Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

2nd Open Security Controls Assessment Language (OSCAL) Workshop

Video Recordings of the Event

OSCAL Session 1
OSCAL Session 1
OSCAL Session 2
OSCAL Session 2
OSCAL Session 3
OSCAL Session 3

The National Institute of Standards and Technology will be hosting on Tuesday, February 2 and Wednesday, February 3, 2021, the second workshop in a new series focusing on the Open Security Controls Assessment Language (OSCAL).

Setting the foundation for security automation, OSCAL provides machine-readable representations of control catalogs, control baselines, system security plans, assessment plans and assessment results in a set of formats expressed in XML, JSON, and YAML.

Day one of the workshop will highlight OSCAL layers and models, with the goal  to familiarize the audience with the OSCAL architecture, formats, and with the NIST SP 800-53 Rev5 catalog and baselines in OSCAL. Day two will explore the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office’s (PMO) efforts to digitalize authorization packages submitted in OSCAL, will present FedRAMP’s updated OSCAL resources that include a comprehensive set of guides for additional deliverables. During both days of the event, we will have a few time slots reserved for participants to give presentations. Attendees interested in being considered to present during the workshop are encouraged to review the Call for Proposals below for additional information and instructions.

The OSCAL project, along with this workshop series, align with NIST’s mission of promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST works to maximize its impact and mission fulfillment by positioning itself to anticipate future technology trends and develop the most important measurements and standards products that are aligned with industry drivers and needs.

The workshop will provide attendees an opportunity to familiarize themselves and build skills in the  development and use of OSCAL. We encourage developers of control-oriented security tools, and organizations that want to use or create OSCAL-based information, to register and attend the workshop.

Who should attend:

  • Leaders in digital transformation and security automation from the government, private, and academic sectors;
  • Vendors of security automation tools who are considering implementing OSCAL formats in their tools;
  • Participants in standard development organizations focusing on developing and publishing control catalogs and baselines;
  • System owners from the government, private, and academic sectors who want to streamline the documentation of controls used in their information systems.

Call for Proposals

The 2021 NIST OSCAL Workshop program committee is seeking timely, topical, and thought-provoking presentations or demonstrations highlighting OSCAL-based security assessment automation processes or Governance Risk and Compliance (GRC) tools supporting OSCAL formats for integration into such processes.

We encourage proposals from a diverse array of organizations and individuals with different perspectives, from the public and private sectors, international bodies, assessment and authorization (A&A) or certification and authorization (C&A) providers.

Submissions must incorporate, in addition to the title, speaker information (bio and photo), a brief abstract and a proof of OSCAL support or integration into the tool, process or solution.

Proposals will be evaluated and selected based on the quality of the written proposal, the topic proposed, the proof of OSCAL integration.

Submission Deadline: midnight, ET, January 4th, 2021
Submit your proposal via email to oscal2021 [at] (oscal2021[at]nist[dot]gov), with the subject line: “OSCAL 2021 CFP”

CPE Credits

Attendees are always welcome to self-report to their authoritative certification bodies to request CEUs/CLEs. During registration you will receive a letter along with your registration confirmation for self-reporting purpose. 

NOTE: The "Certification Number" is the attendee personal certification number for all certification(s) requiring continuous professional improvement (or have CPE requirements). Please feel free to use the form and submit to the organization that sponsors your certification, demonstrating your Continuing Professional Education-CPE.

Agenda (PDF)

  • February 2: 11:00am - 4:30pm EST
  • February 3: 11:00am - 4:00pm EST


Day 1

Welcome, Introduction and Administrative issues

        Matthew Scholl, Chief, Computer Security Division, NIST

Next Generation Security Assessment - Visionary Keynote

        Victoria Pillitteri, FISMA Lead, NIST

What is OSCAL and Who Needs It

        Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST

Coffee Break with Q&A


        David Waltermire, OSCAL Technical Director, NIST

OSCAL Models: Assessment Planning, Results and POA&M

        Brian Ruf, OSCAL Team Member, NIST / FedRAMP

Active Lunch Break (Parallel Tracks)

Break - Bring your lunch bag

Track 1: OSCAL tools integration and interoperability

     Greg Elin, Founder and CEO, GovReady
     Travis Howerton, CTO, C2 Labs

Track 2: Automating FedRAMP System Security Plan Development Using OSCAL

     Jasson Walker, President & CEO, cFocus Software                                      

Track 3: Automation for DER-Risk Manager using OSCAL

      Paul Wand, Cybersecurity Visualization Engineer, NREL   
Anuj Sanghvi, Cybersecurity Researcher, NREL

Track 4: Leveraging Compliance Automation for our Cloud-First World

      Scott Schwan, Co-founder & CEO, Shujinko  
      Rick Harwood, VP of Engineering, Shujinko                                   

Track 5: Entertainment

       Bring your lunch and watch NIST documentaries

Break - Reconvening

OSCAL Content (SP 800-53 Rev5, SP 800-53B and beyond)

       Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST

CMS and What Makes an Agency Ready for Security Automation with OSCAL: A Vendors View

       Greg Elin, Founder and CEO, GovReady

Risk Management for Distributed Energy Resources

     Anuj Sanghvi, Cybersecurity Researcher, NREL

Day 1 Closing Remarks and Adjourn

Networking: Birds of a feather

        Virtual BYO Cocktail and Round Table Discussion  


Welcome, Introduction and Administrative issues

        Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST

FedRAMP Automation Roadmap

      Zach Baldwin, Program Manager, FedRAMP/ GSA
Brian Ruf, SME, FedRAMP/ GSA/Noblis
Alexander Stein, SME, Flexion Inc

Virtual Coffee Break

Paving the road towards continuous certification: Leveraging OSCAL into the EU-wide cloud security certification scheme

      Prof Dr. Jesus Luna, Cloud Security Expert, Robert Bosch GmbH

Xacta 360 Implementation of OSCAL Increases Efficiency of A&A Processes

      Milica Green, Compliance SME, Telos
Hugh Barrett, VP Technical Solutions, Telos

Active Lunch Break (Parallel Tracks)

 Break - Bring your lunch bag

Track 1: What Does a Working OSCAL Component Library Really Look Like

      Omar Abed & Tom Wood, CivicActions/GovReady
      Greg Elin,
Founder and CEO, GovReady

Track 2: Cyber Security Controls: Data portability between vendor tools using NIST OSCAL                                                                                                                                                                                                                      

      Travis Howerton, CTO, C2 Labs

Track 3: Automating and ATO for a blockchain system using OSCAL

       Jasson Walker, President and CEO, cFocus Softwar

Track 4:  Entertainment - Bring your lunch and watch NIST documentaries

Break - Reconvening

Enabling continuous risk visibility – the role for OSCAL in revolutionizing third party security

      Jonathan Dambrot, Global Third-Party Security Lead, KPMG
      Adam Brand, Managing Director, KPMG

Compliance Testle – An Open-Source Opinionated Implementation of OSCAL

      Anca Sailer, Senior Technical Staff Member in Hybrid Cloud Compliance, IBM Research
      Chris Butler, Senior Technical Staff Member in Hybrid Cloud Compliance, IBM Research

Day 2 Closing Remarks and Adjourn

Networking: Birds of a feather

        Virtual BYO Cocktail and Round Table Discussion  

Created December 3, 2020, Updated March 10, 2021