
OSCAL Implementation Layer

The OSCAL implementation layer provides models for describing how controls are implemented in a specific system, or in a distributed component that can be incorporated into a system.

The OSCAL models comprising the implementation layer are:

  1. A Component Definition model that allows for the definition of a set of components, each of which describes the controls supported by a specific implementation of hardware, software, or a service; or by a given policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).

  2. A System Security Plan (SSP) model that allows the security implementation of an information system to be defined based on an OSCAL profile (or baseline). OSCAL-based SSPs are expressed in machine-readable formats that can be easily imported into a tool, allowing for increased automation of SSP validation and system assessment. An OSCAL SSP can also be transformed from the machine-readable form into a human-readable version.

  3. Other models may be included in future releases of OSCAL based on community input and need.

The component and SSP models are designed to work together. As specific components are selected for use within a system, the content of the relevant component definition files can be used to populate the use of these components within the SSP model. The SSP model can also be used to represent systems that do not define information at the granularity of a specific component, where component definitions do not exist.
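One way the population step described above might be scripted, as an added example that is not OSCAL project code: it copies a selected component's control statements into SSP by-component entries, keeps only statements written against the SSP's own baseline, and reports baseline controls that no selected component covers. The JSON field names are an assumed, simplified sketch of the OSCAL JSON models, and the sample component definition, UUID and URLs are constructed.

```python
import json

# Constructed sample component definition (simplified; field names are
# assumed to follow the OSCAL JSON model, not copied from a published example).
COMPONENT_DEFINITION = json.dumps({"component-definition": {"components": [{
    "uuid": "11111111-1111-4111-8111-111111111111",
    "type": "software",
    "title": "Example Web Gateway",
    "control-implementations": [
        {"source": "https://example.com/profiles/moderate.json",  # hypothetical baseline URL
         "implemented-requirements": [
             {"control-id": "ac-2", "description": "Accounts are provisioned through the gateway's SSO integration."},
             {"control-id": "au-2", "description": "The gateway emits an access-log record for every request."}]},
        {"source": "https://example.com/profiles/other.json",  # written against a different baseline
         "implemented-requirements": [
             {"control-id": "sc-7", "description": "Applies only under the other baseline."}]}]}]}})


def populate_ssp(component_definition_json, selected_uuids, profile_href):
    """Build the SSP control-implementation section from a component definition.
    Only components selected for this system contribute, and only statements whose
    ``source`` is the SSP's own baseline; other statements are returned in ``skipped``
    as (component-uuid, source) pairs for the SSP author to review."""
    comp_def = json.loads(component_definition_json)["component-definition"]
    reqs = {}        # control-id -> implemented-requirement entry (insertion ordered)
    skipped = []
    for comp in comp_def["components"]:
        if comp["uuid"] not in selected_uuids:
            continue  # component not used in this system: contributes nothing
        for impl in comp["control-implementations"]:
            if impl["source"] != profile_href:
                skipped.append((comp["uuid"], impl["source"]))
                continue  # statement targets a different baseline; do not reuse blindly
            for req in impl["implemented-requirements"]:
                entry = reqs.setdefault(req["control-id"],
                                        {"control-id": req["control-id"], "by-components": []})
                entry["by-components"].append({"component-uuid": comp["uuid"],
                                               "description": req["description"]})
    ssp = {"system-security-plan": {
        "import-profile": {"href": profile_href},
        "control-implementation": {"implemented-requirements": list(reqs.values())}}}
    return ssp, skipped


def coverage_gaps(ssp, baseline_control_ids):
    """Controls required by the baseline that no selected component addresses."""
    covered = {r["control-id"] for r in
               ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]}
    return sorted(set(baseline_control_ids) - covered)
```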

This section contains the following topics:

  • Component Definition Model: XML and JSON format documentation for the OSCAL Component Definition model, which is part of the OSCAL implementation layer in the OSCAL [architecture](/learnmore/architecture/). These formats model a description of the controls that are supported in a given implementation of hardware, software, a service, policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
  • Representing Test Validation Information: Discusses how test validation information (e.g., ) can be represented for an OSCAL component.
  • System Security Plan Model (SSP): XML and JSON format documentation for the OSCAL System Security Plan (SSP) model, which is part of the OSCAL implementation layer in the OSCAL [architecture](/learnmore/architecture/). These formats model the control implementation of an information system.

This page was last updated on June 3, 2020.