U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST has developed the Open Security Controls Assessment Language (OSCAL 1.0.0)

Share

             NIST has developed the Open Security Controls Assessment Language, which is a multi-format framework that allows security professionals to automate security assessment, auditing, and continuous monitoring processes, making systems’ authorization-to-operate processes and the overall risk management easier. Today, security professionals are faced with several challenges that are resource intensive such as systems’ complexity, paper-based assessment processes that do not scale well or proprietary automation solutions that are not interoperable and overlapping standards and regulatory frameworks.

The development of OSCAL sets the foundation for system security automation, which supports the risk management process and simultaneously supports a full spectrum of roles involved in this process, ranging from security professionals to policy authors. This first official, major release of OSCAL, readily available for download here, provides a stable OSCAL 1.0.0 for wide-scale implementation. The OSCAL 1.0.0 reveal is a major achievement for the OSCAL project and for the earlier adopters and implementers of security automation with OSCAL.

With the release of OSCAL 1.0.0, NIST also makes available the NIST OSCAL specification generated dynamically on the OSCAL website, and the SP 800-53, SP 800-53A and baselines, Rev. 4 and Rev. 5 in OSCAL.  In response, a growing number of commercial and free community tools and services have come into existence or are under development.

OSCAL 1.0.0, the product of OSCAL community collaboration under NIST’s leadership in collaboration with GSA/FedRAMP, was created from community feedback to serve international constituents. The updates included with OSCAL 1.0.0 comprises stable versions of the following:

  • Catalog and Profile models
  • Component definition model
  • System Security Plan
  • Assessment plan
  • Assessment results
  • Plan of Action & Milestones

The sectors that will see some of the greatest improvement because of OSCAL 1.0.0 are agencies, cloud service providers, and third-party assessment organizations.

As always, the NIST OSCAL team is appreciative of all the insightful feedback received to date.

For questions, please contact us at oscal [at] nist.gov (oscal[at]nist[dot]gov) or on Gitter chat room. If interested in collaborating with us and with other community members, please join our oscal-dev [at] nist.gov mailing list.

Information technology
Released June 15, 2021