Open Security Controls Assessment Language (OSCAL): V. 1.0.0, Milestone 1
June 21, 2019

NIST is pleased to announce the first official release of the Open Security Controls Assessment Language (OSCAL), Version 1.0.0 - Milestone 1. The release contains:

  • Stable versions of the OSCAL catalog and profile models in XML and JSON formats with associated XML and JSON schemas
  • Draft versions of the NIST SP 800-53, Rev. 4 OSCAL content and FedRAMP baselines in OSCAL XML, JSON, and YAML formats
  • Content converters capable of accurately converting between OSCAL catalog and profile content in OSCAL XML to OSCAL JSON format

The development of OSCAL will continue with primary focus on the finalization of the OSCAL implementation layer, which is intended to support the expression of system security plans (SSPs) in machine-readable OSCAL formats and allow software and service vendors to document the controls implemented in their offerings. Stable versions of this work will be featured in the next release, OSCAL Version 1.0.0 - Milestone 2.

The current experimental OSCAL implementation layer is being validated as part of a pilot with GSA/FedRAMP to ensure that the necessary functionality and adequate flexibility are provided to support a wide variety of SSPs. To further validate the implementation layer's functionality and flexibility, NIST is seeking software and service providers to help represent control implementation information about their products. Please email if you are interested.

Future releases can be found at, and additional information on the OSCAL project can be found at If you have any questions regarding OSCAL or the Milestone 1 release, or if you would like to become involved with the OSCAL project, please contact

Created June 21, 2019, Updated June 22, 2020