Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Open Security Controls Assessment Language (OSCAL): V. 1.0.0, Milestone 1

NIST is pleased to announce the first official release of the Open Security Controls Assessment Language (OSCAL), Version 1.0.0 - Milestone 1. The release.....

NIST is pleased to announce the first official release of the Open Security Controls Assessment Language (OSCAL), Version 1.0.0 - Milestone 1. The release contains:

  • Stable versions of the OSCAL catalog and profile models in XML and JSON formats with associated XML and JSON schemas
  • Draft versions of the NIST SP 800-53, Rev. 4 OSCAL content and FedRAMP baselines in OSCAL XML, JSON, and YAML formats
  • Content converters capable of accurately converting between OSCAL catalog and profile content in OSCAL XML to OSCAL JSON format

The development of OSCAL will continue with primary focus on the finalization of the OSCAL implementation layer, which is intended to support the expression of system security plans (SSPs) in machine-readable OSCAL formats and allow software and service vendors to document the controls implemented in their offerings. Stable versions of this work will be featured in the next release, OSCAL Version 1.0.0 - Milestone 2.

The current experimental OSCAL implementation layer is being validated as part of a pilot with GSA/FedRAMP to ensure that the necessary functionality and adequate flexibility are provided to support a wide variety of SSPs. To further validate the implementation layer's functionality and flexibility, NIST is seeking software and service providers to help represent control implementation information about their products. Please email oscal@nist.gov if you are interested.

Future releases can be found at https://github.com/usnistgov/OSCAL/releases, and additional information on the OSCAL project can be found at https://www.nist.gov/oscal. If you have any questions regarding OSCAL or the Milestone 1 release, or if you would like to become involved with the OSCAL project, please contact oscal@nist.gov

 

Released June 21, 2019, Updated July 9, 2019