NIST has developed the Open Security Controls Assessment Language, which is a multi-format framework that allows security professionals to automate security assessment, auditing, and continuous monitoring processes, making systems’ authorization-to-operate processes and the overall risk management easier. Today, security professionals are faced with several challenges that are resource intensive such as systems’ complexity, paper-based assessment processes that do not scale well or proprietary automation solutions that are not interoperable and overlapping standards and regulatory frameworks.
The development of OSCAL sets the foundation for system security automation, which supports the risk management process and simultaneously supports a full spectrum of roles involved in this process, ranging from security professionals to policy authors. This first official, major release of OSCAL, readily available for download here, provides a stable OSCAL 1.0.0 for wide-scale implementation. The OSCAL 1.0.0 reveal is a major achievement for the OSCAL project and for the earlier adopters and implementers of security automation with OSCAL.
With the release of OSCAL 1.0.0, NIST also makes available the NIST OSCAL specification generated dynamically on the OSCAL website, and the SP 800-53, SP 800-53A and baselines, Rev. 4 and Rev. 5 in OSCAL. In response, a growing number of commercial and free community tools and services have come into existence or are under development.
OSCAL 1.0.0, the product of OSCAL community collaboration under NIST’s leadership in collaboration with GSA/FedRAMP, was created from community feedback to serve international constituents. The updates included with OSCAL 1.0.0 comprises stable versions of the following:
- Catalog and Profile models
- Component definition model
- System Security Plan
- Assessment plan
- Assessment results
- Plan of Action & Milestones
The sectors that will see some of the greatest improvement because of OSCAL 1.0.0 are agencies, cloud service providers, and third-party assessment organizations.
As always, the NIST OSCAL team is appreciative of all the insightful feedback received to date.