Case Study: OSCAL CPRT Catalog Project

In the Spring of 2023, CyberESI Consulting Group (CyberESI) embarked on a project to create Open Security Controls Assessment Language (OSCAL) content for various higher-level program risk and regulatory “frameworks.”  The project sought to automate the creation of at least one, and hopefully more, OSCAL Catalogs that map two or more frameworks.

Decision: Source of Framework Information

In deciding the source of framework information and structure, the National Institute of Standards and Technology (NIST) Cybersecurity and Privacy Reference Tool (CPRT) was the logical choice.  In recent years, NIST has focused on publishing key framework information in CPRT.  Frameworks in CPRT can be viewed online, exported in various formats, and accessed via an application programming interface (API).  Not only is the framework information available in CPRT, but the framework *structure* is available for both human review and computer processing.

Decision: Approach to Create OSCAL

In planning proof-of-concept software, CyberESI evaluated multiple approaches to create new OSCAL content, including:

  • combining frameworks stored in CPRT with a pre-existing OSCAL NIST SP 800-53 Control Catalog file, and
  • merging frameworks stored in CPRT, including SP 800-53, with other frameworks stored in CPRT.

After performing a trade-off analysis, CyberESI opted for the second approach.  This approach would enable the proof-of-concept to go beyond automating creation of one OSCAL Control Catalog, to automating creation of OSCAL Control Catalogs for *all* frameworks in CPRT.  This choice would also result in an increasing number of OSCAL Control Catalogs over time, as the number of frameworks in CPRT grows.

Outcomes

In Summer of 2023, CyberESI developed and tested a proof-of-concept utility that creates OSCAL Control Catalogs from any two selected frameworks in CPRT, including SP 800-53.  XML content produced by the proof-of-concept utility was confirmed as well-formed and valid OSCAL according to the OSCAL version 1.1.0 release.  All content from the proof-of-concept effort is available at the CyberESI web site.

Challenges and Future Direction

Lack of key FISMA-related frameworks in CPRT such as SP 800-53A: A manually-created OSCAL Control Catalog that pre-dates this project has significant value because it contains both SP 800-53 and SP 800-53A (available in JSON, XML and YAML).  However, SP 800-53A is not available in CPRT at present, so an equivalent catalog cannot yet be auto-generated with the CyberESI proof-of-concept utility.  When SP 800-53A becomes available in CPRT, future efforts need to focus on the extent to which an auto-generated OSCAL Control Catalog is equivalent to the pre-existing manually-created OSCAL Control Catalog.

Parameterization of SP 800-53 and similar frameworks: Another feature of the manually-created pre-existing OSCAL Control Catalog is the parameterization of organization-defined values within controls.  For example, how frequently an organization monitors and scans for vulnerabilities is a value that must be “filled in” to SP 800-53 control RA-5 to customize and subsequently assess RA-5 within that organization.  Future efforts need to focus on parameterizing those values such that computers can understand what values in a given framework need to be completed with organization-defined values.

Identifying content changes and incrementing UUIDs: OSCAL is built on Web 2.0 technologies such as XML.  One promise of Web 2.0 is that rendered web content may originate from any number of authors and web locations.  A universal challenge of Web 2.0 is how to enable computers to know when changes have been made to discrete portions of content.  The NIST OSCAL team has implemented Universally Unique Identifiers (UUID) to enable computers to see when blocks of content (e.g., the ASCII characters that exist between two XML tags) have changed.  Specifically, if a given block of content changes, the UUID associated with that block of content is incremented so computers can recognize that change.  Future efforts need to focus on identifying content changes and incrementing UUIDs.
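The two challenges just described, parameterization and UUID change detection, as one added example that is not code from the original case study or from the CyberESI utility.  It is Python over a constructed, schema-incomplete OSCAL-style catalog fragment: the namespace and the `{{ insert: param, ... }}` reference form follow OSCAL 1.x, but the control ids, UUIDs and prose are made up.  The function names are the example's own, and it reads "incrementing" a UUID as assigning a fresh UUIDv4 to the catalog when any control's content fingerprint differs from a previously stored one.

```python
"""Added example (not CyberESI's proof-of-concept): list parameters that
still need organization-defined values, fingerprint each control's content
ignoring uuid attributes, and refresh the catalog UUID when a block changed.
The catalog fragment below is constructed and not schema-complete."""
import copy
import hashlib
import uuid
import xml.etree.ElementTree as ET

# Real OSCAL 1.x namespace; registering it keeps serialization prefix-free.
OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}
ET.register_namespace("", OSCAL_NS)

# Constructed sample: RA-5 has an unfilled frequency parameter, RA-1 a filled one.
SAMPLE_CATALOG = """<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-1111-4111-8111-111111111111">
  <metadata><title>Constructed sample catalog</title></metadata>
  <group id="ra"><title>Risk Assessment</title>
    <control id="ra-5">
      <title>Vulnerability Monitoring and Scanning</title>
      <param id="ra-5_prm_1">
        <label>organization-defined frequency</label>
      </param>
      <part id="ra-5_smt" name="statement">
        <p>Monitor and scan for vulnerabilities {{ insert: param, ra-5_prm_1 }}.</p>
      </part>
    </control>
    <control id="ra-1">
      <title>Policy and Procedures</title>
      <param id="ra-1_prm_1">
        <label>organization-defined frequency</label>
        <value>annually</value>
      </param>
    </control>
  </group>
</catalog>"""


def parse_catalog(xml_text: str) -> ET.Element:
    """Parse catalog XML and return the <catalog> root element."""
    return ET.fromstring(xml_text)


def find_unset_params(root: ET.Element):
    """Return (control_id, param_id, label) for every param that carries neither
    a <value> nor a <select>, i.e. one an organization still has to fill in."""
    found = []
    for control in root.iter(f"{{{OSCAL_NS}}}control"):
        for param in control.findall("o:param", NS):
            has_value = param.find("o:value", NS) is not None
            has_select = param.find("o:select", NS) is not None
            if not (has_value or has_select):
                label = param.findtext("o:label", default="", namespaces=NS).strip()
                found.append((control.get("id"), param.get("id"), label))
    return found


def content_fingerprint(elem: ET.Element) -> str:
    """SHA-256 of the canonicalized (C14N, whitespace-stripped) element with every
    uuid attribute removed, so the identifier itself never affects the hash."""
    clone = copy.deepcopy(elem)
    for node in clone.iter():
        node.attrib.pop("uuid", None)
    canonical = ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def control_fingerprints(root: ET.Element) -> dict:
    """Map control id -> fingerprint; store this alongside the published catalog."""
    return {c.get("id"): content_fingerprint(c) for c in root.iter(f"{{{OSCAL_NS}}}control")}


def refresh_catalog_uuid(root: ET.Element, previous: dict):
    """Compare current fingerprints with a stored map. If any control block
    changed, assign the catalog a fresh UUIDv4 (the example's reading of
    'incrementing'). Returns (sorted changed control ids, catalog uuid)."""
    current = control_fingerprints(root)
    changed = sorted(cid for cid, fp in current.items() if previous.get(cid) != fp)
    if changed:
        root.set("uuid", str(uuid.uuid4()))
    return changed, root.get("uuid")


if __name__ == "__main__":
    catalog = parse_catalog(SAMPLE_CATALOG)
    print("unset parameters:", find_unset_params(catalog))
    baseline = control_fingerprints(catalog)
    edited = parse_catalog(SAMPLE_CATALOG.replace("annually", "quarterly"))
    print("changed controls, new catalog uuid:", refresh_catalog_uuid(edited, baseline))
```

Fingerprints are computed over canonical XML with the uuid attributes stripped, so reformatting whitespace or reassigning a UUID does not itself count as a content change, while editing a parameter value or statement text does.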