Goals of the OSCAL Project
The OSCAL project is working to address the following goals:
Drive a large decrease in the paperwork burden for both information security professionals and vendors.
- Normalize the representation of security control catalogs, regulatory frameworks, and system information using precise, machine-readable formats.
- Allow the sharing of control implementation information across communities.
Improve System Security Assessments
Improve the efficiency, accuracy, and consistency of system security assessments.
- Assess a system's security control implementation against several sets of requirements simultaneously and ensure traceability between the requirements.
- Enable assessments to be performed consistently, regardless of system type.
Enable Continuous Assessment
Allow a system's security state to be assessed more often, ideally continuously, driving continuous assurance.
- Drive a large decrease in assessment-related labor, decreasing assessment and authorization time.
- Support the assessment of control implementation effectiveness based on data collected using a continuous monitoring capability.
OSCAL Design Principles
To address these goals, the OSCAL project is guided by the following design principles.
Interoperable Data Formats
Produce a set of interoperable, extensible, machine-readable formats through a community-focused effort that supports a broad range of control-based risk management processes.
- Provide XML-, JSON-, and YAML-based formats that allow for lossless translations between XML, JSON, and YAML representations.
- Provide a common means to identify and version shared resources.
- Standardize the expression of assessment artifacts, driving crowd-sourced development and improvement across profile and implementation layers.
Be Relevant Now, Enable a Better Future
Align OSCAL models with current, practical information, and support advanced structures that provide for greater automation and verification.
- Ensure security controls, implementation, and assessment processes have full traceability to the selected control baseline and across system boundaries for interconnected systems and common control providers.
- Provide a path for early adoption and ongoing evolution around how OSCAL will be used.