OSCAL: the Open Security Controls Assessment Language
This is how you arrive at the future state of the Risk Management Framework (RMF):
Providing control-related information in machine-readable formats.
The Open Security Controls Assessment Language (OSCAL) is a NIST-led initiative designed to move cybersecurity compliance from a slow, paper-based "check-the-box" activity to a high-speed, automated mission capability.
For a military executive, here is how OSCAL impacts operational readiness and risk management:
1. Real-Time Security Posture
Currently, most security authorizations (such as RMF authorization packages) rely on static Word or Excel documents that are out of date the moment they are signed.
The OSCAL Shift: The same information is expressed as machine-readable data (XML, JSON, YAML) that tools can validate, exchange and update.
The Result: Instead of waiting months for a manual audit, leadership can see the current security posture of a system. It shifts the focus from "documentation" to "defensibility."
2. Accelerating the ATO Process
The "Authority to Operate" (ATO) process is often a bottleneck for deploying new capabilities to the warfighter.
Automation: Because OSCAL is data-centric, security tools can "talk" to each other. An assessment tool can automatically check a system and update the Security Assessment Report (SAR) without manual data entry.
Speed: For the parts of an assessment that can be automated, it can cut turnaround from months to minutes, allowing faster deployment of critical software and weapon systems.
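As an added example of the automation described in the two points above (this is not code from the page, from NIST or from any vendor), the Python below takes the output of an automated check run and emits an OSCAL assessment-results document, the machine-readable counterpart of the SAR, then derives the "which controls are failing right now" view leadership asks for. The check results are constructed; the field names follow the OSCAL 1.1 assessment-results JSON model as the author understands it, so validate the output against the published schema before relying on it.

```python
"""Turn automated check results into an OSCAL assessment-results document.

Added example, not NIST's or any vendor's code. Field names follow the
OSCAL 1.1 assessment-results JSON model as the author understands it;
validate the output against the published schema before relying on it.
The check results below are constructed, not real findings.
"""
import json
import uuid
from datetime import datetime, timezone

OSCAL_VERSION = "1.1.2"

# Constructed output of an automated check run, keyed to SP 800-53 control ids.
# In practice these come from a scanner or a configuration-management report.
CHECK_RESULTS = [
    {"control-id": "ac-2", "objective-id": "ac-2_obj",
     "check": "Accounts inactive for 90 days are disabled",
     "passed": True, "evidence": "0 of 412 accounts exceed the inactivity limit"},
    {"control-id": "ac-7", "objective-id": "ac-7_obj",
     "check": "Failed-logon lockout enforced after 3 attempts",
     "passed": False, "evidence": "pam_faillock deny=10 on 6 hosts"},
    {"control-id": "au-2", "objective-id": "au-2_obj",
     "check": "auditd running and forwarding to the SIEM",
     "passed": True, "evidence": "auditd active, remote target configured"},
]


def _now() -> str:
    """OSCAL dateTime-with-timezone, e.g. 2024-05-01T12:00:00+00:00."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_assessment_results(checks, ap_href="assessment-plan.json") -> dict:
    """Map each check to one observation plus one finding that targets its objective."""
    observations, findings = [], []
    for chk in checks:
        obs_uuid = str(uuid.uuid4())
        observations.append({
            "uuid": obs_uuid,
            "description": chk["check"],
            "methods": ["TEST"],              # automated test, not EXAMINE or INTERVIEW
            "collected": _now(),
            "remarks": chk["evidence"],
        })
        findings.append({
            "uuid": str(uuid.uuid4()),
            "title": chk["check"],
            "description": f"Automated test of {chk['control-id']}",
            "target": {
                "type": "objective-id",
                "target-id": chk["objective-id"],
                "status": {"state": "satisfied" if chk["passed"] else "not-satisfied"},
            },
            "related-observations": [{"observation-uuid": obs_uuid}],
        })
    control_ids = sorted({c["control-id"] for c in checks})
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "Automated control test", "last-modified": _now(),
                     "version": "1.0", "oscal-version": OSCAL_VERSION},
        "import-ap": {"href": ap_href},       # the plan this run executed
        "results": [{
            "uuid": str(uuid.uuid4()),
            "title": "Continuous-monitoring run",
            "description": "Results of the scheduled automated checks",
            "start": _now(),
            "reviewed-controls": {"control-selections": [
                {"include-controls": [{"control-id": cid} for cid in control_ids]}]},
            "observations": observations,
            "findings": findings,
        }],
    }}


def failing_controls(doc: dict) -> list:
    """Posture view: control ids with at least one not-satisfied finding."""
    failing = set()
    for result in doc["assessment-results"]["results"]:
        for finding in result["findings"]:
            if finding["target"]["status"]["state"] == "not-satisfied":
                # constructed objective ids are "<control>_obj"; strip the suffix
                failing.add(finding["target"]["target-id"].split("_")[0])
    return sorted(failing)


if __name__ == "__main__":
    sar = build_assessment_results(CHECK_RESULTS)
    print(json.dumps(sar, indent=2))
    print("not satisfied:", failing_controls(sar))
```

Every finding carries a link back to the observation that produced it, which is what makes the result defensible rather than merely documented: an assessor can trace a "not-satisfied" state to the evidence and the collection time without a single manually typed field.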
3. Enabling Reciprocity Across Services
In a multi-service environment, sharing risk data is notoriously difficult because every agency uses different templates.
Standardization: OSCAL provides a universal language for security controls.
The Benefit: A security baseline developed by the Air Force can be digitally ingested and understood by Army or Navy systems without re-keying, facilitating "Reciprocity" and joint operations.
4. Operationalizing Command Intent
OSCAL allows commanders to operationalize their intent.
Direct Control: Policies and regulatory requirements are expressed as machine-readable controls, profiles and parameter values that systems and pipelines consume directly, instead of prose that each implementer reinterprets.
Precision: Leadership can establish and share machine-readable control baselines, ensuring that every system under their command is measured against the exact same standards automatically.
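The baseline sharing described in points 3 and 4 works through the OSCAL profile model: a profile imports controls from a catalog, selects and excludes control ids, and pins organisation-defined parameter values, and a resolver turns it into a resolved catalog that any consumer can ingest. The Python below is an added example, not NIST's resolver (oscal-cli implements the full profile resolution specification); it supports only with-ids and glob-matching selection, with-child-controls, exclude-controls, the flat merge directive and set-parameters, and it flags parameters the baseline author left unset. The catalog and profile are constructed and use SP 800-53-style control ids only for familiarity.

```python
"""Resolve a small OSCAL profile against a catalog to produce a baseline.

Added example, not NIST's resolver: oscal-cli implements the full profile
resolution specification, while this covers only with-ids / matching
selection, with-child-controls, exclude-controls, the flat merge directive
and set-parameters. The catalog and profile are constructed and use
SP 800-53-style control ids only for familiarity.
"""
import copy
import fnmatch
import json
import uuid

CATALOG = {"catalog": {
    "uuid": "11111111-1111-4111-8111-111111111111",   # constructed
    "metadata": {"title": "Mini catalog", "version": "1.0", "oscal-version": "1.1.2"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-2", "title": "Account Management",
             "params": [{"id": "ac-2_prm_1", "label": "inactivity period"}],
             "controls": [
                 {"id": "ac-2.1", "title": "Automated System Account Management"},
                 {"id": "ac-2.3", "title": "Disable Accounts"}]},
            {"id": "ac-7", "title": "Unsuccessful Logon Attempts",
             "params": [{"id": "ac-7_prm_1", "label": "number of attempts"}]}]},
        {"id": "au", "title": "Audit and Accountability", "controls": [
            {"id": "au-2", "title": "Event Logging"}]},
    ],
}}

PROFILE = {"profile": {
    "uuid": "22222222-2222-4222-8222-222222222222",   # constructed
    "metadata": {"title": "Service baseline", "version": "1.0", "oscal-version": "1.1.2"},
    "imports": [{
        "href": "#catalog",   # looked up in CATALOGS below instead of fetched
        "include-controls": [
            {"with-ids": ["ac-2"], "with-child-controls": "yes"},
            {"with-ids": ["ac-7", "au-2"]}],
        "exclude-controls": [{"with-ids": ["ac-2.1"]}],
    }],
    "merge": {"flat": {}},
    "modify": {"set-parameters": [
        {"param-id": "ac-7_prm_1", "values": ["3"]},
        {"param-id": "ac-2_prm_1", "values": ["90 days"]}]},
}}

CATALOGS = {"#catalog": CATALOG}   # href -> document; a real resolver fetches the URL


def index_controls(catalog):
    """Map control id -> control for every control and enhancement, in catalog order."""
    idx = {}

    def walk(controls):
        for c in controls:
            idx[c["id"]] = c
            walk(c.get("controls", []))

    walk(catalog["catalog"].get("controls", []))
    for group in catalog["catalog"].get("groups", []):
        walk(group.get("controls", []))
    return idx


def select_ids(clauses, idx):
    """Expand include-controls / exclude-controls clauses into a set of control ids."""
    chosen = set()
    for clause in clauses:
        ids = set(clause.get("with-ids", []))
        for match in clause.get("matching", []):          # glob patterns such as "ac-*"
            ids |= {cid for cid in idx if fnmatch.fnmatchcase(cid, match["pattern"])}
        if clause.get("with-child-controls") == "yes":     # pull in the enhancements too
            ids |= {cid for cid in idx if any(cid.startswith(p + ".") for p in ids)}
        chosen |= ids
    return chosen


def resolve(profile, catalogs=CATALOGS):
    """Return the resolved catalog (a plain OSCAL catalog) for the profile."""
    prof = profile["profile"]
    merge = prof.get("merge", {})
    if merge and "flat" not in merge:
        raise NotImplementedError("only the flat merge directive is implemented here")
    idx, selected = {}, set()
    for imp in prof["imports"]:
        cidx = index_controls(catalogs[imp["href"]])
        chosen = select_ids(imp.get("include-controls", []), cidx)
        chosen -= select_ids(imp.get("exclude-controls", []), cidx)
        missing = chosen - set(cidx)
        if missing:   # a typo here silently weakens a baseline, so fail instead
            raise ValueError(f"profile selects unknown controls: {sorted(missing)}")
        idx.update(cidx)
        selected |= chosen
    # flat merge: every selected control, enhancements included, at top level
    controls = [copy.deepcopy(c) for cid, c in idx.items() if cid in selected]
    for c in controls:
        c.pop("controls", None)
    # modify/set-parameters: pin the organisation-defined values
    pinned = {sp["param-id"]: sp["values"]
              for sp in prof.get("modify", {}).get("set-parameters", [])}
    for c in controls:
        for p in c.get("params", []):
            if p["id"] in pinned:
                p["values"] = pinned[p["id"]]
    return {"catalog": {"uuid": str(uuid.uuid4()),
                        "metadata": copy.deepcopy(prof["metadata"]),
                        "controls": controls}}


def unset_parameters(resolved):
    """Parameters the baseline left for each implementer to fill in (a reciprocity gap)."""
    return sorted(p["id"] for c in resolved["catalog"]["controls"]
                  for p in c.get("params", []) if "values" not in p)


if __name__ == "__main__":
    baseline = resolve(PROFILE)
    print(json.dumps(baseline, indent=2))
    print("unset parameters:", unset_parameters(baseline))
```

Two design choices matter for reciprocity. An id the profile selects but the catalog does not contain raises instead of being dropped, because a silently missing control is exactly the failure that makes a shared baseline untrustworthy. And unset parameters are reported, since a baseline that leaves "number of attempts" to each receiving service is not the "exact same standard" the leadership intended.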
Bottom Line: OSCAL is the foundational layer for Continuous Authorization. It replaces administrative overhead with automated oversight, ensuring that cybersecurity keeps pace with the speed of the mission. For more details on the framework, you can explore the OSCAL project overview.
ServiceNow CAM: OSCAL support
Open Security Controls Assessment Language (OSCAL) provides a standardized way to express control-related information, enabling interoperability, consistency, and automation in IT security. CAM supports the JSON format only (OSCAL itself is also published in XML and YAML) and OSCAL version 1.1.2.
OSCAL is a set of machine-readable formats developed by the National Institute of Standards and Technology (NIST). It’s designed to support the automation of security control assessments, compliance reporting, and risk management processes.
CAM supports the export and import of OSCAL data for both Catalog and System Security Plan (SSP) models.
For developers, or anyone who wants to get better acquainted with OSCAL, the wiki is the place to start: https://github.com/usnistgov/OSCAL/wiki
OSCAL Java Command Line Tool
A Java tool, providing a command line interface, that performs common operations on Open Security Controls Assessment Language (OSCAL) and Metaschema content.
This open-source tool offers a convenient way to manipulate OSCAL and Metaschema-based content, supporting the following operations:
Converting OSCAL content between the OSCAL XML, JSON, and YAML formats.
Validating an OSCAL resource to ensure it is well-formed and valid.
Resolving OSCAL Profiles.
Validating a Metaschema model definition to ensure it is well-formed and valid.
Generating XML and JSON Schemas from a Metaschema model definition.
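The validation operation above is where most hand-written or script-generated OSCAL fails. As an added example (not oscal-cli's own validation logic, which runs the Metaschema-generated schemas and constraint rules and which this does not replace), the Python below is a pre-flight linter for a catalog that catches a handful of mistakes worth fixing before invoking the tool: a malformed UUID, missing required metadata, duplicate control ids, and prose that inserts a parameter nobody defined. Both catalogs in it are constructed.

```python
"""Pre-flight structural checks for an OSCAL catalog before it goes to oscal-cli.

Added example, not oscal-cli's validation logic. The tool validates against
the Metaschema-generated schemas and constraint rules; this only catches a
few common authoring mistakes early. Both catalogs below are constructed.
"""
import re

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
# OSCAL parameter insertion syntax inside prose: {{ insert: param, <param-id> }}
PARAM_INSERT_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")
REQUIRED_METADATA = ("title", "last-modified", "version", "oscal-version")
MODELS = {"catalog", "profile", "component-definition", "system-security-plan",
          "assessment-plan", "assessment-results", "plan-of-action-and-milestones"}

GOOD = {"catalog": {
    "uuid": "5b5bdd4a-0a6e-4f7e-8f9c-2a7f0d4c1e13",   # constructed v4-shaped UUID
    "metadata": {"title": "Mini catalog", "last-modified": "2024-01-01T00:00:00Z",
                 "version": "1.0", "oscal-version": "1.1.2"},
    "groups": [{"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-7", "title": "Unsuccessful Logon Attempts",
         "params": [{"id": "ac-7_prm_1", "label": "number of attempts"}],
         "parts": [{"id": "ac-7_smt", "name": "statement",
                    "prose": "Enforce a limit of {{ insert: param, ac-7_prm_1 }} "
                             "consecutive invalid logon attempts."}]}]}],
}}

BAD = {"catalog": {
    "uuid": "not-a-uuid",
    "metadata": {"title": "Broken catalog", "version": "1.0"},
    "groups": [{"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-7", "title": "Unsuccessful Logon Attempts",
         "parts": [{"id": "ac-7_smt", "name": "statement",
                    "prose": "Enforce a limit of {{ insert: param, ac-7_prm_1 }} attempts."}]},
        {"id": "ac-7", "title": "Duplicate id from a copy-paste"}]}],
}}


def walk_controls(node):
    """Yield every control and enhancement beneath a catalog or group node."""
    for c in node.get("controls", []):
        yield c
        yield from walk_controls(c)
    for g in node.get("groups", []):
        yield from walk_controls(g)


def prose_of(part):
    """Yield the prose of a part and all of its nested parts."""
    yield part.get("prose", "")
    for sub in part.get("parts", []):
        yield from prose_of(sub)


def lint_catalog(doc: dict) -> list:
    """Return a list of human-readable problems; an empty list means no issues found."""
    problems = []
    if (set(doc) & MODELS) != {"catalog"}:
        return [f"expected a single 'catalog' root, found {sorted(doc)}"]
    cat = doc["catalog"]
    if not UUID_RE.match(str(cat.get("uuid", ""))):
        problems.append(f"catalog uuid {cat.get('uuid')!r} is not an RFC 4122 UUID")
    for key in REQUIRED_METADATA:
        if key not in cat.get("metadata", {}):
            problems.append(f"metadata missing required field {key!r}")
    seen, params = set(), set()
    controls = list(walk_controls(cat))
    for c in controls:
        cid = c.get("id")
        if not cid:
            problems.append("control without an id")
        elif cid in seen:
            problems.append(f"duplicate control id {cid!r}")
        seen.add(cid)
        params |= {p["id"] for p in c.get("params", [])}
    for c in controls:                      # second pass: params are now all known
        for part in c.get("parts", []):
            for text in prose_of(part):
                for ref in PARAM_INSERT_RE.findall(text):
                    if ref not in params:
                        problems.append(
                            f"{c.get('id')}: prose inserts undefined parameter {ref!r}")
    return problems


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_catalog(doc) or "ok")
```

The undefined-parameter check is the one a schema validator will not give you on its own: the JSON is well-formed and schema-valid, yet a profile that later tries to set the parameter has nothing to bind to, and the rendered control text ships with an unresolved placeholder.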
This work is intended to make it easier for OSCAL and Metaschema content authors to work with related content.
This tool is based on the Metaschema Java Tools and OSCAL Java Library projects.
This effort is part of the National Institute of Standards and Technology (NIST) OSCAL Program.
A simple open source command line tool to support common operations over OSCAL content.
https://github.com/usnistgov/oscal-cli
https://github.com/usnistgov/OSCAL/releases
GitHub: OSCAL SSP content for technologies shipped by Red Hat
GitHub: OSCAL Compass project
YouTube: OSCAL in Action: Real World Examples of Automating Policy & Compliance - J. Power & H. Braswell
GitHub: ComplianceAsCode Various projects accomplishing compliance through code and automation.
Instant OSCAL expertise for your favorite AI agent
A Model Context Protocol (MCP) server that provides AI assistants (Claude, Cline, Kiro, Claude Code, etc.) with tools to work with NIST's Open Security Controls Assessment Language (OSCAL). Like many early adopters, we needed help implementing OSCAL proofs-of-concept to demonstrate value to business stakeholders. Perhaps due to limited availability of examples in the public domain, we found that most AI agents/LLMs alone produced inconsistent results related to OSCAL. The tools in this MCP server minimized that problem for our use-case and we hope it does the same for you.
To view the latest release of OSCAL, check out the GitHub releases page; each release there carries a complete summary of its changes.
The changes made in each release are based on the excellent feedback and contributions that are received from the OSCAL community. The NIST OSCAL team is very thankful for all of it.
Any feedback may be emailed to the NIST OSCAL team at oscal@nist.gov or by creating an issue on the GitHub repository.
Looking forward, the NIST OSCAL team is excited to keep working with the OSCAL community to enhance OSCAL through additional minor releases. Future efforts will include providing a more complete set of documentation for all the OSCAL layers and models, creating more examples, and providing a diverse set of tutorials.
For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.
The NIST team is also maintaining OSCAL content that is updated to the latest OSCAL revision. The OSCAL content repository provides OSCAL examples, in addition to:
The NIST SP 800-53 revision 5 catalog and the security and privacy NIST SP 800-53B baselines.
The NIST SP 800-53 revision 4 catalog and the three NIST SP 800-53 revision 4 baselines - preserved for historic purpose.
The CSF v2.0 catalog.
All of this OSCAL content is provided in XML, JSON and YAML formats.
NIST is also seeking tool developers, vendors, and service providers that would like to implement the OSCAL models in commercial and open-source offerings, as well as software and service providers willing to work with NIST to represent control implementation information about their products.
To provide feedback, to ask questions, or to let us know about an OSCAL implementation you are working on, please email the NIST OSCAL team at oscal@nist.gov. You can also post publicly to the OSCAL development list: oscal-dev@list.nist.gov or create an issue on our GitHub repository.
Please find instructions for joining the OSCAL development and update lists on our contacts page. If you have any questions about OSCAL in general or if you would like to get involved in the OSCAL project, please contact us at: oscal@nist.gov or on Gitter.
Documentation:
Catalog, Profile, Component, SSP, SAP, SAR, POA&M:
https://pages.nist.gov/OSCAL/documentation/
Example:
Generic examples:
https://github.com/usnistgov/oscal-content/tree/master/examples
NIST SP 800-53 Rev 4 and Rev 5 catalog and baselines (XML & JSON):
https://github.com/usnistgov/oscal-content/tree/master/nist.gov/SP800-53
FedRAMP Automation:
Repository (FedRAMP catalog and baselines, XML & JSON, included):
https://github.com/GSA/fedramp-automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/
Tools
OSCAL Java Library:
https://github.com/usnistgov/liboscal-java
XSLT Tooling:
https://github.com/usnistgov/oscal-tools/tree/master/xslt
OSCAL Kit:
https://github.com/docker/oscalkit
OSCAL GUI:
https://github.com/brianrufgsa/OSCAL-GUI
OMB's OSCAL Policy Administration Library (OPAL):
https://github.com/EOP-OMB/opal