Open Security Controls Assessment Language

The National Institute of Standards and Technology (NIST) Open Security Controls Assessment Language (OSCAL) has a significant and positive impact on organizations that use controls-based approaches to cybersecurity, such as U.S. federal agencies as they address the Federal Information Security Modernization Act of 2014 (FISMA). OSCAL makes control catalogs, control baselines, system security plans (SSP), assessment plans, and assessment results machine-readable. This means OSCAL users can quickly and automatically:

⦁ Update SSPs based on changes to system risk, because their governance, risk, and compliance (GRM) software vendor uses OSCAL,
⦁ Determine the controls impact of implementing a new security technology, because that vendor provided an OSCAL Component Definition, and
⦁ Express compliance/fulfillment of a framework, because an OSCAL Control Catalog mapping is available.

In a recent project, CyberESI Consulting Group automated the creation of OSCAL Control Catalogs for all frameworks listed in the NIST Cybersecurity and Privacy Reference Tool (CPRT).