OSCAL Blog Posts
Explore the Latest Insights from Our OSCAL Community
Stay up-to-date with the newest blog posts from our OSCAL community members. Below is a list of recent blog titles; click on any title to go straight to the post you're interested in:
- How CAPORDINO Converts Security Data into OSCAL Catalogs: A Student's Perspective -- 08/26/2025
- Inside the OSCAL Mapping Model: A Student's Perspective -- 08/01/2025
- Test-Driving Compliance: A Student's Perspective on OSCAL & Government Procurement -- 06/26/2025
2025/08/26
How CAPORDINO Converts Security Data into OSCAL Catalogs: A Student's Perspective
-- Presented By:
- Selena Xiao, Computer Scientist, NIST
-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)
The recent workshop hosted by the NIST OSCAL Team featured a compelling presentation by Selena Xiao on CAPORDINO: A Data Converter to OSCAL Catalogs. The session provided valuable insights into how CAPORDINO (Cybersecurity and Privacy Open Reference Datasets in OSCAL) contributes to advancing security automation, particularly in the areas of secure software development and patch management, meeting the requirements of Executive Order 14144.
As cybersecurity systems continue to grow in complexity, so does the need for scalable, automated methods of conducting security assessments. CAPORDINO addresses this challenge by converting structured security reference data into OSCAL, a standardized, machine-readable format. The result is an approach that supports continuous assessment with reduced reliance on manual processes.
A significant focus of the presentation was CAPORDINO's use of the Cybersecurity and Privacy Reference Tool (CPRT), which aggregates security guidance from various NIST security frameworks. CPRT provides this data in a structured JSON format that serves as the foundation for conversion into OSCAL documents and keeps the data both machine-processable and human-readable.
CAPORDINO's conversion process is built around two key stages: mapping and conversion. CAPORDINO first retrieves the required CPRT reference data through HTTP requests to the CPRT API and uses a JSON processing library to map that data into its corresponding Java objects. From there, multiple classes convert those objects into OSCAL-formatted XML documents: well-structured catalogs that retain all core information from the original references.
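As an added illustration of the mapping-then-conversion flow (not CAPORDINO's own Java code), the following Python script turns a constructed, simplified CPRT-style JSON document into an OSCAL catalog XML tree; the input layout and its family/control element names are assumptions, while the OSCAL namespace and element names are the real ones.

```python
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"   # OSCAL 1.x XML namespace

def q(tag):                                       # qualified OSCAL tag name
    return f"{{{OSCAL_NS}}}{tag}"

# Constructed, simplified stand-in for a CPRT API response; the real CPRT JSON
# layout is richer and is not reproduced here.
CPRT_SAMPLE = json.dumps({
    "document": {"id": "example-doc", "title": "Example Reference Document"},
    "elements": [
        {"type": "family", "id": "AC", "title": "Access Control"},
        {"type": "control", "parent": "AC", "id": "AC-1", "title": "Policy and Procedures",
         "text": "Develop, document, and disseminate an access control policy."},
        {"type": "control", "parent": "AC", "id": "AC-2", "title": "Account Management",
         "text": "Define and document the types of accounts allowed."},
    ],
})

def cprt_to_oscal_catalog(raw_json: str) -> ET.Element:
    """Map CPRT-style elements onto an OSCAL catalog: families -> groups, controls -> controls."""
    data = json.loads(raw_json)
    ET.register_namespace("", OSCAL_NS)
    catalog = ET.Element(q("catalog"), uuid=str(uuid.uuid4()))
    meta = ET.SubElement(catalog, q("metadata"))      # required metadata fields, in schema order
    ET.SubElement(meta, q("title")).text = data["document"]["title"]
    ET.SubElement(meta, q("last-modified")).text = datetime.now(timezone.utc).isoformat()
    ET.SubElement(meta, q("version")).text = "1.0"
    ET.SubElement(meta, q("oscal-version")).text = "1.1.2"
    groups = {}
    for el in data["elements"]:                       # families first so controls can attach
        if el["type"] == "family":
            groups[el["id"]] = g = ET.SubElement(catalog, q("group"), id=el["id"].lower())
            ET.SubElement(g, q("title")).text = el["title"]
    for el in data["elements"]:
        if el["type"] == "control":
            cid = el["id"].lower()                     # OSCAL ids are conventionally lowercase
            parent = groups.get(el.get("parent"), catalog)
            ctl = ET.SubElement(parent, q("control"), id=cid)
            ET.SubElement(ctl, q("title")).text = el["title"]
            stmt = ET.SubElement(ctl, q("part"), id=f"{cid}_smt", name="statement")
            ET.SubElement(stmt, q("p")).text = el["text"]
    return catalog

def control_ids(catalog: ET.Element) -> list[str]:
    return [c.get("id") for c in catalog.iter(q("control"))]
```

Serialize the returned tree with `ET.tostring(catalog, encoding="unicode")` to see the resulting OSCAL XML.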
What emerged from the workshop was a clear demonstration of how tools like CAPORDINO contribute to modernizing security assessment workflows. Rather than replacing human oversight, automation in this context enhances accuracy, consistency, and speed, all of which are critical as organizations scale their cybersecurity efforts.
This workshop offered a strong example of innovation in cybersecurity. CAPORDINO represents a step forward in reducing the burden of manual documentation while aligning with industry standards for secure system development.
Location:
- Online
Date and Time:
- 20 August 2025, 11:00 AM - 12:00 PM EDT
View this August 2025 workshop recording and other files here.
Learn more about the OSCAL Monthly Workshop series here.
2025/08/01
Inside the OSCAL Mapping Model: A Student's Perspective
-- Presented By:
- Stephen Banghart, Technical Coordinator, OSCAL Foundation
- Anca Sailer, Distinguished Engineer, IBM Research
- Vikas Agarwal, Senior Technical Staff Member, IBM Research - India
-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)
At the NIST OSCAL 37th Monthly Workshop, Stephen Banghart, Anca Sailer, and Vikas Agarwal delivered a compelling presentation on 'Collaboratively Maturing the OSCAL Control Mapping Model at the OSCAL Foundation'. The workshop provided a comprehensive introduction to the OSCAL Mapping Model, a powerful tool that streamlines security assessments and continuous compliance by automating the mapping of security controls between different frameworks.
The OSCAL Mapping Model is a game changer in security assessments and compliance automation. By enabling the creation of a crosswalk between various control frameworks, it facilitates comparisons and mappings between them. As technology advances rapidly, maintaining a robust security posture is crucial. However, traditional security assessment processes often struggle to scale, which is where the NIST OSCAL team, OSCAL-Compass, and the OSCAL Foundation come in, working together to implement a new use case for OSCAL with the Mapping Model. This leverages existing security postures to bootstrap a new mapping model, making it easier for organizations to adapt to changing security requirements.
The ability to map security frameworks is essential for organizations to analyze their compliance with different frameworks. With the OSCAL Mapping Model, users can automate this process, gaining valuable insights into how their current framework aligns with others. The presenters worked through the Mapping Model's use cases, demonstrating how organizations can utilize it to map controls from one security framework to another. This capability benefits a range of stakeholders, including security analysts, who can create detailed guidance and mapping documents to illustrate the relationships between frameworks.
A prototype of the OSCAL Mapping Model is currently being tested, featuring a mapping collection and schema that captures various security fields to demonstrate compliance between source and target control frameworks. The mapping collection includes fields such as 'provenance', which captures common fields across different mappings, and a 'method' field, which indicates the type of method used to map controls (automated, semi-automated, or manual). Additionally, a 'confidence score' field provides an indication of the accuracy and confidence of the produced mapping. On the other hand, the mapping schema captures information about the source and target catalogs/profiles, including a map array structure that specifies the source and target controls being mapped. It also captures the relationship between these controls, including equivalency and gaps (controls that are not mapped or partially mapped). The source and target gap summaries provide a detailed list of specific controls that require attention, enabling users to evaluate and plan for further compliance.
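To make the gap summaries concrete, here is an added Python example (not the prototype's code and not the published OSCAL mapping schema) that models a mapping with the fields named in the talk and derives the source and target gap summaries from the map array; the class and field names, the relationship labels, and the sample control ids are assumptions.

```python
from dataclasses import dataclass

METHODS = {"automated", "semi-automated", "manual"}   # 'method' values named in the talk

@dataclass
class Map:
    """One entry of the map array: which source controls map to which target controls."""
    sources: list[str]
    targets: list[str]
    relationship: str          # "equivalent" or "partial" (assumed labels)

@dataclass
class Mapping:
    """Assumed stand-in for the prototype's mapping schema, not the published OSCAL schema."""
    provenance: dict           # who produced the mapping, and when
    method: str                # one of METHODS
    confidence: float          # confidence score, 0.0 .. 1.0
    source_catalog: str
    target_catalog: str
    maps: list[Map]

    def __post_init__(self):
        if self.method not in METHODS:
            raise ValueError(f"unknown method {self.method!r}")
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError("confidence score must lie in [0, 1]")

def gap_summaries(mapping: Mapping, source_ids: list[str], target_ids: list[str]) -> dict:
    """Compute source and target gap summaries: controls unmapped or only partially mapped."""
    equiv_src, equiv_tgt, part_src, part_tgt = set(), set(), set(), set()
    for m in mapping.maps:
        if m.relationship == "equivalent":
            equiv_src.update(m.sources); equiv_tgt.update(m.targets)
        else:
            part_src.update(m.sources); part_tgt.update(m.targets)
    def side(ids, equiv, part):   # a control with an equivalent map is never a gap
        return {"unmapped": [i for i in ids if i not in equiv and i not in part],
                "partial": [i for i in ids if i in part and i not in equiv]}
    return {"source": side(source_ids, equiv_src, part_src),
            "target": side(target_ids, equiv_tgt, part_tgt)}

# Constructed sample: four source controls, four target controls, three map entries.
SOURCE_IDS = ["ac-1", "ac-2", "ac-3", "ac-6"]
TARGET_IDS = ["tc-1", "tc-2", "tc-3", "tc-4"]
SAMPLE = Mapping(
    provenance={"author": "example analyst", "date": "2025-07-16"},
    method="semi-automated", confidence=0.8,
    source_catalog="source-catalog-example", target_catalog="target-catalog-example",
    maps=[Map(["ac-1"], ["tc-1"], "equivalent"),
          Map(["ac-2"], ["tc-2"], "equivalent"),
          Map(["ac-3"], ["tc-1", "tc-4"], "partial")],
)
```

Running `gap_summaries(SAMPLE, SOURCE_IDS, TARGET_IDS)` lists ac-6 and tc-3 as unmapped and ac-3 and tc-4 as partially mapped, which is the list of controls an analyst would need to plan further work for.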
The presenters concluded their presentation by sharing insightful proposals for extending the OSCAL Mapping Model. These include enhancing the 'method' field to allow for user-defined values beyond automated, semi-automated, and manual. Another proposal suggests introducing a 'coverage' field to indicate the extent to which a control is compliant with another, providing a clear understanding of the overlap between controls and the additional work required to achieve complete mapping and compliance.
As the technology landscape continues to evolve, the need for efficient and effective security assessment and compliance automation has never been more pressing. The OSCAL Mapping Model discussed in this workshop is a powerful tool that addresses this need, and the presentation by Banghart, Sailer, and Agarwal demonstrated its potential to revolutionize the way organizations approach security compliance. With the OSCAL community driving innovation and collaboration, the OSCAL Mapping Model is poised to play a vital role in shaping the future of security assessments and compliance processes.
Location:
- Online
Date and Time:
- 16 July 2025, 11:00 AM - 12:00 PM EDT
View this July 2025 workshop recording and other files here.
Learn more about the OSCAL Monthly Workshop series here.
2025/06/26
Test-Driving Compliance: A Student's Perspective on OSCAL & Government Procurement
-- Presented By:
- Mats Nahlinder, CEO & Co-Founder, Sunstone Secure
- Robert Ficcaglia, CTO and Co-Founder, Sunstone Secure
-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)
Attending the OSCAL Monthly Workshop titled "OSCAL - A 'FastTrack' to agency contracting" was an insightful experience, especially in understanding how compliance and procurement processes can be improved through automation and standardization. The workshop, presented by Mats Nahlinder and Robert Ficcaglia, founders of Sunstone Secure, opened my eyes to the practical challenges agencies face in vendor evaluation and system procurement, and how OSCAL can be a game changer. Their focus on FedRAMP, a government-wide program that standardizes cloud service security assessments, made the topic very relevant.
One key takeaway was the exploration of the current pain points in agency procurement. Despite certifications like SOC-2 or FedRAMP levels, there is often little insight into the actual quality and maturity of a cloud service provider's security posture. This disconnect leads to high risks for agencies, who may contract services that are not fully compliant or mature enough, sometimes only realizing this after the deal is signed. The presenters highlighted how OSCAL can address this by providing a structured, data-driven, and risk-focused approach to evaluating vendors before procurement, rather than relying on broad certifications or fixed risk levels.
The workshop also emphasized how agencies can use OSCAL profiles to define their own risk posture by mapping security controls to frameworks like MITRE ATT&CK, which helps tailor compliance requirements to actual threats. This risk-based posture then becomes the foundation of the RFP process, where agencies specify Key Security Indicators (KSIs) in OSCAL format. Vendors respond with concrete, measurable data about how their systems perform against these KSIs, enabling agencies to make more informed, transparent, and traceable decisions. This approach promises to streamline the procurement cycle by making compliance assessment more precise and tailored.
What fascinated me most was the demonstration of Sunstone's Artemis digital twin platform. This AI-powered system collects documentation in OSCAL format to automatically generate comprehensive compliance packages, test plans, and audit evidence. The digital twin can simulate attack scenarios and vendor security postures before contracts are signed, essentially allowing agencies to "test drive" vendors' security readiness. This kind of automation not only boosts efficiency, but also improves accuracy and reduces third-party risks, which are crucial for federal agencies managing sensitive data.
Overall, the workshop provided a valuable perspective on how OSCAL is evolving beyond just a technical specification to become a practical tool for risk-driven procurement and continuous monitoring. As a student, it was encouraging to see the blend of standards, AI, and real-world applications come together to solve complex cybersecurity challenges. The ability to customize security controls, measure effectiveness through KSIs, and simulate risk scenarios through a digital twin represents a promising direction for the future of agency contracting. This workshop not only deepened my understanding of cybersecurity compliance but also sparked an interest in how data-driven decision-making and automation can reshape the government acquisition process.
Location:
- Online
Date and Time:
- 18 June 2025, 11:00 AM - 12:00 PM EDT
View this June 2025 workshop recording and other files here.
Learn more about the OSCAL Monthly Workshop series here.