U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

The Open Security Controls Assessment Language (OSCAL): Schema and Metaschema

Published

Author(s)

Wendell A. Piez

Abstract

The Information Technology Lab at NIST is developing technical standards for documentation related to systems security. The Open Security Controls Assessment Language (OSCAL) defines lightweight schemas, along with related infrastructure, for tagging system security information to support routine tasks like crosschecking, validating against arbitrary constraints, and producing punchlists. OSCAL is not conceived as "another big XML application" but as a metaschema. This approach allows us to simplify the design and maintenance of schemas and related tooling; support generation of documentation; produce multiple parallel schemas for XML, JSON, and YAML; and construct conversion tools more easily. Documents and tools leverage basic HTML, or even Markdown, for simplicity even though it limits the complexity of what can be directly imported. Conversion is simplified by the metaschema approach, even when multiple schemas apply to a single data collection. We hope that these simplifications will lead not only to more documents but also to more useful documents.
Proceedings Title
Proceedings of Balisage: The Markup Conference
Volume
23
Conference Dates
July 29-August 2, 2019
Conference Location
Rockville, MD
Conference Title
Balisage: The Markup Conference 2019
Pub Type
Conferences

Download Paper

https://doi.org/10.4242/BalisageVol23.Piez01
Local Download

Keywords

XML, schema, metaschema, security controls
Documentary standards

Citation

Piez, W. (2019), The Open Security Controls Assessment Language (OSCAL): Schema and Metaschema, Proceedings of Balisage: The Markup Conference, Rockville, MD, [online], https://doi.org/10.4242/BalisageVol23.Piez01 (Accessed May 6, 2026)
Additional citation formats

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created July 30, 2019, Updated May 12, 2020
Was this page helpful?