Open Security Controls Assessment Language OSCAL

OSCAL is a standardized, flexible, open-source language that allows security controls and their associated implementations and assessment methods to be represented in machine-readable formats and easy transformation to human-friendly representations. OSCAL is important because it provides a standards-based foundation for the next generation of compliance processes and tools and allows for better security automation and interoperabilityfor all types of systems. OSCAL benefits both organizations and security professionals—and it helps improve risk management posture, consistency, and interoperability. We have a lot of exciting things in the works...so please visit our website at www.nist.gov/OSCAL for more information.

NIST team is not maintaining any repository of Component Definitions, nor does the team knows of the existence of such repository for public consumption available today. NIST team is aware of different OSCAL community entities interested in creating and maintaining such community-managed repositories. NIST will provide pointers to such repositories as soon as reliable information is available.

The OSCAL Assessment Results model is composed of (among other things): observations, risks, and findings. Observations can contain human or machine-generated evidence of compliance or non-compliance.

OSCAL is on the "higher level of abstraction" side, allowing for implementors to collect evidence from a wide variety of tools and processes without prescribing a specific tool output.

For a really simple example of an automated workflow generating Assessment Results documents based off of tool output (in this case, a Python test), check out this case study that our team recently presented on.