Skip to main content

OSCAL's Fall Cleaning

Welcome to the Open Security Controls Assessment Language (OSCAL) Blog, open to the NIST OSCAL Team and to the community!

If you work closely with us, you might have noticed we finished a large code repository reorganization alongside the release of OSCAL v1.1.0 and the subsequent [OSCAL v1.1.1 release] (https://github.com/usnistgov/OSCAL/releases/tag/v1.1.1). The OSCAL Project was in a desperate need of some internal restructuring, a fall cleaning of sorts. As an OSCAL user, the differences should not affect affect you, but we will still summarize some key changes for you.

One may wonder why we reorganized our code repos only recently. Our answer is simple: we started small (more than six years ago!) and wanted to keep everything in one place to reduce the maintenance overhead. As we expanded our work, we needed to separate code repos to get better organized.

Here is what changed:

  • The OSCAL website's source code (known as OSCAL pages) moved to its own repo, OSCAL-Pages.
  • The OSCAL reference documentation's source code moved to its own repo, OSCAL-Reference.
  • The Metaschema tooling's source code, which we use to process OSCAL models and generate documentation, moved to its own repo, metaschema-xslt.
  • The generated JSON and XML schemas for the models and converters for JSON-XML and XML-JSON conversion are only published as part of releases, they are not saved in the OSCAL repo like source code anymore. We also simplified the build process, making it easier for community members to prototype and propose changes to the OSCAL models.

The NIST OSCAL Team officially maintains those new repos in addition to the existing OSCAL, oscal-content, liboscal-java, and oscal-cli repos. As priorities shifted, we have paused development on oscal-cat, the catalog authoring tool, and oscal-tools, a library of XSLT transformations for OSCAL developer use cases. Those projects are archived and remain available for reference and demonstration.

For an up-to-date description of all projects and their relationship to one another, please take a moment and review the OSCAL project structure on our website.

Moving forward, the NIST team will author future blog posts as needed. If you have an OSCAL topic you would like to read about or you want to guest-author a blog, you can email the NIST OSCAL team your proposal and the team will work with you to approve and post the blog.

This page was last updated on November 8, 2023.