Goals of the OSCAL Project

The OSCAL project is working to address the following goals:

Decrease Paperwork

Drive a large decrease in the paperwork burden for both information security professionals and vendors.

  • Normalize the representation of security control catalogs, regulatory frameworks, and system information using precise, machine-readable formats.
  • Allow the sharing of control implementation information across communities.

Improve System Security Assessments

Improve the efficiency, accuracy, and consistency of system security assessments.

  • Assess a system's security control implementation against several sets of requirements simultaneously and ensure traceability between the requirements.
  • Enable assessments to be performed consistently, regardless of system type.

Enable Continuous Assessment

Allow a system's security state to be assessed more often, ideally continuously, driving continuous assurance.

  • Drive a large decrease in assessment-related labor, decreasing assessment and authorization time.
  • Support the assessment of control implementation effectiveness based on data collected using a continuous monitoring capability.

OSCAL Design Principles

To address these goals, the OSCAL project is guided by the following design principles.

Interoperable Data Formats

Produce a set of interoperable, extensible, machine-readable formats through a community-focused effort that supports a broad range of control-based risk management processes.

  • Provide XML-, JSON-, and YAML-based formats that allow for lossless translations between XML, JSON, and YAML representations.
  • Provide a common means to identify and version shared resources.
  • Standardize the expression of assessment artifacts, driving crowd-sourced development and improvement across profile and implementation layers.

Be Relevant Now, Enable a Better Future

Align OSCAL models with current, practical information, and support advanced structures that provide for greater automation and verification.

  • Ensure security controls, implementation, and assessment processes have full traceability to the selected control baseline and across system boundaries for interconnected systems and common control providers.
  • Provide a path for early adoption and ongoing evolution around how OSCAL will be used.

This page was last updated on April 20, 2021.