
OSCAL Blog Posts Archive

Explore Past OSCAL Blogs Packed With Expert Insights

Discover a comprehensive archive of OSCAL blog posts featuring practical guidance, relevant updates, and in-depth analysis to support effective security compliance. These articles cover a range of topics suited for both newcomers and experienced practitioners in the field.



2025


How CAPORDINO Converts Security Data into OSCAL Catalogs: A Student's Perspective

August 26, 2025

-- Presented By:

  • Selena Xiao, Computer Scientist, NIST

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee) [email protected]

The recent workshop hosted by the NIST OSCAL Team featured a compelling presentation by Selena Xiao on *CAPORDINO: A Data Converter to OSCAL Catalogs*. The session provided valuable insights into how CAPORDINO (Cybersecurity and Privacy Open Reference Datasets in OSCAL) contributes to advancing security automation, particularly in the areas of secure software development and patch management, meeting the requirements of Executive Order 14144.

As cybersecurity systems continue to grow in complexity, so does the need for scalable, automated methods of conducting security assessments. CAPORDINO addresses this challenge by converting structured security reference data into OSCAL, a standardized, machine-readable format. The result is an approach that supports continuous assessment with reduced reliance on manual processes.

A significant focus of the presentation was CAPORDINO's use of the Cybersecurity and Privacy Reference Tool (CPRT), which aggregates security guidance from various NIST security frameworks. CPRT provides this data in a structured JSON format, serving as a foundation for conversion into OSCAL documents. This structured format ensures compatibility with both automated systems and human readability.

CAPORDINO's conversion process is built around two key stages: mapping and conversion. CAPORDINO first accesses specific CPRT security reference data through CPRT API HTTP requests, retrieving the necessary data, and uses a JSON processing library to map that data into its corresponding Java objects. From there, multiple classes handle the conversion into OSCAL-formatted XML documents, which are well-structured catalogs that retain all core information from the original references.

What emerged from the workshop was a clear demonstration of how tools like CAPORDINO contribute to modernizing security assessment workflows. Rather than replacing human oversight, automation in this context enhances accuracy, consistency, and speed, all of which are critical as organizations scale their cybersecurity efforts.

This workshop offered a strong example of innovation in cybersecurity. CAPORDINO represents a step forward in reducing the burden of manual documentation while aligning with industry standards for secure system development.


Click here to learn more about the OSCAL Workshops:

Location:

• Online

Date and Time:

• 20 August 2025, 11:00 AM - 12:00 PM EDT

View this August 2025 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.

Inside the OSCAL Mapping Model: A Student's Perspective

August 1, 2025

-- Presented By:

• Stephen Banghart, Technical Coordinator, OSCAL Foundation
• Anca Sailer, Distinguished Engineer, IBM Research
• Vikas Agarwal, Senior Technical Staff Member, IBM Research - India

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee) [email protected]

At the NIST OSCAL 37th Monthly Workshop, Stephen Banghart, Anca Sailer, and Vikas Agarwal delivered a compelling presentation on 'Collaboratively Maturing the OSCAL Control Mapping Model at the OSCAL Foundation'. The workshop provided a comprehensive introduction to the OSCAL Mapping Model, a powerful tool that streamlines security assessments and continuous compliance by automating the mapping of security controls between different frameworks.

The OSCAL Mapping Model is a game changer in security assessments and compliance automation. By enabling the creation of a crosswalk between various control frameworks, it facilitates comparisons and mappings between them. As technology advances rapidly, having a robust security posture is crucial. However, traditional security assessment processes often struggle to scale, which is where the NIST OSCAL team, OSCAL-Compass, and OSCAL Foundation come in, working together to implement a new use case for OSCAL with the Mapping Model. This leverages existing security postures to bootstrap a new mapping model, making it easier for organizations to adapt to changing security requirements.

The ability to map security frameworks is essential for organizations to analyze their compliance with different frameworks. With the OSCAL Mapping Model, users can automate this process, gaining valuable insights into how their current framework aligns with others. The presenters worked through the Mapping Model's use cases, demonstrating how organizations can utilize it to map controls from one security framework to another. This capability benefits a range of stakeholders, including security analysts, who can create detailed guidance and mapping documents to illustrate the relationships between frameworks.

A prototype of the OSCAL Mapping Model is currently being tested, featuring a mapping collection and schema that captures various security fields to demonstrate compliance between source and target control frameworks. The mapping collection includes fields such as 'provenance', which captures common fields across different mappings, and a 'method' field, which indicates the type of method used to map controls (automated, semi-automated, or manual). Additionally, a 'confidence score' field provides an indication of the accuracy and confidence of the produced mapping. On the other hand, the mapping schema captures information about the source and target catalogs/profiles, including a map array structure that specifies the source and target controls being mapped. It also captures the relationship between these controls, including equivalency and gaps (controls that are not mapped or partially mapped). The source and target gap summaries provide a detailed list of specific controls that require attention, enabling users to evaluate and plan for further compliance.

The presenters concluded their presentation by sharing insightful proposals for extending the OSCAL Mapping Model. These include enhancing the 'method' field to allow for user-defined values beyond automated, semi-automated, and manual. Another proposal suggests introducing a 'coverage' field to indicate the extent to which a control is compliant with another, providing a clear understanding of the overlap between controls and the additional work required to achieve complete mapping and compliance.

As the technology landscape continues to evolve, the need for efficient and effective security assessment and compliance automation has never been more pressing. The OSCAL Mapping Model discussed in this workshop is a powerful tool that addresses this need, and the presentation by Banghart, Sailer, and Agarwal demonstrated its potential to revolutionize the way organizations approach security compliance. With the OSCAL community driving innovation and collaboration, the OSCAL Mapping Model is poised to play a vital role in shaping the future of security assessments and compliance processes.
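The mapping fields and gap summaries described above, as an added example written for this page (it is not the OSCAL Foundation's, OSCAL-Compass's or IBM's prototype code): a simplified mapping document using the post's field names, a validation pass over it, and the source and target gap summaries computed from its map array. The dictionary layout, the relationship vocabulary, the sample catalogs and the treatment of "partial" as a gap are assumptions for the example, not the prototype schema.

```python
"""Added example (not the OSCAL Mapping Model prototype): validate a control mapping and
derive source/target gap summaries from its map array.

The layout is a simplified structure assumed for this example. It reuses the field names
the post mentions (provenance, method, confidence score, source and target catalogs, a
map array with relationships) but is not the prototype's schema.
"""
from dataclasses import dataclass

METHODS = {"automated", "semi-automated", "manual"}  # the values named in the post
# Relationship vocabulary assumed for the example; "partial" is the post's partially mapped case.
RELATIONSHIPS = {"equivalent", "partial", "subset", "superset"}

# Constructed sample: two small control catalogs and one mapping between them.
SOURCE_CATALOG = {"id": "src-cat", "controls": ["s-1", "s-2", "s-3", "s-4"]}
TARGET_CATALOG = {"id": "tgt-cat", "controls": ["t-1", "t-2", "t-3"]}
SAMPLE_MAPPING = {
    "provenance": {"author": "example-team", "date": "2025-07-16"},
    "method": "semi-automated",
    "confidence-score": 0.8,
    "source": "src-cat",
    "target": "tgt-cat",
    "map": [
        {"source": "s-1", "target": "t-1", "relationship": "equivalent"},
        {"source": "s-2", "target": "t-2", "relationship": "partial"},
        {"source": "s-3", "target": "t-2", "relationship": "subset"},
        # s-4 and t-3 appear in no entry at all
    ],
}


@dataclass(frozen=True)
class GapSummary:
    unmapped: tuple           # controls with no map entry on this side
    partially_mapped: tuple   # controls whose every entry is "partial"


def validate_mapping(mapping: dict, source: dict, target: dict) -> list:
    """Return a list of problems; an empty list means the mapping is usable."""
    problems = []
    if mapping.get("method") not in METHODS:
        problems.append(f"method must be one of {sorted(METHODS)}")
    score = mapping.get("confidence-score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        problems.append("confidence-score must be a number in [0, 1]")
    if mapping.get("source") != source["id"] or mapping.get("target") != target["id"]:
        problems.append("mapping source/target do not match the supplied catalogs")
    src_ids, tgt_ids = set(source["controls"]), set(target["controls"])
    for i, entry in enumerate(mapping.get("map", [])):
        if entry.get("relationship") not in RELATIONSHIPS:
            problems.append(f"map[{i}]: unknown relationship {entry.get('relationship')!r}")
        if entry.get("source") not in src_ids:
            problems.append(f"map[{i}]: unknown source control {entry.get('source')!r}")
        if entry.get("target") not in tgt_ids:
            problems.append(f"map[{i}]: unknown target control {entry.get('target')!r}")
    return problems


def gap_summary(mapping: dict, catalog: dict, side: str) -> GapSummary:
    """Gap summary for one side ("source" or "target") of the mapping: the unmapped and
    partially mapped controls are the ones the post says require attention."""
    relationships = {cid: set() for cid in catalog["controls"]}
    for entry in mapping["map"]:
        if entry[side] in relationships:  # ids outside the catalog were flagged by validation
            relationships[entry[side]].add(entry["relationship"])
    unmapped = tuple(c for c, rels in relationships.items() if not rels)
    partial = tuple(c for c, rels in relationships.items() if rels and rels <= {"partial"})
    return GapSummary(unmapped, partial)


if __name__ == "__main__":
    assert not validate_mapping(SAMPLE_MAPPING, SOURCE_CATALOG, TARGET_CATALOG)
    print("source gaps:", gap_summary(SAMPLE_MAPPING, SOURCE_CATALOG, "source"))
    print("target gaps:", gap_summary(SAMPLE_MAPPING, TARGET_CATALOG, "target"))
```

Note that a target control can be both the object of a "partial" entry and of a "subset" entry (t-2 above); the summary treats it as mapped because the gap exists only on the source side, which is why the two summaries are computed independently.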


Click here to learn more about the OSCAL Workshops:

Location:

• Online

Date and Time:

• 16 July 2025, 11:00 AM - 12:00 PM EDT

View this July 2025 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.

Test-Driving Compliance: A Student's Perspective on OSCAL & Government Procurement

June 26, 2025

-- Presented By:

• Mats Nahlinder, CEO & Co-Founder, Sunstone Secure
• Robert Ficcaglia, CTO and Co-Founder, Sunstone Secure

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee) [email protected]

Attending the OSCAL Monthly Workshop titled "OSCAL - A 'FastTrack' to agency contracting" was an insightful experience, especially in understanding how compliance and procurement processes can be improved through automation and standardization. The workshop, presented by Mats Nahlinder and Robert Ficcaglia, founders of Sunstone Secure, opened my eyes to the practical challenges agencies face in vendor evaluation and system procurement, and how OSCAL can be a game changer. Their focus on FedRAMP, a government-wide program that standardizes cloud service security assessments, made the topic very relevant.

One key takeaway was the exploration of the current pain points in agency procurement. Despite certifications like SOC-2 or FedRAMP levels, there is often little insight into the actual quality and maturity of a cloud service provider's security posture. This disconnect leads to high risks for agencies, who may contract services that are not fully compliant or mature enough, sometimes only realizing this after the deal is signed. The presenters highlighted how OSCAL can address this by providing a structured, data-driven, and risk-focused approach to evaluating vendors before procurement, rather than relying on broad certifications or fixed risk levels.

The workshop also emphasized how agencies can use OSCAL profiles to define their own risk posture by mapping security controls to frameworks like MITRE ATT&CK, which helps tailor compliance requirements to actual threats. This risk-based posture then becomes the foundation of the RFP process, where agencies specify Key Security Indicators (KSIs) in OSCAL format. Vendors respond with concrete, measurable data about how their systems perform against these KSIs, enabling agencies to make more informed, transparent, and traceable decisions. This approach promises to streamline the procurement cycle by making compliance assessment more precise and tailored.

What fascinated me most was the demonstration of Sunstone's Artemis digital twin platform. This AI-powered system collects documentation in OSCAL format to automatically generate comprehensive compliance packages, test plans, and audit evidence. The digital twin can simulate attack scenarios and vendor security postures before contracts are signed, essentially allowing agencies to "test drive" vendors' security readiness. This kind of automation not only boosts efficiency, but also improves accuracy and reduces third-party risks, which are crucial for federal agencies managing sensitive data.

Overall, the workshop provided a valuable perspective on how OSCAL is evolving beyond just a technical specification to become a practical tool for risk-driven procurement and continuous monitoring. As a student, it was encouraging to see the blend of standards, AI, and real-world applications come together to solve complex cybersecurity challenges. The ability to customize security controls, measure effectiveness through KSIs, and simulate risk scenarios through a digital twin represents a promising direction for the future of agency contracting. This workshop not only deepened my understanding of cybersecurity compliance but also sparked an interest in how data-driven decision-making and automation can reshape the government acquisition process.


Click here to learn more about the OSCAL Workshops:

Location:

• Online

Date and Time:

• 18 June 2025, 11:00 AM - 12:00 PM EDT

View this June 2025 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.

Demystifying Compliance Automation: A Student’s Perspective on the Continuous Compliance Framework

May 27, 2025

-- Presented By:

• Chris Vermeulen, Principal Engineer, Container Solutions
• Ian Miell, Partner, Container Solutions

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee) [email protected]

This month, I attended a workshop titled "Automated OSCAL-based evidence gathering with The Continuous Compliance Framework", presented by Chris Vermeulen and Ian Miell from Container Solutions. As someone new to the world of compliance automation, I found the session to be a valuable introduction to how modern organizations are tackling the challenges of regulatory mapping in complex systems. The Continuous Compliance Framework (CCF) is an open source tool that automates the collection of compliance evidence through distributed agents. These agents run on different systems and environments, gathering data and feeding it into a centralized API, all while remaining secure and lightweight.

One of the most interesting concepts discussed was how CCF identifies and maps “subjects” and “components” without relying on centralized identifiers like UUIDs. Instead, it uses attribute-based mapping to determine if two pieces of evidence relate to the same subject, allowing the system to correlate data from various sources efficiently. This makes compliance tracking much more manageable, especially in large-scale, distributed environments where manual mapping would be time-consuming and prone to errors. I appreciated how the framework is designed to scale across environments, from GitHub repositories to Linux hosts, making it highly flexible and practical.

Another highlight was seeing how CCF integrates with the OSCAL format. The team demonstrated an in-progress editor for building system security plans directly within the framework, complete with visual tools like diagram editors for network and component layouts. This approach not only simplifies documentation but also ensures that compliance data is machine-readable and easy to export. Overall, the workshop gave me a clearer understanding of the future of compliance automation and how thoughtful tooling can turn a complex process into something far more manageable.

Click here to learn more about the OSCAL Workshops:

Location:

• Online

Date and Time:

• 21 May 2025, 11:00 AM - 12:00 PM EDT

View this May 2025 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.

Revolutionizing Compliance Through Machine-Readable Data: A Student's Perspective

April 16, 2025

-- Presented By:

• Brian Ruf, Independent Consultant, RufRisk
• Pirooz Javan, CTO, Easy Dynamics
• Juan Risso, Lead Software Engineer, Easy Dynamics

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee) [email protected]

I had the chance to attend a fascinating workshop titled "OSCAL Catalogs: Create Easily and Use Broadly," presented by experts Brian Ruf (RufRisk), Pirooz Javan (Easy Dynamics), and Juan Risso (Easy Dynamics). The session gave a deep dive into OSCAL and its use in various industries. While I initially thought OSCAL was focused solely on cybersecurity compliance frameworks, I quickly learned that its applications can stretch far beyond that, offering a powerful tool for managing a wide variety of regulatory and requirement-based scenarios.

At its core, OSCAL was created to handle cybersecurity requirements, including well-known frameworks such as NIST SP 800-53 and SOC 2. These are essential standards in managing cybersecurity risk and compliance, but the workshop revealed that OSCAL can be applied much more broadly. It turns out OSCAL is highly versatile and can be used to manage virtually any type of requirement (including products, services, or processes) across multiple industries. The ability to define requirements clearly, track their implementation, and assess compliance can be a game-changer for industries like healthcare, manufacturing, financial services, and even construction.

What was particularly intriguing was the emphasis on machine-readable data. Traditionally, compliance requirements are stored in formats like PDFs or Word documents, which are difficult to track and are often prone to errors. OSCAL solves this problem by structuring data in a way that machines can easily process, enabling automation and reducing human error. The presenters explained that by starting with OSCAL, organizations can seamlessly convert human-readable formats like HTML, Word, and Excel into machine-readable data, ensuring that compliance documents are both accessible and actionable. This concept of bridging the gap between machine-readable and human-readable data was one of the most important takeaways from the workshop.

The workshop also featured a live demonstration of the Comply Zero platform, which is built around OSCAL and helps manage compliance lifecycles. In the demo, we saw how OSCAL catalogs can be created, managed, and assessed through an intuitive interface. The ability to define controls, parameters, and assessment objectives, and link them together, showcased how OSCAL can help organizations streamline their compliance processes.

One of the key points made during the workshop was the idea that OSCAL’s machine-readable format enables automation and more efficient tracking of compliance efforts. As regulations become more complex, tools like OSCAL will be essential in managing and evaluating compliance in real time, minimizing the risks of human error, and reducing the time spent manually cross-referencing documents. This is especially critical in industries where compliance is not just a best practice but a legal requirement. Starting with OSCAL allows organizations to build a solid foundation for automation, and the ability to generate reports and assessments more easily means that stakeholders can focus on the actual outcomes rather than the complexity of the paperwork.

Overall, this workshop was incredibly informative. I walked away with a much deeper understanding of how OSCAL works and how it is revolutionizing the way industries track and assess compliance requirements. It became clear to me that OSCAL is more than just a tool for cybersecurity: it’s a versatile solution with broad potential applications in fields like healthcare, construction, manufacturing, and finance. As a student, I’m excited about the possibilities this open standard offers for the future of compliance management.


Click here to learn more about the OSCAL Workshops:

Location:

• Online

Date and Time:

• 16 April 2025, 11:00 AM - 12:00 PM EDT

View this April 2025 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.

OSCAL Continues to Grow Roots in Europe

The European Cyber Security Organization convenes “Actions Beyond Words: Automating Audits for Streamlined Cybersecurity Policy Compliance in Europe”

An awareness session on OSCAL for European cybersecurity practitioners

April 9, 2025

The European Cyber Security Organization (ECSO) is organizing an event titled “Actions Beyond Words: Automating Audits for Streamlined Cybersecurity Policy Compliance in Europe.” This session aims to discuss how to automate compliance with cybersecurity policies and the security assessment, auditing, and continuous monitoring processes, raising awareness about the Open Security Controls Assessment Language (OSCAL), its applications, and its benefits in this domain. It is primarily addressed to the European cybersecurity community, including policymakers, GRC practitioners, and researchers, while also promoting dialogue between like-minded geographies on topics of common interest. Organizations, whether private corporations, government agencies, or supervisory authorities, face significant challenges worldwide in managing compliance with various national and international laws, contractual clauses, and standards. The proliferation of cybersecurity regulations and standards in Europe exacerbates these challenges. Fostering a collaborative approach, in line with its nature as a public-private partnership, ECSO can bring together the private and public sectors, promoting expert debate grounded in substantive discussions and focused on solutions that benefit the entire ecosystem.

Click here for the event agenda and more information:

Location:

• Online

Date and time:

• 23 April 2025, 15:00 CEST / 9:00 EDT

Registration:

Agenda

Time | Session | Speakers
10 min | Opening Remarks | ECSO
40 min | Continuous Proactive Security with OSCAL: Going Beyond ‘Shift Left’ | Michaela Iorga, Supervisory Computer Engineer, Secure Systems and Applications Group, National Institute of Standards and Technology (NIST)
20 min | Build with OSCAL: Use-cases for adoption and beyond | Fritz Kunstler, Principal Security Engineer, Amazon Web Services (AWS)
20 min | OSCAL and European Cybersecurity Public Policy | Cristian Tracci, Senior Manager, Policy Analysis and Outreach Stream, ECSO
30 min | Cobalt EU Initiative for Automated Compliance | Antonio Skarmeta, Full Professor, and Sara Nieves Matheu Garcia, Assistant Professor, University of Murcia
30 min | Open Discussion | Moderated by ECSO

Learn more about ECSO at ecs-org.eu

Exploring the OSCAL-based AI-augmented CISO Agent: A Student's Perspective

March 19, 2025

-- Presented By:

• Anca Sailer, Distinguished Engineer, IBM TJ Watson
• Hirokuni Kitahara, Research Scientist, IBM Tokyo
• Saki Takano, Research Scientist, IBM Tokyo
• Takumi Yanagawa, Research Advisory Software Developer, IBM Tokyo
• Yuji Watanabe, Research Senior Technical Staff, IBM Tokyo

-- Blog by: Marilyn Nguyen (NIST Pathways, IT Student Trainee) [email protected]

I recently attended the OSCAL workshop titled "OSCAL-based AI-augmented CISO agent", hosted by our partners at IBM. The focus of the session was on leveraging OSCAL for AI-augmented compliance automation and policy validation. Over the past five years, IBM has made OSCAL a key part of their strategy for expressing security and compliance requirements across various domains, including infrastructure, data, AI, applications, and business processes.

During the workshop, I learned about IBM's 4-step compliance lifecycle, with a particular emphasis on the assessment phase. The session detailed how IBM bridges authored compliance controls with real-time validation through their Compliance to Policy (C2P) framework. I was particularly impressed by how C2P uses OSCAL component definitions and a plug-in based architecture to generate technology-specific policies, such as Ansible playbooks or Kyverno rules. These policies are then deployed in actual or pre-deployment environments for validation. What really stood out to me was how the C2P core interprets OSCAL structures, mapping controls to relevant policies, and generating validation results into standardized OSCAL assessment outputs. This system seems like a game-changer for organizations looking to streamline their compliance processes.

Overall, the workshop gave me a deep dive into how structured compliance data, combined with Gen-AI and automated tools, can create a seamless and scalable compliance pipeline. I left the session with a solid understanding of how IBM is applying these technologies to modern cloud-native and AI-integrated systems. It's exciting to see how AI and automation are playing a key role in shaping the future of compliance.

Click here to learn more about the OSCAL Workshops:

Location:

• Online

Date and Time:

• 19 March 2025, 11:00 AM - 12:00 PM EDT

View this March 2025 workshop recording and other files here.

Learn more about the OSCAL Monthly Workshop series here.

OSCAL Foundation launches to move security standard forward

February 7, 2025

-- John Banghart [email protected]

The ability to automate security assessments of information technology systems is critical. It removes the possibility of human error and assists in overall security compliance. The Open Security Controls Assessment Language (OSCAL) is a machine-readable language that automates, simplifies, and standardizes these assessments.

OSCAL was originally developed by the National Institute of Standards and Technology (NIST) in collaboration with FedRAMP and industry, and aims to improve the efficiency, timeliness, accuracy, and consistency of system security assessments and significantly reduce the associated paperwork. To carry this work forward, the OSCAL Foundation has launched to advance the development and adoption of OSCAL by industry and government.

The Foundation will focus on six objectives: adoption, education, community, development, extension, and internationalization. The OSCAL Foundation will bring together communities to collaborate on advancing the use of the standard. The foundation has been created to offer support and resources for OSCAL and its community to increase adoption, new use cases, and integration into the globally recognized compliance standards.

“NIST developed OSCAL to standardize the digitization of foundational risk management artifacts in support of the automated assessment and monitoring of system controls,” said Dr. Michaela Iorga of NIST. “OSCAL seeds the evolution of next-generation compliance processes and tools to facilitate interoperability, reliability, and cost-effectiveness with minimal human interaction. The OSCAL Foundation will bring the community support that we need to accelerate OSCAL adoption across the globe.” The Foundation will host a kickoff event on Tuesday February 11th at 1 p.m. at Venable LLP in Washington, D.C. with a webinar viewing option available. Registration is required. More information is available here.

Click here for the event agenda and more information:

Location

Civiletti Center, 600 Massachusetts Ave NW, Washington, DC 20001

Registration

Agenda

Time | Session
1:00 p.m. - 1:10 p.m. ET | Introduction: John Banghart, Venable
1:10 p.m. - 1:30 p.m. ET | Keynote: Hart Rossman, VP, Amazon
1:30 p.m. - 2:10 p.m. ET | Panel discussion: The FedRAMP OSCAL Use Case. (Moderator) Pirooz Javan, Easy Dynamics; Brian Ruf, RufRisk; Travis Howerton, RegScale
2:10 p.m. - 2:50 p.m. ET | Panel discussion: The Global OSCAL Use Case. (Moderator) Michaela Iorga, NIST; Vikram Khare, Google; Matt Weinberg, AWS; Jim Reavis, Cloud Security Alliance
2:50 p.m. - 3:30 p.m. ET | Panel discussion: Financial Services, OSCAL Use Case. (Moderator) Josh Magri, Cyber Risk Institute; Julie Rohlena, US Bank; Elisabeth Nottingham, JPMorgan Chase; John Goodman, Cyber Risk Institute
3:30 p.m. - 4:00 p.m. ET | Discussion of Upcoming Foundation Technical Activities and Q&A. John Banghart, OSCAL Foundation; Ross Nodurft, OSCAL Foundation; Stephen Banghart, OSCAL Foundation
4:00 p.m. - 4:05 p.m. ET | Closing Remarks
4:05 p.m. - 6:00 p.m. ET | Reception & Networking

Learn more about the OSCAL Foundation at OSCALFoundation.org.

2023


OSCAL's Fall Cleaning

September 6, 2023

-- Dr. Michaela Iorga, Director, OSCAL Program [email protected]

Welcome to the Open Security Controls Assessment Language (OSCAL) Blog, open to the NIST OSCAL Team and to the community!

If you work closely with us, you might have noticed we finished a large code repository reorganization alongside the release of OSCAL v1.1.0 and the subsequent OSCAL v1.1.1 release. The OSCAL Project was in desperate need of some internal restructuring, a fall cleaning of sorts. If you are an OSCAL user, the differences should not affect you, but we will still summarize some key changes for you.

One may wonder why we reorganized our code repositories only recently. Our answer is simple: we started small (more than six years ago!) and wanted to keep everything in one place to reduce the maintenance overhead. As we expanded our work, we needed to separate code repositories to get better organized.

Click here to learn about what we changed:

• The OSCAL website's source code (known as OSCAL pages) moved to its own repository, OSCAL-Pages.
• The OSCAL reference documentation's source code moved to its own repository, OSCAL-Reference.
• The Metaschema tooling's source code, which we use to process OSCAL models and generate documentation, moved to its own repo, metaschema-xslt.
• The generated JSON and XML schemas for the models, and the converters for JSON-XML and XML-JSON conversion, are now published only as part of releases; they are no longer saved in the OSCAL repo like source code. We also simplified the build process, making it easier for community members to prototype and propose changes to the OSCAL models.

The NIST OSCAL Team officially maintains those new repos in addition to the existing OSCAL, oscal-content, liboscal-java, and oscal-cli repositories. As priorities shifted, we have paused development on oscal-cat, the catalog authoring tool, and oscal-tools, a library of XSLT transformations for OSCAL developer use cases. Those projects are archived and remain available for reference and demonstration.

For an up-to-date description of all projects and their relationship to one another, please take a moment and review the OSCAL project structure on our website.

Moving forward, the NIST team will author future blog posts as needed. If you have an OSCAL topic you would like to read about or you want to guest-author a blog post, you can email the NIST OSCAL team your proposal and the team will work with you to approve and publish the blog post.

2021


Innovating Security Compliance Through Open Standards

July 7, 2021

-- Easy Dynamics

Discover how open standards like OSCAL are transforming security compliance by streamlining processes and improving transparency. This article by Easy Dynamics explores the benefits of adopting open frameworks to innovate and simplify regulatory requirements in today's complex cybersecurity landscape.

The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project

May 19, 2021

-- Dr. Michaela Iorga, Director, OSCAL Program [email protected]

This blog by Dr. Michaela Iorga discusses the importance of building a foundation of interoperable and portable security automation. It explains how standardized approaches can improve cybersecurity by making security tools and processes more consistent and adaptable across diverse environments. The article highlights key efforts to advance automation that supports stronger, more scalable defenses.

This page was last updated on April 24, 2026.