The Open Security Controls Assessment Language (OSCAL), a project under development at the National Institute of Standards and Technology (NIST) in collaboration with the General Services Administration's (GSA) FedRAMP (Federal Risk and Authorization Management Program) program, is creating the foundation for security assessment automation by developing a set of models expressed in standard notations (XML, JSON). These models offer machine-readable representations of the information involved in publishing, implementing, and assessing security and privacy controls.
Dr. Michaela Iorga, NIST senior security technical lead for cloud computing, discussed the goals and progress of the agency's OSCAL project at ATARC's Cloud and Infrastructure Working Group launch on Sept. 4, highlighting how OSCAL enables the development of interoperable automation frameworks and tools for government and industry.
Iorga emphasized that the development of OSCAL is aligned with NIST's Risk Management Framework (RMF) Rev. 2, and highlighted how OSCAL's:
- Automated traceability from a selection of security controls through implementation and assessments, including assessment results; and
- Unified format for representing multiple security frameworks and for consuming the security data;
are the foundational features that make automation, interoperability and machine assistance possible.
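The traceability described above can be shown concretely by walking a selected control through the layers OSCAL models: a catalog of controls, a profile that selects a baseline from it, a system security plan (SSP) that states how each selected control is implemented, and assessment results that record findings against those controls. The example below is added here and is not OSCAL project code; the JSON documents are constructed for illustration, and the field names (`include-controls`, `implemented-requirements`, `findings`, `state`) are simplified assumptions loosely modelled on OSCAL's layering, not the official OSCAL schema.

```python
"""Toy traceability check across OSCAL-style layers (added example, not OSCAL project code).

All four documents below are constructed for illustration. Field names are
simplified assumptions loosely modelled on OSCAL's catalog, profile, SSP and
assessment-results layers; they are not the official OSCAL schema.
"""
import json

CATALOG_JSON = """{
  "catalog": {
    "id": "toy-catalog",
    "controls": [
      {"id": "ac-2", "title": "Account Management"},
      {"id": "ac-3", "title": "Access Enforcement"},
      {"id": "au-2", "title": "Event Logging"}
    ]
  }
}"""

# The profile selects a baseline: only two of the three catalog controls.
PROFILE_JSON = """{
  "profile": {
    "id": "toy-baseline",
    "imports": [
      {"href": "toy-catalog", "include-controls": ["ac-2", "au-2"]}
    ]
  }
}"""

# The SSP implements ac-2 but is silent on au-2 (a deliberate gap).
SSP_JSON = """{
  "system-security-plan": {
    "profile": "toy-baseline",
    "implemented-requirements": [
      {"control-id": "ac-2", "statement": "Accounts are provisioned via the IdP and reviewed quarterly."}
    ]
  }
}"""

# Assessment results record a finding for ac-2 only.
RESULTS_JSON = """{
  "assessment-results": {
    "findings": [
      {"control-id": "ac-2", "state": "satisfied"}
    ]
  }
}"""


def resolve_profile(catalog, profile):
    """Return the catalog controls selected by the profile's imports, keyed by id."""
    by_id = {c["id"]: c for c in catalog["catalog"]["controls"]}
    selected = {}
    for imp in profile["profile"]["imports"]:
        if imp["href"] != catalog["catalog"]["id"]:
            continue  # import points at a different catalog; ignored in this toy
        for cid in imp["include-controls"]:
            if cid not in by_id:
                raise ValueError(f"profile selects unknown control {cid}")
            selected[cid] = by_id[cid]
    return selected


def trace(catalog, profile, ssp, results):
    """Follow each selected control through implementation and assessment.

    Returns {control id: {"implemented": bool, "assessed": bool, "state": str|None}}.
    """
    selected = resolve_profile(catalog, profile)
    implemented = {r["control-id"] for r in ssp["system-security-plan"]["implemented-requirements"]}
    findings = {f["control-id"]: f["state"] for f in results["assessment-results"]["findings"]}
    return {
        cid: {
            "implemented": cid in implemented,
            "assessed": cid in findings,
            "state": findings.get(cid),
        }
        for cid in selected
    }


def gaps(trace_table):
    """Selected controls lacking an implementation statement or an assessment finding."""
    return sorted(cid for cid, row in trace_table.items()
                  if not (row["implemented"] and row["assessed"]))


def run_example():
    """Parse the constructed documents and return (trace table, gap list)."""
    docs = [json.loads(s) for s in (CATALOG_JSON, PROFILE_JSON, SSP_JSON, RESULTS_JSON)]
    table = trace(*docs)
    return table, gaps(table)


if __name__ == "__main__":
    table, missing = run_example()
    for cid, row in table.items():
        print(cid, row)
    print("gaps:", missing)  # au-2 is selected but neither implemented nor assessed
```

Because every layer refers to controls by the same identifier, the check is a set comparison rather than a document-specific parser; that is the property the "Rosetta Stone" framing points at, and it is what lets a tool report, per control, whether the implementation and assessment layers are complete. Control `ac-3` never appears in the output because the profile did not select it.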
“OSCAL is like a Rosetta Stone that enables tools and organizations to exchange information via automation,” Iorga said, while pointing out the following goals for the project:
- Producing a set of extensible formats through a community-focused effort with industry that supports a broad range of control-based risk management processes;
- Supporting control-based risk assessment based on data collected using continuous monitoring;
- Ensuring security controls, implementation, and verification processes have full traceability and inheritance at the baseline and system-interconnection levels;
- Standardizing the expression of security artifacts driving crowd-sourced development and improvements across profile and implementation layers;
- Supporting multiple, interoperable, and lossless machine-readable formats; and
- Providing a common means to identify shared resources.
Iorga said the results of OSCAL are very promising, and invited the audience to NIST's OSCAL workshop, to be held November 5-7, 2019, to learn more about the details of the OSCAL project.