OSCAL Blog Posts
2025/04/09
OSCAL Continues to Grow Roots in Europe
The European Cyber Security Organization convenes “Actions Beyond Words: Automating Audits for Streamlined Cybersecurity Policy Compliance in Europe”
An awareness session on OSCAL for the European cybersecurity practitioners
-- Cristian Michael Tracci, Senior Manager, Policy Analysis and Outreach policy@ecs-org.eu
The European Cyber Security Organisation (ECSO) is organizing an event titled “Actions Beyond Words: Automating Audits for Streamlined Cybersecurity Policy Compliance in Europe.” This session aims to discuss how to automate compliance with cybersecurity policies, as well as security assessment, auditing, and continuous monitoring processes, raising awareness about the Open Security Controls Assessment Language (OSCAL), its applications, and its benefits in this domain. It is primarily addressed to the European cybersecurity community, including policymakers, GRC practitioners, and researchers, while also promoting dialogue between like-minded geographies on topics of common interest.

Organizations, whether private corporations, government agencies, or supervisory authorities, face significant challenges worldwide in managing compliance with various national and international laws, contractual clauses, and standards. The proliferation of cybersecurity regulations and standards in Europe exacerbates these challenges. By fostering a collaborative approach, in line with its nature as a public-private partnership, ECSO can bring together the private and public sectors, promoting expert debate grounded in substantive discussions and focused on solutions that benefit the entire ecosystem.
Location:
- Online
Date and time:
- 23 April 2025, 15:00 CEST / 9:00 EDT
Registration:
Agenda
Time | Session | Speakers |
---|---|---|
10 min | Opening Remarks | ECSO |
40 min | Continuous Proactive Security with OSCAL: Going Beyond ‘Shift Left’ | Michaela Iorga, Supervisory Computer Engineer, Secure Systems and Applications Group, National Institute of Standards and Technology (NIST) |
20 min | Build with OSCAL: Use-cases for adoption and beyond | Fritz Kunstler, Principal Security Engineer, Amazon Web Services (AWS) |
20 min | OSCAL and European Cybersecurity Public Policy | Cristian Tracci, Senior Manager, Policy Analysis and Outreach Stream, ECSO |
30 min | Cobalt EU Initiative for Automated Compliance | Antonio Skarmeta, Full Professor, and Sara Nieves Matheu Garcia, Assistant Professor, University of Murcia |
30 min | Open Discussion | Moderated by ECSO |
Learn more about ECSO at ecs-org.eu
2025/02/07
OSCAL Foundation launches to move security standard forward
-- John Banghart jfbanghart@venable.com
The ability to automate security assessments of information technology systems is critical. It removes the possibility of human error and assists in overall security compliance. The Open Security Controls Assessment Language (OSCAL) is a machine-readable language that automates, simplifies, and standardizes these assessments. OSCAL was originally developed by the National Institute of Standards and Technology (NIST) in collaboration with FedRAMP and industry, and aims to improve the efficiency, timeliness, accuracy, and consistency of system security assessments while significantly reducing the associated paperwork.

To carry this work forward, the OSCAL Foundation has launched to advance the development and adoption of OSCAL by industry and government. The Foundation will focus on six objectives: adoption, education, community, development, extension, and internationalization. The OSCAL Foundation will bring together communities to collaborate on advancing the use of the standard. The Foundation has been created to offer support and resources for OSCAL and its community, to increase adoption, enable new use cases, and promote integration into globally recognized compliance standards.

“NIST developed OSCAL to standardize the digitization of foundational risk management artifacts in support of the automated assessment and monitoring of system controls,” said Dr. Michaela Iorga of NIST. “OSCAL seeds the evolution of next-generation compliance processes and tools to facilitate interoperability, reliability, and cost-effectiveness with minimal human interaction. The OSCAL Foundation will bring the community support that we need to accelerate OSCAL adoption across the globe.”

The Foundation will host a kickoff event on Tuesday, February 11th at 1 p.m. at Venable LLP in Washington, D.C., with a webinar viewing option available. Registration is required. More information is available here.
Location
Civiletti Center 600 Massachusetts Ave NW Washington, DC 20001
Registration
Agenda
Time | Session |
---|---|
1:00 p.m. - 1:10 p.m. ET | Introduction: John Banghart, Venable |
1:10 p.m. - 1:30 p.m. ET | Keynote: Hart Rossman, VP, Amazon |
1:30 p.m. - 2:10 p.m. ET | Panel discussion: The FedRAMP OSCAL Use Case (Moderator: Pirooz Javan, Easy Dynamics; Brian Ruf, RufRisk; Travis Howerton, RegScale) |
2:10 p.m. - 2:50 p.m. ET | Panel discussion: The Global OSCAL Use Case (Moderator: Michaela Iorga, NIST; Vikram Khare, Google; Matt Weinberg, AWS; Jim Reavis, Cloud Security Alliance) |
2:50 p.m. - 3:30 p.m. ET | Panel discussion: Financial Services, OSCAL Use Case (Moderator: Josh Magri, Cyber Risk Institute; Julie Rohlena, US Bank; Elisabeth Nottingham, JPMorgan Chase; John Goodman, Cyber Risk Institute) |
3:30 p.m. - 4:00 p.m. ET | Discussion of Upcoming Foundation Technical Activities and Q&A (John Banghart, OSCAL Foundation; Ross Nodurft, OSCAL Foundation; Stephen Banghart, OSCAL Foundation) |
4:00 p.m. - 4:05 p.m. ET | Closing Remarks |
4:05 p.m. - 6:00 p.m. ET | Reception & Networking |
Learn more about the OSCAL Foundation at OSCALFoundation.org.