OSCAL - Open Security Controls Assessment Language
OSCAL is a domain-specific language and data model for communicating high-level information about a security audit. The purpose of OSCAL is to allow various compliance frameworks to be expressed in this common language and to enable interoperability between scanners and GRC tools.
OSCAL is being developed at NIST (National Institute of Standards and Technology) in collaboration with industry.
OSCAL is a set of formats expressed in XML, JSON, and YAML that provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. [OSCAL Project Homepage, Online, 2023-08-25]
Components
OSCAL file formats are organized in 3 logical layers. The Control Layer is used to document requirements, security controls, and policy frameworks. The Implementation Layer applies those requirements to a concrete infrastructure and composes a System Security Plan (SSP). Lastly, the Assessment Layer captures the results and follow-ups of a continuously applied SSP.
- Controls Layer
  - Catalog Model
  - Profile Model
- Implementation Layer
  - Component Model
  - System Security Plan (SSP) Model
- Assessment Layer
  - Security Assessment Plan Model (SAP)
  - Security Assessment Results Model (SAR)
  - Plan of Action and Milestones Model (POA&M)
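As an added illustration of the Control Layer (example code, not from the page or from NIST's OSCAL tooling): a minimal profile resolver in Python that walks a catalog laid out like OSCAL's JSON catalog model and applies a profile's import selections. The catalog and profile are constructed sample data; only the `include-all`, `include-controls`/`with-ids` and `exclude-controls`/`with-ids` selectors are implemented, and import `href` values are not fetched.

```python
# Constructed sample data (not from the page), in the shape of OSCAL's JSON catalog model.
# Controls live in groups and may nest: enhancement ac-2.1 sits inside ac-2.
CATALOG = {"catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Sample Catalog", "oscal-version": "1.1.2"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-1", "title": "Policy and Procedures"},
            {"id": "ac-2", "title": "Account Management", "controls": [
                {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
        {"id": "au", "title": "Audit and Accountability", "controls": [
            {"id": "au-2", "title": "Event Logging"}]}]}}

# Constructed profile: import every control from the catalog, then drop one enhancement.
PROFILE = {"profile": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Sample Baseline", "oscal-version": "1.1.2"},
    "imports": [{"href": "sample-catalog.json", "include-all": {},
                 "exclude-controls": [{"with-ids": ["ac-2.1"]}]}]}}

def flatten_controls(node):
    """Yield every control under a catalog, group or control, depth first."""
    for group in node.get("groups", []):
        yield from flatten_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from flatten_controls(control)

def resolve_profile(catalog_doc, profile_doc):
    """Return the control ids a profile selects from the catalog, in catalog order.
    Supports include-all, include-controls/with-ids and exclude-controls/with-ids;
    'matching' patterns and fetching imports by href are deliberately left out."""
    available = [c["id"] for c in flatten_controls(catalog_doc["catalog"])]
    wanted = set()
    for imp in profile_doc["profile"].get("imports", []):
        if "include-all" in imp:
            picked = set(available)
        else:
            picked = {cid for sel in imp.get("include-controls", [])
                      for cid in sel.get("with-ids", [])}
        for sel in imp.get("exclude-controls", []):
            picked -= set(sel.get("with-ids", []))
        wanted |= picked
    # A profile naming controls the catalog does not define is a data error: surface it.
    unknown = wanted - set(available)
    if unknown:
        raise ValueError(f"profile references unknown controls: {sorted(unknown)}")
    return [cid for cid in available if cid in wanted]
```

The same walk is what a GRC tool needs before it can map a baseline onto an SSP: the resolved list is the set of controls the Implementation Layer documents must cover.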
Background
The ATO process is becoming increasingly complex and labor intensive. There are multiple compliance and risk management frameworks (e.g. NIST SP 800-53, FedRAMP, ISO/IEC 27001/2, COBIT 5, CIS Controls, CSA CCM, etc.), and organizations often find that they have to comply with several of them at once.
Prior to OSCAL, one had to jump through many hoops of paperwork just to get started: request access to a digital rights management solution, manually copy the requisite security documentation into a GRC tool, and manually update that documentation on a monthly basis. AWS estimates that it takes at least 4160 hours per year to create and maintain an ATO package. (AWS re:Inforce 2022 - Automating security and compliance with OSCAL)
More specifically, a FedRAMP ATO previously involved a huge Word document (a template) that was filled in with information from a particular organization and submitted to the FedRAMP authority for ATO. It was then manually reviewed and approved, leaving room for errors and omissions on both ends.
A machine-readable language (like OSCAL) is the first step in streamlining and automating the above process.
History
Prior to the creation of OSCAL, NIST had been providing an XML representation for FISMA (NIST SP 800-53) and for security controls catalogs, system security plans, and assessment plans and results.
Adoption
- The ISO/IEC SC27 working group 1 has stated an ambition to release ISO 27002 in OSCAL format.
- The Australian ISM has been released in OSCAL format.
- Project Medina is working on OSCAL catalogs for BSI C5 and cloud controls.
Vendors and service providers are beginning to provide templates (in the form of OSCAL SSPs or component definitions) that end users may include in their ATO packages. One such example is Red Hat providing OSCAL components for its products. AWS has said it aims to eventually provide similar documents for AWS services (think of RDS or Redshift).
Background
A growing number of organizations (companies and government bodies) find themselves needing to implement multiple policies at once. It is rather common to have to implement FISMA, FedRAMP, HIPAA and PCI-DSS at the same time. We are long past the point where paper-based audits scale, and we are near the point where specialized GRC tools and Excel sheets no longer
How to get started with OSCAL
The OSCAL content repository on GitHub provides many examples of OSCAL-formatted data, including both real data and mockups for demonstration. The examples are available in XML, JSON, and YAML formats. Additionally, NIST provides a set of walkthrough tutorials with step-by-step instructions on how to create OSCAL content of various types. The tutorials cover topics such as creating a basic control catalog, creating a basic profile, and creating a basic component definition.
Key Online Resources
- OSCAL, Project Homepage [Online, 2024-04-03]
- OSCAL, GitHub Repository [Online, 2024-04-03]
- AWS re:Inforce 2022 - Automating security and compliance with OSCAL (GRC304), Dr. Michaela Iorga, Conference Talk Recording [Online, 2024-04-03]
OSCAL has an ambition to become the cyber Esperanto. And so far it is kinda succeeding.
Look, I truly like to make compliments that sound like an insult.