The National Institute of Standards and Technology released Version 1.0.0 of the Open Security Controls Assessment Language (OSCAL), a machine-readable language for representing security controls, control baselines and the assessment information built on them.
The agency has been working with the Federal Risk and Authorization Management Program (FedRAMP) to standardize authorization packages and streamline reviews using OSCAL, a set of machine-readable data exchange formats called OSCAL models.
“Today, security controls and control baselines are represented in proprietary formats, requiring data conversion and manual effort to describe their implementation,” according to NIST. “An important goal of OSCAL is to move the security controls and control baselines from a text-based and manual approach (using word processors or spreadsheets) to a set of standardized and machine-readable formats. With systems security information represented in OSCAL, security professionals will be able to automate security assessment, auditing, and continuous monitoring processes.”
“Neither the system owners or assessors nor the adjudicating officials need to learn OSCAL or have to even ‘see’ it,” Michaela Iorga, senior technical lead of the Computer Security Division at NIST’s Information Technology Laboratory, said in a blog post. “OSCAL is for tools. What they will see is what the OSCAL-enabled tools will deliver — nice user-friendly interfaces or dashboards with all information in front of them. Similar to how Turbotax operates. And they will be able to focus on what they are subject matter experts on: assessing, auditing or adjudicating. If there is a need, human-readable documentation can easily be created from documents in OSCAL.”
The models are provided in three serialization formats (XML, JSON and YAML) that are kept synchronized so that each can carry the same information, according to NIST. Other organizations can extend OSCAL to address industry-, compliance- or organization-specific content.
The language’s architecture is organized in layers. The lower layers provide information structures that the upper layers reference and use. Each layer has one or more models, each representing an information structure that supports a specific purpose, and each model builds on the information provided by the model or models in the layer below it. A control catalog, for example, sits in a lower layer; a profile that selects controls from that catalog sits above it and is meaningful only in terms of the catalog it imports.
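To make the layering concrete, here is a short added example; it is not code from the article, from NIST or from the OSCAL project. It builds a constructed two-group catalog in OSCAL 1.0 JSON shape and a profile that imports it and selects controls by ID, then resolves the profile against the catalog. The field names (`catalog`, `groups`, `controls`, `parts`, `profile`, `imports`, `include-controls`, `with-ids`) follow the OSCAL 1.0 JSON schema as the editor understands it; the UUIDs, control IDs, titles and prose are invented. The point it shows is why the upper layer depends on the lower one: a profile is only a set of references, so an ID the imported catalog does not define cannot be resolved and must be reported rather than silently dropped.

```python
import json

# Constructed sample documents (not from NIST). Field names follow the
# OSCAL 1.0 JSON shape; UUIDs, control IDs, titles and prose are invented.
CATALOG_JSON = """
{"catalog": {
  "uuid": "11111111-1111-4111-8111-111111111111",
  "metadata": {"title": "Example Control Catalog",
               "last-modified": "2021-06-08T00:00:00Z",
               "version": "1.0", "oscal-version": "1.0.0"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-1", "title": "Policy and Procedures",
       "parts": [{"id": "ac-1_smt", "name": "statement",
                  "prose": "Develop and maintain an access control policy."}]},
      {"id": "ac-2", "title": "Account Management",
       "parts": [{"id": "ac-2_smt", "name": "statement",
                  "prose": "Manage system accounts."}],
       "controls": [
         {"id": "ac-2.1", "title": "Automated System Account Management",
          "parts": [{"id": "ac-2.1_smt", "name": "statement",
                     "prose": "Support account management with automation."}]}]}]},
    {"id": "au", "title": "Audit and Accountability", "controls": [
      {"id": "au-2", "title": "Event Logging",
       "parts": [{"id": "au-2_smt", "name": "statement",
                  "prose": "Identify the events the system can log."}]}]}
  ]}}
"""

# The profile lists one ID ("zz-9") that the catalog does not define.
PROFILE_JSON = """
{"profile": {
  "uuid": "22222222-2222-4222-8222-222222222222",
  "metadata": {"title": "Example Baseline",
               "last-modified": "2021-06-08T00:00:00Z",
               "version": "1.0", "oscal-version": "1.0.0"},
  "imports": [
    {"href": "example-catalog.json",
     "include-controls": [{"with-ids": ["ac-2", "ac-2.1", "au-2", "zz-9"]}]}
  ]}}
"""


def iter_controls(node):
    """Yield every control under a catalog, group or control.

    Groups may nest groups, and a control may carry enhancements as
    nested controls, so recurse through both keys.
    """
    for ctl in node.get("controls", []):
        yield ctl
        yield from iter_controls(ctl)
    for grp in node.get("groups", []):
        yield from iter_controls(grp)


def index_catalog(catalog_doc):
    """Map control ID -> control object for one parsed catalog document."""
    return {ctl["id"]: ctl for ctl in iter_controls(catalog_doc["catalog"])}


def resolve_profile(profile_doc, catalogs):
    """Resolve a profile (upper layer) against the catalogs it imports.

    `catalogs` maps an import href to an already-parsed catalog document;
    a real tool would fetch the href, here it is a local lookup. Returns
    the selected controls in the order the profile lists them, plus any
    IDs the catalog does not define, so dangling references are visible.
    """
    selected, missing = [], []
    for imp in profile_doc["profile"]["imports"]:
        by_id = index_catalog(catalogs[imp["href"]])
        for inc in imp.get("include-controls", []):
            for cid in inc.get("with-ids", []):
                if cid in by_id:
                    selected.append(by_id[cid])
                else:
                    missing.append(cid)
    return {"controls": selected, "missing": missing}


def resolve_samples():
    """Run the resolver on the constructed catalog and profile above."""
    catalog = json.loads(CATALOG_JSON)
    profile = json.loads(PROFILE_JSON)
    return resolve_profile(profile, {"example-catalog.json": catalog})


if __name__ == "__main__":
    result = resolve_samples()
    for ctl in result["controls"]:
        print(ctl["id"], "-", ctl["title"])
    if result["missing"]:
        print("unresolved control ids:", ", ".join(result["missing"]))
```

Running the script lists `ac-2`, `ac-2.1` and `au-2` with their titles and then reports `zz-9` as unresolved. The same resolver would work unchanged on the YAML or XML serialization once parsed into the same tree, which is the practical meaning of the three formats being synchronized.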
āThis first official, major release of OSCAL provides a stable OSCAL 1.0.0 for wide-scale implementation,ā according to NIST. āThis release marks an important milestone for the OSCAL project and for the earlier adopters and implementers of security automation with OSCAL.ā
The stability is concrete: the release includes stable versions of the models along with updated tools for converting OSCAL content between its XML and JSON formats.
Iorga and her team created OSCAL because of her “frustration around the lack of transparency into cloud services’ security posture, in particular, from the cloud consumers’ perspective,” she said in the blog. “OSCAL was envisioned to be the foundation for interoperable and portable security automation in support of Authorization to Operate processes for all types of systems, not just cloud-based systems — a very challenging task. Because of this challenge, our NIST team partnered in 2016 with … FedRAMP to research and develop OSCAL.”
One benefit of the language is that cloud service providers are able to more quickly and accurately create system security plans by validating much of their content before submitting it to the government for review. For agencies, OSCAL will enable them to speed their reviews of FedRAMP authorization packages, while third-party assessment organizations will be able to “automate the planning, execution, and reporting of cloud assessment activities,” according to a June 8 FedRAMP blog post.
OSCAL releases will be incremental, with each milestone focused on stabilizing the layers.
“OSCAL is being designed and created over a series of development epics leveraging an incremental and agile approach,” NIST stated. “Each epic consists of a series of sprints focused on reaching a defined milestone. This approach allows the project team to provide increased value over time at an accelerated pace, by focusing on an 80% solution (Minimally Viable Product (MVP)) that can be implemented in 20% of the time.”
Whatās more, the project is community-driven, meaning the public may help in its development.