providers Should Be Doing Now
Three things. First, identify the source-of-truth systems that hold your control evidence today: identity provider, configuration management, logging, change management, vulnerability management. Second, choose an OSCAL generation approach: build internally, contract a service, or adopt a platform like NISTCompliance.AI. Third, run an end-to-end OSCAL generation cycle now to surface schema validation errors and reference precision issues well before the deadline.
How Quzara's Stack Closes the Gap
Cybertorch produces the underlying control evidence as a byproduct of normal SOC operations: log retention, incident response artifacts, vulnerability scan results, configuration baseline evidence. NISTCompliance.AI ingests that evidence and generates the OSCAL package: SSP, POA&M, Component Definitions, and cross-references. The two platforms together cover both halves of the September 2026 requirement: evidence production and OSCAL structuring.

Pursuing OSCAL Adoption Before September 2026?

NISTCompliance.AI generates the OSCAL machine-readable packages RFC-0024 requires, across 800-plus NIST SP 800-53 Rev 5 controls, with cross-framework mapping to CMMC Level 2 and FISMA Moderate from one evidence base. Request a demo to see your control evidence converted to a submission-ready OSCAL package.

Common Questions About OSCAL and RFC-0024

What does OSCAL stand for?
Open Security Controls Assessment Language. OSCAL is a NIST-developed set of standards for expressing security controls, system descriptions, assessment plans, results, and plans of action in machine-readable JSON, XML, or YAML formats.
Does OSCAL apply only to FedRAMP 20x?
No. RFC-0024, issued January 13, 2026, mandates OSCAL machine-readable packages for all FedRAMP providers by September 2026, not just 20x participants. Providers on Rev5 in continuous monitoring are in scope. Providers pursuing new Rev5 authorizations are in scope. Every cloud provider in the federal market is on the OSCAL clock.
What is the September 2026 deadline?
RFC-0024 mandates that all FedRAMP providers submit machine-readable OSCAL packages by September 2026. The mandate applies to every provider in the program, not just 20x participants and not just new authorizations. Rev5-authorized services in continuous monitoring must also produce OSCAL packages by the deadline.
What are the six OSCAL document types?
Catalog (the control framework, such as NIST SP 800-53 Rev 5), Profile (a tailored subset defining the target baseline), Component Definition (reusable security components and the controls they satisfy), System Security Plan (system-specific implementation documentation), Assessment Plan and Assessment Results (3PAO-facing test plans and findings), and Plan of Action and Milestones (open findings and remediation).
Can I write OSCAL by hand?
Technically yes, practically no. A Moderate baseline SSP in OSCAL JSON runs thousands of lines with exact cross-references and unforgiving schema validation. Hand-writing OSCAL is slower than producing the equivalent Word document, not faster. The practical path is to generate OSCAL from the underlying source-of-truth systems.
What is an OSCAL Component Definition?
A Component Definition is an OSCAL document that describes a reusable security component (such as an MDR platform, a hardened operating system, or a managed database service) along with the controls that component satisfies. Inheritable services publish Component Definitions that customers reference in their SSPs. Cybertorch publishes a Component Definition documenting the inheritable controls customers receive from the Class D platform.
What is the difference between OSCAL and the legacy SSP?
The legacy SSP is a Word document containing narrative descriptions of how each control is implemented. The OSCAL SSP is a JSON object containing structured fields: control identifier, implementation status, responsible role, parameters, inheritance references, and links to evidence. The OSCAL SSP is machine-readable, validatable against a schema, and consumable by tooling. The legacy SSP is none of those things.
How does OSCAL relate to continuous monitoring?
Under 20x, OSCAL documents are updated continuously, not periodically. A control implementation change triggers an SSP update. A finding triggers a POA&M update. A Significant Change Notice triggers updates across multiple documents. The OSCAL package is the system of record for the security posture, with continuous monitoring as the production pipeline that updates it.
Do agencies need to adopt OSCAL tooling too?
Yes, on a separate timeline. Agencies that consume FedRAMP packages will adopt OSCAL-consuming tooling as the package format transitions. The agency-side adoption is outside the scope of RFC-0024 but is a parallel program workstream.
What is the role of the 3PAO under OSCAL?
3PAOs produce the OSCAL Assessment Plan and Assessment Results as part of their assessment deliverables. Under 20x, the 3PAO role shifts from annual auditor to continuous collaborator, with the OSCAL Assessment Results updated as findings open and close. The Auditor Co-Pilot capability in NISTCompliance.AI is designed for this role: 3PAOs and C3PAOs query the OSCAL package and the underlying evidence in natural language during continuous assessment.
How does NISTCompliance.AI generate OSCAL?
NISTCompliance.AI ingests evidence from your control implementations across 800-plus NIST SP 800-53 Rev 5 controls and generates the complete OSCAL package as an output. The platform handles SSP generation, POA&M tracking, Component Definition references for inherited platforms, and cross-framework mapping that satisfies FedRAMP plus CMMC plus FISMA from a single evidence base. OSCAL is produced from the control evidence rather than written by hand.
What if my OSCAL package fails schema validation?
A package that does not validate is not a package. FedRAMP will not accept a submission that fails OSCAL schema validation. The schema constraints are strict: required fields, format constraints, enumerated values, exact cross-references. Providers should run end-to-end OSCAL generation cycles now to surface validation issues well before the September 2026 deadline.