Skip to main content


The OSCAL models provide standardized formats for exchanging control, control implementation, and control assessment information in XML, JSON, and YAML. These formats allow this information to be exchanged between tools and for individual tools to process exchanged data, supporting analytics, user interaction, and increased automation.

Tools exist that support the use of the OSCAL models. These tools are listed below in the following categories:

  • OSCAL Project provided tools and libraries
  • Open Source Tools provided by 3rd parties

If you have produced a tool that supports the OSCAL formats that you would like to have listed on this page, please contact us.


Certain products may be identified on this web page, but such identification doesn’t imply recommendation by the US National Institute of Standards and Technology or other agencies of the US Government, nor does it imply that the products identified are necessarily the best available for the purpose.

See the NIST Software Disclaimer for more information.

OSCAL Tools and Libraries

Atlasity: Continuous Compliance AutomationC2 LabsAtlasity CE (release 2.0) runs in any environment and supports the development of OSCAL v1.0 content for Catalogs, Profiles, System Security Plans and Components. Additional detail can be found in this blog post: Atlasity Delivers Free Tools to Create OSCAL edition
Compliance trestleIBMA python SDK and command line tool which manipulates OSCAL structures and supports transformation of data into source
control_freakRisk ReduxThis tool seeks to provide folks with a searchable and easy-to-navigate reference for NIST SP 800-53 Revision 5. It is an open-source application from the Risk Redux project, built using parsed content directly from the OSCAL
DRT ConfidenceDRT Strategies Inc.DRTConfidence is a next generation Governance, Risk and Compliance (GRC) solution to help organizations transition to OSCAL and continuous compliance. DRTConfidence is available in FedRAMP High environments and supports all OSCAL artifacts: Catalogs, Profiles, Component Definitions, System Security Plans, Security Assessment Plans, Security Assessment Reports, POAMs and conforms to the OSCAL v1.0.0 specification and its schemas. Additional information can be found at DRT Confidence for FedRAMP.Commercial License
Ignyte Assurance PlatformIgnyte Assurance PlatformModern security risk and compliance orchestration platform for managing near real-time authorization decisions for FedRAMP, Continuous ATOs and CNSSI 1253 packages (ie SSPs, SAP, SARs, POA&Ms, etc...) Allows the ability to build, manage and streamline OSCAL components. OSCAL data model with options for simplified OSCAL data models for commercial, Federal and DoD ATO packages.Commercial License
OSCAL4NEO4JThe OSCAL4NEO4J ProjectThis project features a set of Neo4J cypher scripts which will import OSCAL catalogs and profiles directly from the official Github-repositories into a Neo4J database. Once imported, the information can be queried to gain insight into the structure of those catalogs and baselines. The project aims to add tool support for the implementation and assessment layers by allowing generation of component definitions, system security plans, assessment-plans, assessment-results and POA& source
OSCAL Deep DiffNIST OSCAL ProjectA Typescript-based CLI application and library that produces machine readable and human-consumable comparisons of JSON OSCAL source
OSCAL EditorEasy DynamicsSimple Docker deployment of the OSCAL REST Service and web-based OSCAL React user interface for the OSCAL source
OSCAL Java LibraryNIST OSCAL ProjectA Java-based programming API for reading and writing content conformant to the OSCAL XML, JSON, and YAML based source
OSCAL React Component LibraryEasy DynamicsA library of reusable React components and an example user interface application that provides a direct UI into source
OSCAL REST APIEasy DynamicsAn initial OpenAPI definition of an OSCAL REST API that describes how systems might manipulate catalogs, profiles, components, and source
OSCAL REST ServiceEasy DynamicsInitial implementation of some the OSCAL REST API which persists data as files in local source
Xacta 360TelosXacta 360 is a cyber risk management and compliance analytics platform that enables users to create and submit FedRAMP system security plans (SSPs) in OSCAL format. Future OSCAL capabilities are forthcoming as the standard evolves.license
XML Jelly SandwichWendell Piez (NIST)Interactive XSLT in the browser includes OSCAL source
XSLT ToolingNIST OSCAL ProjectA variety of Extensible Stylesheet Language (XSL) Transformations (XSLT), Cascading Style Sheets (CSS), and related utilities for authoring, converting, and publishing OSCAL content in various source

This page was last updated on July 5, 2022.