This website and its code are not currently under active development: read more details here.

Profile Import Examiner

OSCAL Import Examiner

Checking your OSCAL profile with reference to the NIST SP 800-53 (revision 5) control catalog

(Coming soon - not just profiles but other OSCAL models as well)

Load your OSCAL profile XML file(s) here for instant analysis of their control catalog imports (in your browser)...

Explanation

The Import Examiner reads an arbitrary XML document and reports back:

  • If it is (not) a profile XML document in the OSCAL namespace (i.e., represented to be an OSCAL profile)
  • For an OSCAL profile, we examine its imports. We are interested in two things:
    • Does the import make reference to a file whose name indicates SP800-53 in some form?
    • How do its controls appear in reference to SP800-53 or to other control selections including baselines made from it?
  • Included is support for checking your control selections against four sources: the (full) SP 800-53 control catalog; and three control sets derived from it, i.e. the NIST HIGH, MODERATE and LOW control baselines.
  • In later versions we plan to support testing imports in other OSCAL documents, as well as testing constraints over OSCAL data in general, with respect to their imports.

Note: this analysis does not examine the documents actually linked (imported) by your profile. Instead, it examines every import directive as if the SP 800-53 Rev 5 catalog (or other selected baseline) were its intended source, so that source can be supplied by a known and trusted proxy (document). For reference and comparison, please see the SP 800-53 Rev 5 catalog (copy) in this repository. (It then proceeds, in part, to test this premise.)
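As an added illustration (not the Import Examiner's own SaxonJS code), the same check in Python: parse a profile, test whether each import's href names SP 800-53 in some form, compare every with-id against a stand-in control set used as the trusted proxy, and flag the unsupported matches and with-child-controls forms instead of evaluating them. The control id sets, the href pattern and the sample profile are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}

# Constructed stand-ins: a handful of SP 800-53 Rev 5 control ids and a
# LOW-baseline subset (the real catalog and baselines are far larger).
CATALOG_IDS = {"ac-1", "ac-2", "ac-2.1", "au-2", "cm-6", "ia-2"}
LOW_BASELINE_IDS = {"ac-1", "ac-2", "au-2", "cm-6", "ia-2"}

# Assumed heuristic: does the href name SP 800-53 in some form (800-53, 800_53, 80053)?
SP800_53_HREF = re.compile(r"800[-_ ]?53", re.IGNORECASE)

def examine_profile(xml_text, control_set=CATALOG_IDS):
    """Report on each <import> of an OSCAL profile without fetching its target."""
    # Every with-id is judged against control_set as if that set were the import's source.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{OSCAL_NS}}}profile":
        return {"is_profile": False, "imports": []}
    imports = []
    for imp in root.findall("o:import", NS):
        href = imp.get("href", "")
        with_ids = [(w.text or "").strip() for w in imp.findall(".//o:with-id", NS)]
        unsupported = []
        if imp.find(".//o:matches", NS) is not None:  # pattern selection: not evaluated
            unsupported.append("matches")
        if any(ic.get("with-child-controls") == "yes"
               for ic in imp.findall(".//o:include-controls", NS)):
            unsupported.append("with-child-controls")
        imports.append({
            "href": href,
            "looks_like_sp800_53": bool(SP800_53_HREF.search(href)),
            "include_all": imp.find("o:include-all", NS) is not None,
            "unknown_ids": sorted(i for i in with_ids if i not in control_set),
            "unsupported": unsupported,
        })
    return {"is_profile": True, "imports": imports}

# Constructed sample overlay: one import of the LOW baseline selecting a valid
# control, an enhancement that is in the catalog but outside LOW, and a bogus
# id; plus one import of an unrelated catalog that includes everything.
SAMPLE_PROFILE = """<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="00000000-0000-4000-8000-000000000000">
  <import href="NIST_SP-800-53_rev5_LOW-baseline_profile.xml">
    <include-controls><with-id>ac-1</with-id><with-id>ac-2.1</with-id><with-id>zz-9</with-id></include-controls>
  </import>
  <import href="other-catalog.xml"><include-all/></import>
</profile>"""
```

Running examine_profile(SAMPLE_PROFILE, LOW_BASELINE_IDS) reports ac-2.1 as unknown to the LOW baseline even though it resolves against the full catalog, which is exactly the distinction the second bullet above is after.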

Using this analysis you can quickly and easily determine whether your OSCAL profile, considered as a baseline or overlay of Rev 5 or of its overlays (such as the NIST or FedRAMP HIGH, MODERATE or LOW baselines), will resolve correctly into a control selection for an OSCAL processor according to OSCAL profile semantics.

Provided with further back end infrastructure (in the form of appropriate file sets, metadata, and match criteria between import statements and upstream catalogs), this tool can offer the same analysis against arbitrary catalogs. NIST SP 800-53 and its baselines are selected for this demonstration for their ubiquity and ready availability in OSCAL.

A subsequent version of this tool could provide similar import-based analysis of other OSCAL document types including System Security Plans (SSPs) and POA&Ms (Plans of Action and Milestones).

Limitations / tbd:

  • Supports import-control/with-id only, not import-control/matches
  • Does not support import-control/@with-child-controls

The SP 800-53 Import Examiner is an OSCAL demonstration. Use with appropriate caution as disclaimers apply.

Data processing on this page runs entirely in your browser, under SaxonJS. No data is transferred to any other party, monitored or analyzed in any way other than what is displayed.

This page was last updated on March 16, 2023.