Open Security Controls Assessment Language OSCAL

NIST, in collaboration with the industry, is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, formatted, XML- JSON- and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls.

The OSCAL website provides an overview of the OSCAL project, including tutorials, concepts, references, downloads, and much more.

OSCAL is organized in a series of layers that each provides a set of models. 

A model represents an information structure supporting a specific operational purpose or concept.

Each model is comprised of information structures that form an information model for each OSCAL model. This information model is then bound to multiple serialization formats (i.e., XML, JSON, YAML), which represent a concrete data model. Thus, a data model defines how to represent an OSCAL information model in a serialized format. While the syntax of each format differs, all formats for a given model represent the same set of information or information model. In this way, OSCAL content expressed in one of the supported formats ( XML, JSON, or YAML) can be translated into any of the other supported formats without data loss.

The OSCAL layers and models are:

• Control Layer
  • Catalog model 
  •  Profile model 
• Implementation Layer
  • Component Definition model 
  • System Security Plan (SSP) model
• Assessment Layer
  •  Assessment Plan model
  •  Assessment Results model
  •  Plan of Action and Milestones (POA&M) model

The release state of each model, along with download links for the latest versions of XML and JSON schema for each model are provided in the table, below. YAML is also supported through conversion between JSON and YAML. Since YAML is a superset of JSON, some YAML tooling allows JSON schema to be used for YAML validation. In this way, the provided JSON schema supports both JSON and YAML.

The OSCAL GitHub repository holds the actual OSCAL schemas, examples, documentation source files, and other resources. The NIST team welcomes public contributions to this project. If you are interested in contributing, please review the contributor documentation for ideas and information on how to get started.

NIST also maintains several public GitHub repositories associated with the OSCAL project:

OSCAL content maintained by NIST:

OSCAL tools and libraries:

• Converter utilities into JSON from XML and into XML from JSON
• Command line data conversion tool: OSCAL Java CLI
• A Java API for OSCAL
• OSCAL Deep Diff - CLI application and library that can produce schema-agnostic comparisons of JSON artifacts (OSCAL JSON included)
• CSX and XSLT OSCAL Tools 

OSCAL Metaschema:

• Metaschema modeling language - a language developed by NIST, used to generate a schema for a corresponding information model in a format-specific serializable form (e.g., XML, JSON, YAML) expressed as an XML or JSON Schema. OSCAL Schemas are generated using Metaschema modeling language.
• Metaschema Java framework which provides:
  • Java objects for loading and working with XML-based Metaschema constructs. This functionality is provided by the Metaschema XML model.
  • Java bean code generation based on one or more Metaschema using Maven. This functionality is provided by the Metaschema Maven plugin.
  • A Java parser for reading and writing XML, JSON, or YAML into Java beans generated by the Metaschema Java framework. This functionality is provided by the Metaschema Java Binding Parser.
  • XML and JSON schema generation based on a Metaschema provided by Metaschema Schema Generator.

The NIST team welcomes public contributions to this project. If you are interested in contributing, please review the contributor documentation for ideas and information on how to get started.

OSCAL Events:

The NIST OSCAL team is hosting several types of events:

• International, annually-held OSCAL conferences and/or workshops
  • Open Security Controls Assessment Language (OSCAL) Workshop (2019)
  • 2nd Open Security Controls Assessment Language (OSCAL) Workshop (2021)
  • 3rd Open Security Controls Assessment Language (OSCAL) Workshop (2022)
  • 4th Open Security Controls Assessment Language (OSCAL) Conference and Workshop (2023)
• An OSCAL Adopters' Mini Workshop Series opened primarily to our community members to present their OSCAL adoption
• An OSCAL 101 (Educational) Workshop Series 

OSCAL Recurring Public Meetings:

The NIST OSCAL team hosts meetings with the OSCAL community on different topics:

• OSCAL Model Engineering Meeting (MEM): A bi-weekly meeting to discuss OSCAL models, how they are developed, and development efforts by NIST staff and the greater https://pages.nist.gov/OSCAL/contribute/model-engineering-meeting/ OSCAL community using them. The meeting page has meeting information as well as slides and notes from past sessions.
• OSCAL Develop Enhancements, Future Implementations and New Education (DEFINE) Meeting: A monthly meeting on the third Thursday of every month to discuss the research and educational pursuits of OSCAL using an iterative and collaborative approach with the community. The meeting page has meeting information as well as slides and notes from past sessions.

We encourage you to attend these meetings as a way to keep up-to-date on and contribute to the development of OSCAL.

Calendar:

The NIST OSCAL Team has a public calendar for the community to keep current with the meetings above and other public events hosted by the team.

You can access the web version of this calendar by clicking this link or configure your calendar application with this iCalendar (ICS) file.

• Open the calendar on the web to immediately see this month's events without configuring it in an application on your computer or mobile device.
• Configure the calendar in your application of choice with an iCalendar (ICS) file. You can find instructions on the Internet for Google Workspace, Microsoft Office 365, and many more. Download the file.