Mats Nählinder
CEO, SunStone Secure
SunStone OSCAL PlugFest
May 15, 2025

At the recent SunStone OSCAL PlugFest, held in May 2025, SunStone Secure CEO and Co-Founder Mats Nählinder opened the event with a clear and urgent message: “We’re here to make OSCAL come alive.”

This PlugFest wasn’t just a one-day conference; it was a working session designed to test the interoperability of OSCAL (Open Security Controls Assessment Language) artifacts across different players in the FedRAMP ecosystem. As Mats put it, “We generate something, and the rest of us try to read it… so we can get all of the bugs out—or some of them at least.”

Why PlugFest Now?

Mats acknowledged that when planning for this event, the timing was uncertain. But the recent announcement of FedRAMP 20X, which emphasizes automation and machine-readable ATO submissions, proved the moment was right.

“Now OSCAL is more relevant than ever, because FedRAMP 20X is saying automated ATOs are the way forward.”

Yet, he noted, OSCAL’s formal mandate has been rolled back, making it more important than ever for the community itself to demonstrate that OSCAL delivers value. That’s where PlugFest came in, building momentum through collaboration, testing, and shared solutions.

SunStone’s OSCAL-First Approach

SunStone is a Compliance-as-a-Service (CaaS) provider specializing in NIST frameworks and FedRAMP. With over a dozen FedRAMP projects underway (and many already listed on the FedRAMP Marketplace), SunStone has built a modern, automated compliance platform with OSCAL at its core.

Here’s how:

  • Digital Twins for Compliance: SunStone builds a compliance-specific digital twin of each customer’s system, not for functionality, but for control mapping and telemetry.

  • Automation-Driven Efficiency: All compliance data—evidence, control testing, and documentation—is ingested and structured using an OSCAL-native schema.

  • Rapid Implementation: SunStone has completed full FedRAMP system builds and made them assessment-ready in as little as 30 days, with more typical timelines ranging from 60 to 90 days.

  • Cost-Effective Results: The full pre-assessment phase (including documentation, gap analysis, remediation, and software) can cost under $50,000.

  • ConMon Savings: Ongoing compliance monitoring reduces staffing needs by up to 80%.

“We’re not a tools vendor per se,” Mats emphasized, “but we’ve built automation tooling internally that makes us far more efficient.”

Leading by Example: OSCAL Submission to FedRAMP 20X

In a major announcement, Mats shared that SunStone will be submitting its full ATO package to FedRAMP 20X entirely in OSCAL—including automated testing results via the KSI (Knowledge, Skills, and Implementation) rig.

“We will, within days, submit our platform to the FedRAMP 20X ATO—and it will be in OSCAL, automatically tested, and continuously updated.”

What’s Next?

The PlugFest agenda included presentations from OSCAL experts at IBM and Schellman, as well as a deep dive from SunStone CTO Robert Ficcaglia on how participants would collaborate and test OSCAL documents in real time.

Mats closed with a nod to SunStone’s broader goal: pushing for ecosystem-wide automation and compatibility.

“Our OSCAL works in our environment. Now we want to make sure the rest of the ecosystem works with it too.”

About SunStone Secure

SunStone helps cloud service providers achieve and maintain compliance faster through automation, OSCAL-native architecture, and deep expertise in FedRAMP and other NIST frameworks.