Open Security Controls Assessment Language (OSCAL)
We are pleased to announce the publication of OSCAL 1.0.0 Release Candidate (RC) 2. This is the second full draft release of OSCAL 1.0.0 which is made available for public review and feedback before releasing the final OSCAL 1.0.0.
Please provide feedback by May 7, 2021 by emailing the NIST OSCAL team at [email protected] or by creating an issue on our GitHub repository.
The OSCAL 1.0.0 RC 2 includes:
Changes in this release are focused on the following major areas:
prop
that now allows an optional remarks
and uuid
.task
and action
have been combined.local-definitions
in the assessment plan, assessment results, and POA&M models has been simplified and made more consistent.<any>
and JSON additonalProperties
for arbitrary extensions based on community discussion. Extended data can still be provided using link
declarations to external content. This decision can be revisited in future revisions once there is more implementation experience with the OSCAL models.link
relations: latest-version
, predecessor-version
, and successor-version
to allow an OSCAL document to link to latest, previous, and next document revisions.To download this release, click on Assets below and download either the .zip or the *.tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.
These changes were made based on all the excellent feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.
We are pleased to announce the publication of OSCAL 1.0.0 Release Candidate 1 (RC1). This is a full draft release of OSCAL 1.0.0 which is made available for public review and feedback before releasing the final OSCAL 1.0.0.
The OSCAL 1.0.0 RC1 includes:
These changes were made based on all the excellent feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.
The NIST team is also maintaining OSCAL content that is updated to the latest OSCAL 1.0.0 RC1. The OSCAL content repository provides OSCAL examples, in addition to the final NIST SP 800-53 revision 5 catalog and the final security and privacy NIST SP 800-53B baselines. All this content is provided in XML, JSON and YAML formats, including the following:
To download this release, click on Assets below and download either the .zip or the *.tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.
The OSCAL team is working to release OSCAL 1.0.0 FINAL. To this end, we appreciate any feedback you have on the updated RC1 models. Receiving your comments is instrumental for our team to make the OSCAL 1.0.0 FINAL release as robust as is feasible, and to address any gaps that might cause backwards compatibilities between future OSCAL minor releases (e.g., 1.1.0, 1.2.0) and OSCAL 1.0.0.
At our end, we will continue the development of OSCAL focusing our full attention on providing a more complete set of documentation for all the OSCAL layers and models, creating more examples, and providing a diverse set of tutorials.
NIST is also seeking tool developers, vendors, and service providers that would like to implement the OSCAL 1.0.0 models in commercial and open-source offerings. To provide feedback, to ask questions, or to let us know about an OSCAL implementation you are working on, please email the NIST OSCAL team at [email protected]. You can also post publicly to the OSCAL development list: [email protected] or create an issue on our GitHub repository.
Please find instructions for joining the OSCAL development and update lists on our contacts page.
We are pleased to announce the release of OSCAL 1.0.0 Milestone 3. This is the third official milestone pre-release of OSCAL, and marks the last pre-release milestone for OSCAL v1. At this point we have drafts of all the models we intended to produce for OSCAL v1 and will now start working towards producing a full initial release of OSCAL v1, which will be v1.0.0.
This release contains:
To download this release, click on "Assets" below and download either the .zip or the .tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.
The OSCAL team will continue the development of OSCAL focusing our full attention on providing a more complete set of documentation for all the OSCAL layers and models, creating more examples, and providing a diverse set of tutorials. We will continue to collect feedback from the community on the OSCAL models. We are also seeking tool developers, vendors, and service providers that would like to implement the OSCAL models in commercial and open source offerings. To provide feedback, to ask questions, or to let us know about an OSCAL implementation you are working on, please email the NIST OSCAL team at [email protected]. You can also post publicly to the OSCAL development list: [email protected].
There are instructions for joining the OSCAL development and update lists on our contacts page.
We are pleased to announce the release of OSCAL 1.0.0 Milestone 2. This is the second official release of OSCAL, and marks another important milestone for the OSCAL project.
This release contains: • A new system security plan (SSP) model that allows organizations to document the security and privacy control implementation of their systems using a rich OSCAL model. • Updated stable versions of the OSCAL catalog and profile models, along with associated XML and JSON schemas. • Updated content in OSCAL XML, JSON, and YAML formats for the NIST SP 800-53 revision 4 catalog, and for the three NIST and four FedRAMP baselines. • Provides tools to convert OSCAL catalog, profile, and SSP content between OSCAL XML and JSON formats.
To download this release, click on "Assets" below and download either the .zip or the .tar.bz2 bundle. These bundles contain the resources described above. There is also release notes containing a summary of changes in this release.
The OSCAL team will continue the development of OSCAL focusing our full attention on finalizing the Component model as part of the implementation layer. The OSCAL Component model will allow organizations producing hardware, software, services, policies, processes, and proceedures to document information on the controls implemented in these offerings. Organizations can import component definitions into an OSCAL SSP, saving time and improving the richness of the documented system implementation. Stable versions of this work will be featured in our next release, OSCAL 1.0.0 Milestone 3.
We are seeking feedback from the community on the current OSCAL Catalog, Profile, and SSP models. We are also seeking tool developers and vendors that would like to implement these models in commercial and open source offerings. To further validate the implementation layer's functionality and flexibility, NIST is seeking software and service providers that are willing to work with us to represent control implementation information about their products. To provide feedback or to ask questions, please email the NIST OSCAL team at [email protected]. You can also post publicly to the OSCAL development list: [email protected].
There are instructions for joining the OSCAL development and update lists on our contributing page.
We are pleased to announce the release of OSCAL 1.0.0 Milestone 1. As the first official release of OSCAL, this release marks an important milestone for the OSCAL project.
The release contains:
To download this release, click on "Assets" below and download either the .zip or the .tar.bz2 bundle. These bundles contain the resources described above.