U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Computer Security Resource Center

Computer Security Resource Center

This is an archive
(replace .gov by .rip)
Projects

Open Security Controls Assessment Language OSCAL

Overview

NIST, in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, formatted, XML- JSON- and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls.

The OSCAL website provides an overview of the OSCAL project, including tutorials, concepts, references, downloads, and much more.

OSCAL is organized in a series of layers that each provides a set of models

A model represents an information structure supporting a specific operational purpose or concept.

Each model is comprised of information structures that form an information model for each OSCAL model. This information model is then bound to multiple serialization formats (i.e., XML, JSON, YAML), which represent a concrete data model. Thus, a data model that defines how to represent an OSCAL information model in a serialized format. While the syntax of each format differs, all formats for a given model represent the same set of information or information model. In this way, OSCAL content expressed in one of the supported formats ( XML, JSON, or YAML) can be translated into any of the other supported formats without data loss.

The OSCAL layers and models are:

The release state of each model, along with download links for the latest versions of XML and JSON schema for each model are provided in the table, below. YAML is also supported through conversion between JSON and YAML. Since YAML is a superset of JSON, some YAML tooling allows JSON schema to be used for YAML validation. In this way, the provided JSON schema supports both JSON and YAML.

Layer Model Current State Reference Schemas
Control Catalog Released XML, JSON, YAML XMLJSON/YAML
Control Profile Released XML, JSON, YAML XMLJSON/YAML
Implementation Component Definition Released XML, JSON, YAML XMLJSON/YAML
Implementation System Security Plan Released XML, JSON, YAML XMLJSON/YAML
Assessment Assessment Plan Released XML, JSON, YAML XMLJSON/YAML
Assessment Assessment Results Released XML, JSON, YAML XMLJSON/YAML
Assessment Plan of Action and Milestones Released XML, JSON, YAML XMLJSON/YAML

The OSCAL GitHub repository holds the actual OSCAL schemas, examples, documentation source files, and other resources. The NIST team welcomes public contributions to this project. If you are interested in contributing, please review the contributor documentation for ideas and information on how to get started.

NIST also maintains several public GitHub repositories associated with the OSCAL project:

OSCAL content maintained by NIST:

https://github.com/usnistgov/oscal-content

OSCAL tools and libraries:

https://github.com/usnistgov/liboscal-java

https://github.com/usnistgov/oscal-deep-diff

OSCAL Metaschema:

https://github.com/usnistgov/metaschema

NIST team welcomes public contributions to this project. If you are interested in contributing, please review the contributor documentation for ideas and information on how to get started.

Additional News:

OSCAL Mini Workshop Series

The NIST OSCAL team is hosting a new series of monthly mini workshops that aims to address topics of interest for our community and to open this forum for its members to present their OSCAL-related work. Unless specifically stated, the workshops will not require a deep, technical understanding of OSCAL, and the dialog is informal, allowing the community to interact with the presenters and with the OSCAL team members.

Please see below the call for proposals if you are interested in presenting your OSCAL work. To submit topics for discussion, please email us at oscal@nist.gov.

Join the events:

Meeting URL:

https://bluejeans.com/743906781/9254

Meeting ID: 743 906 781

Participant Passcode: 9254

Phone: +1.202.795.3352 (United States (Washington DC))

(see all numbers - https://www.bluejeans.com/numbers)

Presentations:

- 05/18/2022:

  • Compliance as Code for Big Bang Risk Management Framework (RMF) Control Mapping to Accelerate Department of Defense (DoD) Authorization to Operate (ATO)
    • Maj Camdon Cady, Chief Operating Officer, Platform One, US Airforce
    • Tom Runyon, Defense Unicorns
  • OSCAL Catalog Authoring Tool (CAT)
    • Dmitry Cousin, NIST

- 06/15/2022:

- 07/13/2022:

  • OSCAL Implementation: Early Lessons Learned
    • Matthew Donkin, AWS

- 08/10/2022:

  • Extreme Automation with OSCAL - Exercising the Full OSCAL Stack in a Next Generation GRC
    • Travis Howerton, Co-Founder, RegScale

Contacts

Michaela Iorga
michaela.iorga@nist.gov

David Waltermire
david.waltermire@nist.gov

Created April 24, 2018, Updated July 05, 2022