
OSCAL Blog Posts

Explore the Latest Insights from Our OSCAL Community

Stay up-to-date with the newest blog posts from our OSCAL community members. Below you'll find a list of recent blog titles; simply click on any title to dive straight into the post you're interested in:

  • Learn OSCAL Through an Immersive Online Escape Room Experience -- 04/24/2026 -- Read More
  • OSCAL Adoption for FedRAMP: Insights Learned and Path Going Forward -- 04/23/2026 -- Read More
  • A Student’s Take on OSCAL Innovation: Exploring the OSCAL Pocket Guide -- 04/02/2026 -- Read More
  • OSCAL Plugfest & Sailing Ahead with NIST OSCAL: The Next Game Plan -- 11/19/2025 -- Read More


2026/04/24

Learn OSCAL Through an Immersive Online Escape Room Experience

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)

The NIST OSCAL Team is excited to share an immersive online escape room experience designed to help community members learn OSCAL in a hands-on, engaging way. Rather than traditional presentations or documentation walkthroughs, this escape room invites participants to actively apply OSCAL concepts in realistic scenarios. By solving challenges and progressing through the experience, users will gain a deeper, more practical understanding of how OSCAL supports modern security assessment and authorization workflows.

The escape room was introduced on April 16, 2026, at the ISACA Future Tech DC 2026 event at George Mason University (Arlington, VA Campus). Hosted and presented by Dr. Michaela Iorga (NIST) and Selena Xiao (NIST), the OSCAL Escape Room workshop involved hands-on training that allowed participants to codify regulations, implemented controls, and assessment results using OSCAL. Through guided interactive exercises, attendees learned how OSCAL enables repeatable, automatable, and scalable security assessments, transforming compliance into a continuous, data-driven process.

In the virtual escape room, participants have just 30 minutes to unravel corrupted OSCAL data, solve complex challenges, and restore critical artifacts after a devastating cyberattack. As the damage escalates and the workload spirals out of control, every second counts.

→ Take a shot at the OSCAL Escape Room by visiting: https://pages.nist.gov/OSCALER/

→ Visit OSCAL's CSRC webpage to access the workshop presentation and additional resources related to the escape room.


2026/04/23

OSCAL Adoption for FedRAMP: Insights Learned and Path Going Forward

-- Presented By:

  • Brian Ruf, FedRAMP Technology Focus Group Lead, OSCAL Foundation
  • Stephen Banghart, Technical Coordinator, OSCAL Foundation

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)

In OSCAL's recent monthly workshop, Brian Ruf and Stephen Banghart from the OSCAL Foundation highlighted their efforts to make FedRAMP security artifacts machine-readable and OSCAL-compliant. A key theme throughout the session was improving interoperability and ensuring that security documentation can be consistently understood and used across different agencies and organizations.

One of the most interesting takeaways was the feedback gathered from various U.S. government agencies. While OSCAL offers a high degree of flexibility in how information can be structured and mapped, that same flexibility can make adoption a bit challenging. Agencies noted that transitioning from traditional formats like Word documents and spreadsheets to fully machine-readable OSCAL artifacts can feel like a big jump, especially with tooling being limited.

To address this challenge, the OSCAL Foundation is taking a phased approach. Their current focus is on the FedRAMP System Security Plan (SSP), and their goal is to provide clearer guidance on how SSPs should be represented in OSCAL so that implementations are more consistent and interoperable.

Another aspect that stood out was the emphasis on incremental adoption. Instead of requiring organizations to fully convert their documentation all at once, the OSCAL Foundation introduced two adoption paths: a retrofit path for converting existing legacy documents and a native path for organizations that are starting fresh. This approach allows users to begin with simpler, flat representations of their data and gradually transition to more structured component-based models over time.

The presenters also shared several resources for the community to get support in adoption, including a GitHub repository containing examples of OSCAL representations. These tools aim to make it easier for organizations to get started and build familiarity with the standard.

Overall, this insightful workshop highlighted both the challenges and ongoing efforts to make OSCAL adoption more accessible by focusing on guidance and incremental progress.

Workshop Location:

  • Online

Workshop Date and Time:

  • 15 April 2026, 11:00 AM - 12:00 PM EDT

View this April 2026 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.


2026/04/02

A Student’s Take on OSCAL Innovation: Exploring the OSCAL Pocket Guide

-- Presented By:

  • Tevin Harris, Federal Employee, Founder of euCann

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)

During OSCAL's March 2026 workshop, Tevin Harris from euCann LLC delivered an insightful and engaging presentation, including a live demo of the OSCAL Pocket Guide, a mobile OSCAL-based application that provides on-demand access to the OSCAL Catalog. Harris opened by highlighting a familiar challenge faced by many cybersecurity professionals: the long, tedious process of manually assessing paper-based security artifacts such as PDFs and spreadsheets. With multiple versions and formats of security frameworks, some often spanning hundreds of pages, manual assessment becomes highly inefficient.

OSCAL addresses this issue by standardizing these artifacts into automatable, machine-readable formats, enabling continuous compliance and streamlined assessments. To further support OSCAL adoption and provide a more intuitive user experience, Harris developed the OSCAL Pocket Guide. The application allows users to easily browse OSCAL catalogs, analyze controls, navigate various framework models, review assessment objectives and artifacts, and explore parameters and implementation guidance.

Currently available on iOS, Android, and macOS devices, the application leverages data frameworks and formats based on OSCAL JSON documents. It does not require an internet connection, as it operates entirely offline with documents downloaded directly to the user's device. The app is powered by six core frameworks: SP 800-53 Revision 5, NIST CSF 2.0, SP 800-171 Revision 3, SP 800-218 (SSDF), the AI RMF Playbook, and Harris's own customized OSCAL SP 800-61 Volume II.

The OSCAL Pocket Guide features an intuitive interface that allows users to explore different frameworks and the modules that make them up. Built using a Flutter UI layer and core OSCAL services, the application supports document parsing, exporting, and secure local storage via encrypted SQLite. It is offered in two versions: a free version, and a Pro version priced at $10, which includes advanced multi-criteria filtering and control comparison capabilities.

During the demonstration, I was particularly impressed by the application's ease of use and thoughtful design. Clear navigation and well-organized tabs guide users through OSCAL-based frameworks and their respective control modules. Features such as favoriting frequently accessed controls, applying baseline filters, sorting by control IDs, and displaying parameters inline further enhance the app's usability.

The application continues to evolve, with future updates expected to include a web interface and cloud-based capabilities, such as a retrieval-augmented generation (RAG) chatbot. This feature will enable users to ask questions about NIST catalog items and receive real-time, OSCAL-informed responses related to controls and frameworks.

Overall, the OSCAL Pocket Guide is a promising tool that simplifies interaction with complex OSCAL data, making it more accessible through a clean, user-friendly interface while supporting deeper exploration of its technical capabilities.

Workshop Location:

  • Online

Workshop Date and Time:

  • 18 March 2026, 11:00 AM - 12:00 PM EDT

View this March 2026 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.


2025/11/19

OSCAL Plugfest & Sailing Ahead with NIST OSCAL: The Next Game Plan

As cloud environments grow more complex and interconnected, traditional compliance practices such as inefficient manual checks, paper-based audits, and proprietary formats are struggling to keep up. Security teams are often buried in fragmented documents, making it harder to track how controls apply across hybrid systems. The result? Slow, error-prone processes that don't scale with today's fast-moving digital world.

That is where OSCAL comes in.

Developed by NIST and industry partners, the Open Security Controls Assessment Language (OSCAL) is transforming how cybersecurity compliance is managed. It standardizes how security information is documented and shared, making it machine-readable and far more efficient.

Think of OSCAL like the shipping container of cybersecurity. Before containerization, transporting goods was chaotic and inefficient: each shipment required repackaging at each transfer point. Then came a standard format that transformed global trade. OSCAL does the same for compliance data, making it portable, structured, and ready for automation across platforms and organizations.

Why organizations are adopting OSCAL:

  • Faster, more accurate security assessments
  • Easier automation and tool integration
  • Reduced manual workload and fewer errors
  • Improved collaboration and reuse of standardized controls

With the launch of the OSCAL Foundation, the initiative is expanding globally, supported by federal agencies, global tech leaders, and a fast-growing community. OSCAL is also well-suited for adoption in healthcare, finance, and the National Retail Federation (NRF), where automated, standardized compliance can simplify regulatory complexity and boost efficiency.

In a world where compliance must be agile and resilient, OSCAL offers a foundation built for the future.

Learn more about OSCAL from the official OSCAL website, review how others used OSCAL in their automated risk management solutions by watching their talks and demos, or dive deeper in the GitHub repositories maintained by NIST.


Upcoming: Join the Community at the OSCAL Plugfest!

For those who are interested in seeing OSCAL innovation in action or who want to contribute to it firsthand, the OSCAL Foundation is hosting an OSCAL Plugfest in Washington, DC. It will be a hands-on event, bringing together OSCAL users, vendors, and the broader community to collaborate on real-world technical challenges. Participants will tackle complex problems, share expertise, and help advance the OSCAL ecosystem.

Date: Monday, December 15, 2025

Location: Venable, 600 Massachusetts Ave NW, Washington, DC

  • Morning Session (9:30 AM - 12:00 PM, Invitation-Only): A technical hackathon where experts will test OSCAL tools and content in a collaborative interoperability workshop. A key activity will focus on the OSCAL Mapping Model and recent official updates to the NIST specification led by the OSCAL Foundation. To request participation in the hackathon, contact [email protected].

  • Afternoon Session (12:00 PM - 4:00 PM, In-person and online via Zoom, must register): Presentations and discussions on OSCAL as both a technical standard and a practical solution for government and industry challenges.

➔ For more information or to register, visit the event details here.

This page was last updated on April 24, 2026.