OSCAL Blog Posts Archive
Explore Past OSCAL Blogs Packed With Expert Insights
Discover a comprehensive archive of OSCAL blog posts featuring practical guidance, relevant updates, and in-depth analysis to support effective security compliance. These articles cover a range of topics suited for both newcomers and experienced practitioners in the field.
2025
May 27, 2025
-- Presented By:
- Chris Vermeulen, Principal Engineer, Container Solutions
- Ian Miell, Partner, Container Solutions
-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)
This month, I attended a workshop titled "Automated OSCAL-based evidence gathering with The Continuous Compliance Framework", presented by Chris Vermeulen and Ian Miell from Container Solutions. As someone new to the world of compliance automation, I found the session to be a valuable introduction to how modern organizations are tackling the challenges of regulatory mapping in complex systems. The Continuous Compliance Framework (CCF) is an open source tool that automates the collection of compliance evidence through distributed agents. These agents run on different systems and environments, gathering data and feeding it into a centralized API, all while remaining secure and lightweight.
One of the most interesting concepts discussed was how CCF identifies and maps “subjects” and “components” without relying on centralized identifiers like UUIDs. Instead, it uses attribute-based mapping to determine if two pieces of evidence relate to the same subject, allowing the system to correlate data from various sources efficiently. This makes compliance tracking much more manageable, especially in large scale, distributed environments where manual mapping would be time-consuming and prone to errors. I appreciated how the framework is designed to scale across environments, from GitHub repositories to Linux hosts, making it highly flexible and practical.
Another highlight was seeing how CCF integrates with the OSCAL format. The team demonstrated an in-progress editor for building system security plans directly within the framework, complete with visual tools like diagram editors for network and component layouts. This approach not only simplifies documentation but also ensures that compliance data is machine-readable and easy to export. Overall, the workshop gave me a clearer understanding of the future of compliance automation and how thoughtful tooling can turn a complex process into something far more manageable.
April 16, 2025
-- Presented By:
- Brian Ruf, Independent Consultant, RufRisk
- Pirooz Javan, CTO, Easy Dynamics
- Juan Risso, Lead Software Engineer, Easy Dynamics
-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)
I had the chance to attend a fascinating workshop titled "OSCAL Catalogs: Create Easily and Use Broadly," presented by experts Brian Ruf (RufRisk), Pirooz Javan (Easy Dynamics), and Juan Risso (Easy Dynamics). The session gave a deep dive into OSCAL and its use in various industries. While I initially thought OSCAL was focused solely on cybersecurity compliance frameworks, I quickly learned that its applications can stretch far beyond that, offering a powerful tool for managing a wide variety of regulatory and requirement-based scenarios...
At its core, OSCAL was created to handle cybersecurity requirements, including well-known frameworks such as NIST SP 800-53 and SOC 2. These are essential standards in managing cybersecurity risk and compliance, but the workshop revealed that OSCAL can be applied much more broadly. It turns out OSCAL is highly versatile and can be used to manage virtually any type of requirement (including products, services, or processes) across multiple industries. The ability to define requirements clearly, track their implementation, and assess compliance can be a game-changer for industries like healthcare, manufacturing, financial services, and even construction.
What was particularly intriguing was the emphasis on machine-readable data. Traditionally, compliance requirements are stored in formats like PDFs or Word documents, which are difficult to track and are often prone to errors. OSCAL solves this problem by structuring data in a way that machines can easily process, enabling automation and reducing human error. The presenters explained that by starting with OSCAL, organizations can seamlessly convert human-readable formats like HTML, Word, and Excel into machine-readable data, ensuring that compliance documents are both accessible and actionable. This concept of bridging the gap between machine-readable and human-readable data was one of the most important takeaways from the workshop.
The workshop also featured a live demonstration of the Comply Zero platform, which is built around OSCAL and helps manage compliance lifecycles. In the demo, we saw how OSCAL catalogs can be created, managed, and assessed through an intuitive interface. The ability to define controls, parameters, and assessment objectives, and link them together, showcased how OSCAL can help organizations streamline their compliance processes.
One of the key points made during the workshop was the idea that OSCAL’s machine-readable format enables automation and more efficient tracking of compliance efforts. As regulations become more complex, tools like OSCAL will be essential in managing and evaluating compliance in real time, minimizing the risks of human error, and reducing the time spent manually cross-referencing documents. This is especially critical in industries where compliance is not just a best practice but a legal requirement. Starting with OSCAL allows organizations to build a solid foundation for automation, and the ability to generate reports and assessments more easily means that stakeholders can focus on the actual outcomes rather than the complexity of the paperwork.
Overall, this workshop was incredibly informative. I walked away with a much deeper understanding of how OSCAL works and how it is revolutionizing the way industries track and assess compliance requirements. It became clear to me that OSCAL is more than just a tool for cybersecurity—it’s a versatile solution with broad potential applications in fields like healthcare, construction, manufacturing, and finance. As a student, I’m excited about the possibilities this open standard offers for the future of compliance management.
The European Cyber Security Organization convenes “Actions Beyond Words: Automating Audits for Streamlined Cybersecurity Policy Compliance in Europe”
An awareness session on OSCAL for the European cybersecurity practitioners
April 9, 2025
- Cristian Michael Tracci, Senior Manager, Policy Analysis and Outreach
Location
- Online
Date and time:
- 23 April 2025, 15:00 CEST / 9:00 EDT
Agenda
Time | Session | Speakers
---|---|---
10 min | Opening Remarks | ECSO
40 min | Continuous Proactive Security with OSCAL: Going Beyond ‘Shift Left’ | Michaela Iorga, Supervisory Computer Engineer, Secure Systems and Applications Group, National Institute of Standards and Technology (NIST)
20 min | Build with OSCAL: Use-cases for adoption and beyond | Fritz Kunstler, Principal Security Engineer, Amazon Web Services (AWS)
20 min | OSCAL and European Cybersecurity Public Policy | Cristian Tracci, Senior Manager, Policy Analysis and Outreach Stream, ECSO
30 min | Cobalt EU Initiative for Automated Compliance | Antonio Skarmeta, Full Professor, and Sara Nieves Matheu Garcia, Assistant Professor, University of Murcia
30 min | Open Discussion | Moderated by ECSO
Learn more about ECSO at ecs-org.eu
March 19, 2025
-- Presented By:
- Anca Sailer, Distinguished Engineer, IBM TJ Watson
- Hirokuni Kitahara, Research Scientist, IBM Tokyo
- Saki Takano, Research Scientist, IBM Tokyo
- Takumi Yanagawa, Research Advisory Software Developer, IBM Tokyo
- Yuji Watanabe, Research Senior Technical Staff, IBM Tokyo
-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee)
I recently attended the OSCAL workshop titled "OSCAL-based AI-augmented CISO agent", hosted by our partners at IBM. The focus of the session was on leveraging OSCAL for AI-augmented compliance automation and policy validation. Over the past five years, IBM has made OSCAL a key part of their strategy for expressing security and compliance requirements across various domains, including infrastructure, data, AI, applications, and business processes.
During the workshop, I learned about IBM's 4-step compliance lifecycle, with a particular emphasis on the assessment phase. The session detailed how IBM bridges authored compliance controls with real-time validation through their Compliance to Policy (C2P) framework. I was particularly impressed by how C2P uses OSCAL component definitions and a plug-in based architecture to generate technology-specific policies, such as Ansible playbooks or Kyverno rules. These policies are then deployed in actual or pre-deployment environments for validation. What really stood out to me was how the C2P core interprets OSCAL structures, mapping controls to relevant policies, and generating validation results into standardized OSCAL assessment outputs. This system seems like a game-changer for organizations looking to streamline their compliance processes.
Overall, the workshop gave me a deep dive into how structured compliance data, combined with Gen-AI and automated tools, can create a seamless and scalable compliance pipeline. I left the session with a solid understanding of how IBM is applying these technologies to modern cloud-native and AI-integrated systems. It's exciting to see how AI and automation are playing a key role in shaping the future of compliance.
February 7, 2025
-- John Banghart
The ability to automate security assessments of information technology systems is critical. It removes the possibility of human error and assists in overall security compliance. The Open Security Controls Assessment Language (OSCAL) is a machine-readable language that automates, simplifies, and standardizes these assessments.
OSCAL was originally developed by the National Institute of Standards and Technology (NIST) in collaboration with FedRAMP and industry, and aims to improve the efficiency, timeliness, accuracy, and consistency of system security assessments and significantly reduce the associated paperwork. To carry this work forward, the OSCAL Foundation has launched to advance the development and adoption of OSCAL by industry and government.
The Foundation will focus on six objectives: adoption, education, community, development, extension, and internationalization. The OSCAL Foundation will bring together communities to collaborate on advancing the use of the standard. The foundation has been created to offer support and resources for OSCAL and its community to increase adoption, new use cases, and integration into the globally recognized compliance standards.
“NIST developed OSCAL to standardize the digitization of foundational risk management artifacts in support of the automated assessment and monitoring of system controls,” said Dr. Michaela Iorga of NIST. “OSCAL seeds the evolution of next-generation compliance processes and tools to facilitate interoperability, reliability, and cost-effectiveness with minimal human interaction. The OSCAL Foundation will bring the community support that we need to accelerate OSCAL adoption across the globe.”
The Foundation will host a kickoff event on Tuesday February 11th at 1 p.m. at Venable LLP in Washington, D.C. with a webinar viewing option available. Registration is required.
Location
Civiletti Center, 600 Massachusetts Ave NW, Washington, DC 20001
Agenda
Time | Session
---|---
1:00 p.m. - 1:10 p.m. ET | Introduction: John Banghart, Venable
1:10 p.m. - 1:30 p.m. ET | Keynote: Hart Rossman, VP, Amazon
1:30 p.m. - 2:10 p.m. ET | Panel discussion: The FedRAMP OSCAL Use Case. Moderator: Pirooz Javan, Easy Dynamics; with Brian Ruf, RufRisk, and Travis Howerton, RegScale
2:10 p.m. - 2:50 p.m. ET | Panel discussion: The Global OSCAL Use Case. Moderator: Michaela Iorga, NIST; with Vikram Khare, Google; Matt Weinberg, AWS; and Jim Reavis, Cloud Security Alliance
2:50 p.m. - 3:30 p.m. ET | Panel discussion: Financial Services, OSCAL Use Case. Moderator: Josh Magri, Cyber Risk Institute; with Julie Rohlena, US Bank; Elisabeth Nottingham, JPMorgan Chase; and John Goodman, Cyber Risk Institute
3:30 p.m. - 4:00 p.m. ET | Discussion of Upcoming Foundation Technical Activities and Q&A: John Banghart, Ross Nodurft, and Stephen Banghart, OSCAL Foundation
4:00 p.m. - 4:05 p.m. ET | Closing Remarks
4:05 p.m. - 6:00 p.m. ET | Reception & Networking
Learn more about the OSCAL Foundation at OSCALFoundation.org.
2023
September 6, 2023
-- Dr. Michaela Iorga, Director, OSCAL Program
Welcome to the Open Security Controls Assessment Language (OSCAL) Blog, open to the NIST OSCAL Team and to the community!
If you work closely with us, you might have noticed we finished a large code repository reorganization alongside the release of OSCAL v1.1.0 and the subsequent OSCAL v1.1.1 release. The OSCAL Project was in desperate need of some internal restructuring, a fall cleaning of sorts. As an OSCAL user, the differences should not affect you, but we will still summarize some key changes for you.
One may wonder why we reorganized our code repositories only recently. Our answer is simple: we started small (more than six years ago!) and wanted to keep everything in one place to reduce the maintenance overhead. As we expanded our work, we needed to separate code repositories to get better organized. Here is what we changed:
- The OSCAL website's source code (known as OSCAL pages) moved to its own repository, OSCAL-Pages.
- The OSCAL reference documentation's source code moved to its own repository, OSCAL-Reference.
- The Metaschema tooling's source code, which we use to process OSCAL models and generate documentation, moved to its own repo, metaschema-xslt.
- The generated JSON and XML schemas for the models, and the converters for JSON-to-XML and XML-to-JSON conversion, are now published only as part of releases; they are no longer stored in the OSCAL repo alongside the source code. We also simplified the build process, making it easier for community members to prototype and propose changes to the OSCAL models.
The NIST OSCAL Team officially maintains those new repos in addition to the existing OSCAL, oscal-content, liboscal-java, and oscal-cli repositories. As priorities shifted, we have paused development on oscal-cat, the catalog authoring tool, and oscal-tools, a library of XSLT transformations for OSCAL developer use cases. Those projects are archived and remain available for reference and demonstration.
For an up-to-date description of all projects and their relationship to one another, please take a moment and review the OSCAL project structure on our website.
Moving forward, the NIST team will author future blog posts as needed. If you have an OSCAL topic you would like to read about or you want to guest-author a blog post, you can email the NIST OSCAL team your proposal and the team will work with you to approve and publish the blog post.
2021
July 7, 2021
-- Easy Dynamics
Discover how open standards like OSCAL are transforming security compliance by streamlining processes and improving transparency. This article by Easy Dynamics explores the benefits of adopting open frameworks to innovate and simplify regulatory requirements in today's complex cybersecurity landscape.
The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project
May 19, 2021
-- Dr. Michaela Iorga, Director, OSCAL Program
This blog by Dr. Michaela Iorga discusses the importance of building a foundation of interoperable and portable security automation. It explains how standardized approaches can improve cybersecurity by making security tools and processes more consistent and adaptable across diverse environments. The article highlights key efforts to advance automation that supports stronger, more scalable defenses.