Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

3rd Open Security Controls Assessment Language (OSCAL) Workshop

The National Institute of Standards and Technology hosted on Tuesday, March 1st, and Wednesday, March 2nd, 2022, the third workshop in the series focusing on the Open Security Controls Assessment Language (OSCAL).

Setting the foundation for security automation, with particular focus on the continuous authorization to operate (ATO) processes and continuous monitoring, OSCAL provides machine-readable representations of control catalogs, control baselines or profiles, system security plans, assessment plans, assessment results, and plan of actions and milestones, in a set of formats expressed in XML, JSON, and YAML.

Day one of the workshop will highlight OSCAL 1.0.0 layers and models, with the goal to familiarize the audience with the OSCAL architecture, formats, how these models can be used to support security assessment automation, continuous monitoring, continuous ATO and development, security and operations (DevSecOps). Additionally, the audience will be introduced to the NIST SP 800-53 (Rev4 and Rev5) catalogs, assessment objectives, and associated baselines in OSCAL.

Day two of the workshop will explore OSCAL-based automation solutions, starting with the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office’s (PMO) efforts to digitalize authorization packages submitted in OSCAL, will present FedRAMP’s updated OSCAL resources that include a comprehensive set of guides for additional deliverables.

Based on the responses received to our Call for Proposals (see below), NIST’s team was able to organize an inspiring event that demonstrates OSCAL's international adoption and brings in front of our audience some of the most prestigious names that share the same passion for new advancements in security automation. A complete list of speakers and their bio (in the order of their scheduled talks) can be found here.

The OSCAL project and this workshop series are aligned with NIST’s mission of promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST works to maximize its impact and mission fulfillment by positioning itself to anticipate future technology trends and develop the most important measurements and standards products that are aligned with industry drivers and needs.

The workshop will provide attendees an opportunity to familiarize themselves and build skills in the development and use of OSCAL. We encourage developers of control-oriented security tools and organizations that want to use or create OSCAL-based information, to register and attend the workshop.

Who should attend:

  • Leaders in digital transformation and security automation from the government, private, and academic sectors;
  • Vendors of security automation tools who are considering implementing OSCAL formats in their tools;
  • Participants in standard development organizations focusing on developing and publishing control catalogs and baselines;
  • System owners from the government, private, and academic sectors, who want to streamline the documentation of controls used in their information systems.




March 1, 2022:
Welcome, Introduction and Administrative issues (no slides) - video:D1,Part1

      Matthew Scholl, Chief, Computer Security Division, NIST

Visionary Keynote (no slides) - video: D1,Part1(T09:47)

      André Mendez, CIO, DoC

What is OSCAL and Who Needs It? - video: D1,Part1(T34:57)

      Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST

      David Waltermire, OSCAL Technical Director, NIST

FedRAMP Automation - video: D1,Part2

      Zach Baldwin, Program Manager for Strategy, Innovation, and Technology, FedRAMP, GSA

      Gary Gapinski, Security and XML Engineer, Flexion Inc. 

      Thomas Volpe Sr., CIO, VITG Inc.

Parallel Tracks
Track 1: OSCAL from Zero to Automation Hero - video: D1,Track1

      Alexander (AJ) Stein, OSCAL team member, NIST 

      Dr. Wendell Piez, OSCAL team member, NIST

Track 2: Achieving Continuous Authorization to Operate (ATO) with OSCAL - video: D1,Track2

      Jasson Walker, President, cFocus Software

Track 3: DevSecComp(liance)Ops with OSCAL - video: D1,Track3

      Ray Gauss, Director of Innovation, Easy Dynamics

Track 4: OSCAL Tools: Open Source XSLT for OSCAL - video: D1,Track4

      Dr. Wendell Piez, OSCAL team member, NIST

Track 5: Leveraged Authorizations to Operate - video: D1,Track5

      Jasson Walker, President, cFocus Software

Track 6: Accelerating FedRAMP, FISMA and CMMC ATO’s with OSCAL - video: D1,Track6

      Gaurav (GP) Pal, Principal/SME, StackArmorMartin Rieger, Chief Solutions Officer, StackArmor

Bloss@m - Security Assessment Automation with OSCAL - video:D2,Part3

       Alexander (AJ) Stein, OSCAL team member, NIST

       Nikita Wootten, OSCAL team member, NIST

NIST SP 800-53: Empowered by OSCAL - video:D1,Part3(T:28:41)

      Victoria Pillitteri, Group Manager, ITL/CSD, NIST

Automate the Transition to NIST SP 800-53 Rev. 5 with OSCAL- video:D1,Part4

      Jasson Walker, President, cFocus Software

March 1, 2022:
Opening Remarks (no slides) - video:D2,Part1

      Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST

Exchange Protocol for Third Party Tool Integrations via OSCAL (IBM) - video:D2,Part1(T05:48)

      Anca Sailer, SME, STSM, IBM Research

      Vikas Agarwal, Ph.D., Senior Researcher, SME, IBM Research 

      Lou DeGenaro, Senior Engineer, IBM Research

Initial Experiences with OSCAL and Continuous Monitoring in the EU Cybersecurity Certification Scheme for Cloud Services - video:D2,Part1(T36:50)

      Dr. Jesus Luna Garcia, Bosch, Germany

AWS and Implementation of OSCAL video:D2,Part2

      Matthew Donkin, SME, AWS

      Douglas Boldt, Solutions Architect, AWS

Adopting OSCAL to Deliver the Latest NIST SP 800-53 Control Catalog to the CSAM Community - video:D2,Part2(T26:46)

      Ramon Burks, CSS Assistant Director, DoJ/CSAM

      Adam Oline, Technical Lead, CyberBalance, LLC, DoJ/CSAM

Parallel Tracks
Track 1: OSCAL Deep Diff Tool - video: D2,Track1

       Nikita Wootten, OSCAL team member, NIST

Track 2: Ignyte Assurance Platform OSCAL Component Aggregation Techniques - video: D2,Track2

      Max Aulakh, Managing Director, Ignyte Assurance Platform

Track 3: “TURBOTAX-STYLE” Authoring of OSCAL Files - video: D2,Track3 

      Valinder Mangat, CIO, DRT Strategies

Track 4:  Entertainment – NIST documentaries
Track 5: Continuous ATO Demonstration Using OSCAL with Automated Assessments and Risk Modeling - video: D2,Track5

      J. Travis Howerton, Co-Founder and CTO, RegScale

Track 6: Getting a Head Start on Automating Your FedRAMP ATO Using OSCAL in Xacta360 - video: D2,Track6

      Jet Ryan, XACTA Solutions Architect, Telos

Kubernetes Policy Result Standardization via OSCAL (IBM) - video:D2,Part3

      Anca Sailer, SME, STSM, IBM Research

      Jaya Ramanathan, Ph.D., Chief Security and Governance Architect, Red Hat

      Jim Bugwadia, CEO, NirmataRobert Ficcaglia, CTO, SunStone Secure

Leading with OSCAL: The Crystallization of OSCAL-enabled Commercial Sector Use Case - video:D2,Part3(T30:12)

      Adam Brand, Managing Director, KPMG 

      Thomas Nash, Director, KPMG

The Applicability of OSCAL for Healthcare - video:D2,Part3(T59:10)

      Vikas Khosla, Chief Digital Health Officer, Intraprise Health

Continuous, Automated Compliance with OSCAL - video:D2,Part4

      Conner Phillippi, Senior Compliance Solutions Manager, Product Manager, Secureframe 

      Apostolos Delis, Software Engineer, Secureframe

OSCAL Roadmap: From Strategy to Vision - video:D2,Part4(T29:10)

      David Waltermire, OSCAL Technical Director, NIST

Closing Remarks and Adjourn (no slides) - video:D2,Part4(T50:02)

      Matthew Scholl, Chief, Computer Security Division, NIST


The 2022 NIST OSCAL Workshop program committee is seeking timely, topical, and thought-provoking presentations or demonstrations highlighting OSCAL-based security assessment automation processes or Governance Risk and Compliance (GRC) tools supporting OSCAL formats for integration into such processes.

We encourage proposals from a diverse array of organizations and individuals with different perspectives, from the public and private sectors, international bodies, assessment and authorization (A&A), or certification and authorization (C&A) providers.

Submissions must incorporate, in addition to the title, speaker information (bio and photo), a brief abstract, and proof of OSCAL support or integration into the tool, process, or solution.

Proposals will be evaluated and selected based on the quality of the written proposal, the topic proposed the proof of OSCAL integration.

Submission Deadline: midnight, EST, January 31, 2022.
Submit your proposal via email to, with the subject line: “OSCAL 2022 CFP”.
Accepted Proposals Notification: no later than midnight, EST, February 16, 2022.


Dr. Michaela Iorga

Links to previous OSCAL workshops from this series:

2019: Open Security Controls Assessment Language (OSCAL) Workshop

2021: 2nd Open Security Controls Assessment Language (OSCAL) Workshop 


Created December 08, 2021, Updated April 17, 2023