Presentation

From Security Compliance to Resilience: Continuous Assurance with OSCAL

April 16, 2026

Presenters

Michaela Iorga - OSCAL Strategic Outreach Director - NIST

Selena Xiao - Computer Scientist - NIST


Description

This immersive, hands-on training equips cybersecurity professionals, security assessors, and auditors with practical skills for applying the Open Security Controls Assessment Language (OSCAL) in real-world assessment and authorization workflows. Participants move beyond theory to actively codify regulations, implemented controls, and assessment results in OSCAL, enabling repeatable, automatable, and scalable security assessments. Through guided exercises and realistic scenarios, the session demonstrates how OSCAL transforms traditional, point-in-time compliance activities into data-driven, continuous assurance processes aligned with modern risk management, continuous authorization, and resilient system design.

Learning Objectives:

  • Apply OSCAL fundamentals by creating, interpreting, and using OSCAL catalogs, profiles, and assessment artifacts in security assessments and audits.
  • Modernize assessment and audit practices by leveraging OSCAL to automate workflows that support ongoing monitoring, improve accuracy and consistency, and enhance traceability across systems and infrastructure layers.
  • Enable continuous authorization and system resilience by using OSCAL-based assessment data to continuously evaluate control effectiveness and support timely risk-informed decision-making.

System Requirements:

  • Personal computer with an up-to-date operating system.
  • Additional details will be provided prior to the event on tools that should be installed prior to the workshop.

Prerequisites:

  • Information security and risk management foundations, security controls and ATO workflows, and security assessment artifacts (see NIST SP 800-37 and NIST SP 800-53).
  • Participants should be fluent in the following Domains and Required Knowledge:
    • Risk: Threats, vulnerabilities, likelihood, impact, risk
    • Controls: What a security control is, how it mitigates risk
    • NIST: SP 800-53 control families and structure
    • ATO: SSP, SAR, POA&M, continuous monitoring
    • Governance: Who owns controls, who assesses, who authorizes
  • Participants should understand the following concepts:
    • Control IDs
    • Control Enhancements
    • Inheritance and overlays
    • Control implementation statements
  • Students must be able to answer questions like:
    • What is the difference between a control and an implementation statement?
    • What is the role of evidence in a security assessment?
    • How does a POA&M relate to risk?
  • Participants should know what the following documents represent:
    • A System Security Plan (SSP)
    • A Security Assessment Plan (SAP)
    • A Security Assessment Report (SAR)
    • A POA&M
  • Basic understanding of data modeling, structured data, and schema-driven validation.
  • Basic understanding of the difference between a file format and a formal data model with its schemas.
  • Basic familiarity with the XML format.
  • Ability to read XML representations and to understand the scope of the XSD schemas used to validate structured data.

Created April 09, 2026