This website and its code are not currently under active development: read more details here.

About OSCAL Tools

This site is an open resource available for use and study by developers and organizations in the public and private sectors who wish to explore the Open Security Controls Assessment Language (OSCAL).

All software presented or documented on this site, unless stated otherwise, is subject to the terms of the NIST Disclaimer Statement, copied verbatim below (as of October 25, 2021).

This site offers documentation and demonstration applications supporting and related to OSCAL:

  • As a launchpad for understanding
  • As a proving ground: an opportunity to test and demonstrate OSCAL technologies, specifications, and concepts

In particular, it is necessary to consider when, if ever, it is appropriate to use these technologies to address actual data processing needs in the field. Conceived for the purposes of R&D, the applications are not equally mature and may not be maintained consistently (depending on the case), and some may not even be fully usable or conformant (if and as specifications continue to evolve). Unless stated otherwise, an application appearing here should be taken to come without warranty, as detailed in the disclaimer below.

That being said, real cupcakes can be baked in a toy oven, and in addition to showing capabilities, each project here should document its own version(s) and dependencies, for users to assess. Our development model (relying on public repositories for long-term access and maintenance management) encourages users to fork, modify and adapt.

Site Organization

The site contents are arranged in two parallel branches, Projects and Demos. Projects pages will sometimes link to Demos pages. Demos pages should always link to Projects pages. (This reflects how some but not all projects have demonstrations to be served.) Source code for both is maintained in the GitHub repository, which also contains functioning code not documented on this site but described in readme documentation in the usual way. Specific projects and/or demos may be supported by manual, semi-automated or automated (CI/CD) build processes.

A link is also provided in the main menu to the OSCAL web site where normative specifications can be found.

Site and Project Maintenance Model

This site is presented as a point of access and source of information regarding tools and demonstrations stored in (and in some cases, served from) its repository, or elsewhere. Each project has its own development and maintenance plan appropriate to its deployment and objectives.

This information should be given on pages describing each project or in the readme files of the respective code bases themselves. Similarly, while users are urged to use the GitHub Issues boards to report bugs and pose questions, it is likely that this feedback will be passed to the appropriate project owner or developer, with responses provided accordingly through those channels or others. Community channels such as public meetings, the GitHub repository's Discussions, or resources such as the OSCAL Gitter "Lobby" (real-time chat) are the best ways of determining the activity level and responsiveness for any given OSCAL-related initiative.

Check our Issues page in the GitHub repository

Learn more about OSCAL

This site is offered as an effort parallel to the main OSCAL development project, intended to complement and further catalyze that activity. Accordingly we hope it will grow and evolve as long as OSCAL does.

NIST Disclaimer Statement

Any mention of commercial products within NIST web pages is for information only; it does not imply recommendation or endorsement by NIST.

Use of NIST Information

These web pages are provided as a public service by the National Institute of Standards and Technology (NIST). With the exception of material marked as copyrighted, information presented on these pages is considered public information and may be distributed or copied. Use of appropriate byline/photo/image credits is requested.

Software Disclaimer

NIST-developed software is provided by NIST as a public service. You may use, copy and distribute copies of the software in any medium, provided that you keep intact this entire notice. You may improve, modify and create derivative works of the software or any portion of the software, and you may copy and distribute such modifications or works. Modified works should carry a notice stating that you changed the software and should note the date and nature of any such change. Please explicitly acknowledge the National Institute of Standards and Technology as the source of the software.

NIST-developed software is expressly provided "AS IS." NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED, IN FACT OR ARISING BY OPERATION OF LAW, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY. NIST NEITHER REPRESENTS NOR WARRANTS THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ANY DEFECTS WILL BE CORRECTED. NIST DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF THE SOFTWARE OR THE RESULTS THEREOF, INCLUDING BUT NOT LIMITED TO THE CORRECTNESS, ACCURACY, RELIABILITY, OR USEFULNESS OF THE SOFTWARE.

You are solely responsible for determining the appropriateness of using and distributing the software and you assume all risks associated with its use, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or equipment, and the unavailability or interruption of operation. This software is not intended to be used in any situation where a failure could cause risk of injury or damage to property. The software developed by NIST employees is not subject to copyright protection within the United States.

See the NIST Privacy, Security Notice, and Accessibility Statement

More information about copyright, fair use and licensing for SRD, data and software

Other OSCAL Tools

The main OSCAL documentation site is the primary authoritative reference for OSCAL models, syntax, semantics and operational constraints, with tutorials and links. See its Tools and Contribute pages in particular.

This page was last updated on March 16, 2023.