NIST, in collaboration with the industry, is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, formatted, XML- JSON- and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls.
The OSCAL website provides an overview of the OSCAL project, including tutorials, concepts, references, downloads, and much more.
OSCAL is organized in a series of layers that each provides a set of models.
A model represents an information structure supporting a specific operational purpose or concept.
Each model is comprised of information structures that form an information model for each OSCAL model. This information model is then bound to multiple serialization formats (i.e., XML, JSON, YAML), which represent a concrete data model. Thus, a data model that defines how to represent an OSCAL information model in a serialized format. While the syntax of each format differs, all formats for a given model represent the same set of information or information model. In this way, OSCAL content expressed in one of the supported formats ( XML, JSON, or YAML) can be translated into any of the other supported formats without data loss.
The OSCAL layers and models are:
The release state of each model, along with download links for the latest versions of XML and JSON schema for each model are provided in the table, below. YAML is also supported through conversion between JSON and YAML. Since YAML is a superset of JSON, some YAML tooling allows JSON schema to be used for YAML validation. In this way, the provided JSON schema supports both JSON and YAML.
Layer | Model | Current State | Reference | Schemas |
---|---|---|---|---|
Control | Catalog | Released | XML, JSON, YAML | XML, JSON/YAML |
Control | Profile | Released | XML, JSON, YAML | XML, JSON/YAML |
Implementation | Component Definition | Released | XML, JSON, YAML | XML, JSON/YAML |
Implementation | System Security Plan | Released | XML, JSON, YAML | XML, JSON/YAML |
Assessment | Assessment Plan | Released | XML, JSON, YAML | XML, JSON/YAML |
Assessment | Assessment Results | Released | XML, JSON, YAML | XML, JSON/YAML |
Assessment | Plan of Action and Milestones | Released | XML, JSON, YAML | XML, JSON/YAML |
The OSCAL GitHub repository holds the actual OSCAL schemas, examples, documentation source files, and other resources. The NIST team welcomes public contributions to this project. If you are interested in contributing, please review the contributor documentation for ideas and information on how to get started.
NIST also maintains several public GitHub repositories associated with the OSCAL project:
OSCAL content maintained by NIST:
https://github.com/usnistgov/oscal-content
OSCAL tools and libraries:
https://github.com/usnistgov/liboscal-java
https://github.com/usnistgov/oscal-deep-diff
OSCAL Metaschema:
https://github.com/usnistgov/metaschema
NIST team welcomes public contributions to this project. If you are interested in contributing, please review the contributor documentation for ideas and information on how to get started.
The NIST OSCAL team is hosting a new series of monthly mini workshops that aims to address topics of interest for our community and to open this forum for its members to present their OSCAL-related work. Unless specifically stated, the workshops will not require a deep, technical understanding of OSCAL, and the dialog is informal, allowing the community to interact with the presenters and with the OSCAL team members.
NIST OSCAL Mini Workshop program committee is seeking timely, topical, and thought-provoking technical presentations or demonstrations highlighting OSCAL editorial tools, OSCAL-based security assessment automation processes, and Governance Risk and Compliance (GRC) tools supporting OSCAL formats for integration into such processes.
NIST does not endorse any of the OSCAL tools or services presented. Presentations or demos promoting such tools or services, as opposed to focusing on the OSCAL-related technical aspects, will not be permitted.
We encourage proposals from a diverse array of organizations and individuals with different perspectives, from the public and private sectors, international bodies, assessment and authorization (A&A), or certification and authorization (C&A) providers.
Please find below the calendar of proposed dates. Before submitting a proposal, please consult the calendar and indicate the preferred date with your submission and the duration of your presentation (30 min or 60 min, including Q&A). We will do our best to update the calendar as soon as a submission is approved.
Submit your proposal via email to oscal@nist.gov, with the subject line: “OSCAL Workshop - [Date: yyyy/mm/dd]”, where the “Date” is the selected date from the calendar below. Please include in your submission a pre-assessment of the OSCAL knowledge level the audience will need using a 4-levels scale with level one (L1/bronze) being equivalent to novice and level four (L4/platinum) being an OSCAL expert.
Meeting URL:
https://bluejeans.com/743906781/9254
Meeting ID: 743 906 781
Participant Passcode: 9254
Phone: +1.202.795.3352 (United States (Washington DC))
(see all numbers - https://www.bluejeans.com/numbers)
- 05/18/2022:
- 06/15/2022:
- 07/13/2022:
- 08/10/2022:
- 09/07/2022:
- 10/05/2022:
- 11/02/2022:
Security and Privacy: assurance, audit & accountability, controls assessment, risk assessment, security automation, system authorization, systems security engineering
Technologies: cloud & virtualization