OSCAL is a standardized, flexible, open-source language that allows security controls and their associated implementations and assessment methods to be represented in machine-readable formats and easily transformed into human-friendly representations. OSCAL is important because it provides a standards-based foundation for the next generation of compliance processes and tools and allows for better security automation and interoperability for all types of systems. OSCAL benefits both organizations and security professionals—and it helps improve risk management posture, consistency, and interoperability. We have a lot of exciting things in the works...so please visit our website at www.nist.gov/OSCAL for more information.
The OSCAL Assessment Results model is composed of (among other things): observations, risks, and findings. Observations can contain human or machine-generated evidence of compliance or non-compliance.
OSCAL is on the "higher level of abstraction" side, allowing for implementors to collect evidence from a wide variety of tools and processes without prescribing a specific tool output.
For a really simple example of an automated workflow generating Assessment Results documents based on tool output (in this case, a Python test), check out this case study that our team recently presented on.
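As an added illustration of the mapping described above (example code written for this page, not NIST's or the case study's code): the script below takes constructed test-runner output and builds an Assessment Results document in which each test becomes an observation (the evidence), each test becomes a finding against its control objective, and each failure additionally becomes a risk. The test names, objective IDs, assessment-plan href and exact field names are assumptions; the structure is not validated against the OSCAL schema here.

```python
import uuid
from datetime import datetime, timezone
# Constructed sample: one automated check per control objective, shaped like a
# test runner's summary. Objective IDs and logs are placeholders, not real data.
SAMPLE_TEST_OUTPUT = [
    {"test": "test_tls_min_version", "objective": "sc-8_obj.1", "passed": True,
     "log": "TLS 1.2 minimum enforced on listener"},
    {"test": "test_password_min_length", "objective": "ia-5_obj.1", "passed": False,
     "log": "minimum length is 6, policy requires 12"},
]

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def build_assessment_results(test_output, plan_href="./assessment-plan.json"):
    """Map each test to an observation (method TEST) and a finding against its control
    objective; each failure also becomes an open risk linked to the finding. Field
    names follow the OSCAL assessment-results JSON layout (assumption: unvalidated)."""
    observations, risks, findings = [], [], []
    for t in test_output:
        obs_uuid = str(uuid.uuid4())
        observations.append({
            "uuid": obs_uuid,
            "description": f"Automated check {t['test']}: {t['log']}",
            "methods": ["TEST"],  # OSCAL assessment methods: EXAMINE, INTERVIEW, TEST
            "collected": _now(),
        })
        finding = {
            "uuid": str(uuid.uuid4()),
            "title": t["test"],
            "description": f"Result of {t['test']} for objective {t['objective']}",
            "target": {"type": "objective-id", "target-id": t["objective"],
                       "status": {"state": "satisfied" if t["passed"] else "not-satisfied"}},
            "related-observations": [{"observation-uuid": obs_uuid}],
        }
        if not t["passed"]:  # failures also surface as open risks for follow-up
            risk_uuid = str(uuid.uuid4())
            risks.append({"uuid": risk_uuid, "title": f"{t['test']} failed",
                          "description": t["log"], "statement": t["log"], "status": "open"})
            finding["associated-risks"] = [{"risk-uuid": risk_uuid}]
        findings.append(finding)
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "Automated test results", "last-modified": _now(),
                     "version": "1.0", "oscal-version": "1.0.4"},
        "import-ap": {"href": plan_href},  # placeholder href to the assessment plan
        "results": [{"uuid": str(uuid.uuid4()), "title": "CI run",
                     "description": "Results of one automated test run", "start": _now(),
                     "observations": observations, "risks": risks, "findings": findings}],
    }}
```

Feeding the result through `json.dump` yields a document whose findings point back to the observation that justifies them and, for failures, to the risk that needs tracking.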
Security and Privacy: assurance, audit & accountability, controls assessment, risk assessment, security automation, system authorization, systems security engineering
Technologies: cloud & virtualization