Open Security Controls Assessment Language (OSCAL)
NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, XML-, JSON-, and YAML-based formats that provide a standardized representations of information pertaining to the publication, implementation, and assessment of security controls. OSCAL is being developed through a collaborative approach with the public. Public contributions to this project are welcome.
With this effort, we are stressing the agile development of a set of minimal formats that are both generic enough to capture the breadth of data in scope (controls specifications), while also capable of ad-hoc tuning and extension to support peculiarities of both (industry or sector) standard and new control types.
If you are interested in contributing to the development of OSCAL, refer to the contributor guidance for more information.
OSCAL 1.0.0 was released on June 7, 2021. The full announcement can be found below:
The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.0. This first official, major release of OSCAL provides a stable OSCAL 1.0.0 for wide-scale implementation. This release marks an important milestone for the OSCAL project and for the earlier adopters and implementers of security automation with OSCAL.
This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.
For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.
There are also release notes containing a summary of changes in this and previous releases.
These changes were made based on all the excellent feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.
The NIST team is also maintaining OSCAL content that is updated to the latest OSCAL revision. The OSCAL content repository provides OSCAL examples, in addition to:
- The NIST SP 800-53 revision 5 catalog and the security and privacy NIST SP 800-53B baselines.
- The NIST SP 800-53 revision 4 catalog and the three NIST SP 800-53 revision 4 baselines.
- The FedRAMP SP 800-53 revision 4 baselines. Please note, these baselines are also available on GSA/fedramp-automation repository.
All of this OSCAL content is provided in XML, JSON and YAML formats.
The NIST team will continue the development in collaboration with the OSCAL community. Future efforts will include providing a more complete set of documentation for all the OSCAL layers and models, creating more examples, and providing a diverse set of tutorials.
NIST is also seeking tool developers, vendors, and service providers that would like to implement the OSCAL 1.0.0 models in commercial and open-source offerings. To provide feedback, to ask questions, or to let us know about an OSCAL implementation you are working on, please email the NIST OSCAL team at [email protected]. You can also post publicly to the OSCAL development list: [email protected] or create an issue on our GitHub repository.
Please find instructions for joining the OSCAL development and update lists on our contacts page.
NIST is seeking software and service providers that are willing to work with us to represent control implementation information about their products. Please email us at [email protected] if you are interested.