OSCAL CPRT Catalog Project

The National Institute of Standards and Technology (NIST) Open Security Controls Assessment Language (OSCAL) has a significant and positive impact on organizations that use controls-based approaches to cybersecurity, such as U.S. federal agencies as they address the Federal Information Security Modernization Act of 2014 (FISMA).

In a recent project (documented as a case study), CyberESI Consulting Group automated the creation of OSCAL Control Catalogs for all frameworks listed in the NIST Cybersecurity and Privacy Reference Tool (CPRT). The resulting OSCAL Control Catalog mappings help OSCAL users express compliance with, or fulfillment of, the frameworks that are relevant to their organization.

Through CPRT, these frameworks are available in JSON and Excel format and often carry mapping metadata derived from the NIST Online Informative References Program (OLIR) and other sources.

CyberESI Consulting Group uses the CPRT data, and the CPRT mapping metadata where it is available, to automatically create OSCAL Control Catalogs and associated mapping files. Those files have been validated as well-formed XML and as valid OSCAL.

Reference Dataset | Publication Title | OSCAL Controls Catalog | OSCAL Mapping File
Cybersecurity Framework v2.0.0 | The NIST Cybersecurity Framework 2.0 Draft, Version 2.0 | Download (.xml) |
SP 800-221A | Technology and Information Risk Outcomes, Draft | Download (.xml) | Download (to csf1.1)
SSDF | Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1 | Download (.xml) |
NISTIR 8286B | IoT Non-Technical Supporting Capability Core Baseline, Final | Download (.xml) |
SP 800-53 Rev 5 | Security and Privacy Controls for Information Systems and Organizations, 5.1.0 | Download (.xml) | Download (to csf1.1)
NISTIR 8259A | IoT Device Cybersecurity Capability Core Baseline, Final | Download (.xml) |
SP 800-171 Rev 2 | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2 | Download (.xml) | Download (to csf1.1)
Privacy Framework | NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 | Download (.xml) | Download (to csf1.1)
Cybersecurity Framework v1.1 | Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 | Download (.xml) | Download (to Privacy FW); Download (to 800-53r5); Download (to 800-53r4); Download (to 171r2); Download (to 171r1); Download (to 221a)
SP 800-171 Rev 1 | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 1 | Download (.xml) | Download (to csf1.1)
SP 800-53 Rev 4 | Security and Privacy Controls for Federal Information Systems and Organizations, 4.0.0 | Download (.xml) | Download (to csf1.1)

This content was made possible by a grant from the National Institute of Standards and Technology [GRANT13691361]. Per Code of Federal Regulations 200.315(b), CyberESI Consulting Group, Incorporated retains the copyright to the content hosted on this page, with all rights reserved.