Automated Control-Based Assessment

Supporting Control-Based
Risk Management with
Standardized Formats

Learn More

Providing control-related information in machine-readable formats.

NIST, in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results.
data centric


Transitions the legacy approach to security plan generation and management (Word and Excel documents) to a data-centric approach based on common data standards such as XML/JSON.



Puts security compliance data to work by allowing an extensible architecture that expresses security controls in both machine and human readable formats.



Allows tool developers to implement APIs and provide a standards-based foundation for next generation compliance tools.



Apply the benefits of the data-centric approach to automate existing processes that are resource intensive.

Use Information in OSCAL Formats

Control-based information expressed using OSCAL formats allows you to:

  • Easily access control information from security and privacy control catalogs
  • Establish and share machine-readable control baselines
  • Maintain and share actionable, up-to-date information about how controls are implemented in your systems
  • Automate the monitoring and assessment of your system control implementation effectiveness

If you are new to the OSCAL project, we provide learning materials for the project.

This page was last updated on November 8, 2023.