The National Institute of Standards and Technology hosted on Tuesday, March 1st, and Wednesday, March 2nd, 2022, the third workshop in the series focusing on the Open Security Controls Assessment Language (OSCAL).
Setting the foundation for security automation, with particular focus on the continuous authorization to operate (ATO) processes and continuous monitoring, OSCAL provides machine-readable representations of control catalogs, control baselines or profiles, system security plans, assessment plans, assessment results, and plan of actions and milestones, in a set of formats expressed in XML, JSON, and YAML.
Day one of the workshop will highlight OSCAL 1.0.0 layers and models, with the goal to familiarize the audience with the OSCAL architecture, formats, how these models can be used to support security assessment automation, continuous monitoring, continuous ATO and development, security and operations (DevSecOps). Additionally, the audience will be introduced to the NIST SP 800-53 (Rev4 and Rev5) catalogs, assessment objectives, and associated baselines in OSCAL.
Day two of the workshop will explore OSCAL-based automation solutions, starting with the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office’s (PMO) efforts to digitalize authorization packages submitted in OSCAL, will present FedRAMP’s updated OSCAL resources that include a comprehensive set of guides for additional deliverables.
Based on the responses received to our Call for Proposals (see below), NIST’s team was able to organize an inspiring event that demonstrates OSCAL's international adoption and brings in front of our audience some of the most prestigious names that share the same passion for new advancements in security automation. A complete list of speakers and their bio (in the order of their scheduled talks) can be found here.
The OSCAL project and this workshop series are aligned with NIST’s mission of promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST works to maximize its impact and mission fulfillment by positioning itself to anticipate future technology trends and develop the most important measurements and standards products that are aligned with industry drivers and needs.
The workshop will provide attendees an opportunity to familiarize themselves and build skills in the development and use of OSCAL. We encourage developers of control-oriented security tools and organizations that want to use or create OSCAL-based information, to register and attend the workshop.
Who should attend:
Matthew Scholl, Chief, Computer Security Division, NIST
André Mendez, CIO, DoC
Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST
David Waltermire, OSCAL Technical Director, NIST
Zach Baldwin, Program Manager for Strategy, Innovation, and Technology, FedRAMP, GSA
Gary Gapinski, Security and XML Engineer, Flexion Inc.
Thomas Volpe Sr., CIO, VITG Inc.
Alexander (AJ) Stein, OSCAL team member, NIST
Dr. Wendell Piez, OSCAL team member, NIST
Jasson Walker, President, cFocus Software
Ray Gauss, Director of Innovation, Easy Dynamics
Dr. Wendell Piez, OSCAL team member, NIST
Jasson Walker, President, cFocus Software
Gaurav (GP) Pal, Principal/SME, StackArmorMartin Rieger, Chief Solutions Officer, StackArmor
Alexander (AJ) Stein, OSCAL team member, NIST
Nikita Wootten, OSCAL team member, NIST
Victoria Pillitteri, Group Manager, ITL/CSD, NIST
Jasson Walker, President, cFocus Software
Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST
Anca Sailer, SME, STSM, IBM Research
Vikas Agarwal, Ph.D., Senior Researcher, SME, IBM Research
Lou DeGenaro, Senior Engineer, IBM Research
Dr. Jesus Luna Garcia, Bosch, Germany
Matthew Donkin, SME, AWS
Douglas Boldt, Solutions Architect, AWS
Ramon Burks, CSS Assistant Director, DoJ/CSAM
Adam Oline, Technical Lead, CyberBalance, LLC, DoJ/CSAM
Nikita Wootten, OSCAL team member, NIST
Max Aulakh, Managing Director, Ignyte Assurance Platform
Valinder Mangat, CIO, DRT Strategies
J. Travis Howerton, Co-Founder and CTO, RegScale
Jet Ryan, XACTA Solutions Architect, Telos
Anca Sailer, SME, STSM, IBM Research
Jaya Ramanathan, Ph.D., Chief Security and Governance Architect, Red Hat
Jim Bugwadia, CEO, NirmataRobert Ficcaglia, CTO, SunStone Secure
Adam Brand, Managing Director, KPMG
Thomas Nash, Director, KPMG
Vikas Khosla, Chief Digital Health Officer, Intraprise Health
Conner Phillippi, Senior Compliance Solutions Manager, Product Manager, Secureframe
Apostolos Delis, Software Engineer, Secureframe
David Waltermire, OSCAL Technical Director, NIST
Matthew Scholl, Chief, Computer Security Division, NIST
The 2022 NIST OSCAL Workshop program committee is seeking timely, topical, and thought-provoking presentations or demonstrations highlighting OSCAL-based security assessment automation processes or Governance Risk and Compliance (GRC) tools supporting OSCAL formats for integration into such processes.
We encourage proposals from a diverse array of organizations and individuals with different perspectives, from the public and private sectors, international bodies, assessment and authorization (A&A), or certification and authorization (C&A) providers.
Submissions must incorporate, in addition to the title, speaker information (bio and photo), a brief abstract, and proof of OSCAL support or integration into the tool, process, or solution.
Proposals will be evaluated and selected based on the quality of the written proposal, the topic proposed the proof of OSCAL integration.
Submission Deadline: midnight, EST, January 31, 2022.
Submit your proposal via email to oscal2022@nist.gov, with the subject line: “OSCAL 2022 CFP”.
Accepted Proposals Notification: no later than midnight, EST, February 16, 2022.
2019: Open Security Controls Assessment Language (OSCAL) Workshop
2021: 2nd Open Security Controls Assessment Language (OSCAL) Workshop
Starts: March 01, 2022 - 11:00 AM EST
Ends: March 02, 2022 - 05:00 PM EST
Format: Virtual Type: Workshop
Attendance Type: Open to public
Audience Type: Industry,Government,Academia
Virtual event
Security and Privacy: controls assessment, general security & privacy, privacy controls, security automation, security controls, system authorization