The National Institute of Standards and Technology released Version 1.0.0 of the Open Security Controls Assessment Language (OSCAL), a machine-readable language.
The agency has been working with the Federal Risk and Authorization Management Program (FedRAMP) to standardize authorization packages and streamline reviews using OSCAL, a set of machine-readable data exchange formats called OSCAL models.
āToday, security controls and control baselines are represented in proprietary formats, requiring data conversion and manual effort to describe their implementation,ā according to NIST. āAn important goal of OSCAL is to move the security controls and control baselines from a text-based and manual approach (using word processors or spreadsheets) to a set of standardized and machine-readable formats. With systems security information represented in OSCAL, security professionals will be able to automate security assessment, auditing, and continuous monitoring processes.ā
āNeither the system owners or assessors nor the adjudicating officials need to learnĀ OSCALĀ or have to even āseeā it,ā Michaela Iorga, senior technical lead of the Computer Security Division at NISTās Information Technology Laboratory, said in a blog post.Ā āOSCALĀ is for tools. What they will see is what the OSCAL-enabled tools will deliver — nice user-friendly interfaces or dashboards with all information in front of them. Similar to how Turbotax operates. And they will be able to focus on what they are subject matter experts on: assessing, auditing or adjudicating. If there is a need, human-readable documentation can easily be created from documents inĀ OSCAL.ā
The models are provided in three languages — XML, JSON and YAML — that are synchronized so that they can represent the same information, according to NIST. Other organizations can extend OSCAL to address industry-, compliance- or organization-specific content.
The languageās architecture is organized in layers. The lower ones provide information structures that the upper ones reference and use. Each layer has one or more models that represent an information structure supporting a specific purpose. Each model builds on the information provided by the model or models in the lower layer.
āThis first official, major release of OSCAL provides a stable OSCAL 1.0.0 for wide-scale implementation,ā according to NIST. āThis release marks an important milestone for the OSCAL project and for the earlier adopters and implementers of security automation with OSCAL.ā
Thatās because the release includes updated stable versions of the models in addition to updated tools to convert data between OSCAL, XML and JSON.
Iorga and her team created OSCAL because of her āfrustration around the lack of transparency into cloud servicesā security posture, in particular, from the cloud consumersā perspective,ā she said in the blog. āOSCALĀ was envisioned to be the foundation for interoperable and portable security automation in support of Authorization to Operate processes for all types of systems, not just cloud-based systems — a very challenging task. Because of this challenge, our NIST team partnered in 2016 with ā¦ FedRAMP to research and developĀ OSCAL.ā
One benefit of the language is that cloud service providers are able to more quickly and accurately create system security plans by validating much of their content before submitting it to the government for review. For agencies, OSCAL will enable them to speed their reviews of FedRAMP authorization packages, while third-party assessment organizations will be able to āautomate the planning, execution, and reporting of cloud assessment activities,ā according to a June 8 FedRAMP blog post.
OSCAL releases will be incremental, with each milestone focused on stabilizing the layers.
āOSCAL is being designed and created over a series of development epics leveraging an incremental and agile approach,ā NIST stated. āEach epic consists of a series of sprints focused on reaching a defined milestone. This approach allows the project team to provide increased value over time at an accelerated pace, by focusing on an 80% solution (Minimally Viable Product (MVP)) that can be implemented in 20% of the time.ā
Whatās more, the project is community-driven, meaning the public may help in its development.