<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<?xml-stylesheet type="text/xsl" href="../part2stratml.xsl"?><PerformancePlanOrReport><Name>About OSCAL</Name><Description>NIST, in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results...Control-based information expressed using OSCAL formats allows you to:
* Easily access control information from security and privacy control catalogs
* Establish and share machine-readable control baselines
* Maintain and share actionable, up-to-date information about how controls are implemented in your systems
* Automate the monitoring and assessment of your system control implementation effectiveness</Description><OtherInformation>Automated Control-Based Assessment Supporting Control-Based Risk Management with Standardized Formats --  NIST is developing the Open Security Controls Assessment Language (OSCAL) as a standardized, data-centric framework that can be applied to an information system for documenting and assessing its security controls. Today, security controls and control baselines are represented in proprietary formats, requiring data conversion and manual effort to describe their implementation. An important goal of OSCAL is to move the security controls and control baselines from a text-based and manual approach (using word processors or spreadsheets) to a set of standardized and machine-readable formats.</OtherInformation><StrategicPlanCore><Organization><Name>National Institute of Standards and Technology</Name><Acronym>NIST</Acronym><Identifier>_36a9a026-66b6-11e0-86fc-e93d7a64ea2a</Identifier><Description/><Stakeholder StakeholderTypeType="Generic_Group"><Name>Security Professionals</Name><Description>You are responsible for documenting security controls and how they are applied within a system. 
-- With systems security information represented in OSCAL, security professionals will be able to automate security assessment, auditing, and continuous monitoring processes...There are a number of complicating factors contributing to the challenges faced by information system security professionals today.
* Multiple regulatory standards and frameworks, which change over time;
* Regulatory standards and frameworks overlap in scope and can often conflict or be difficult to manage together; and
* Information systems are increasing in size and complexity.
To address information security and privacy risks, the implementation of selected controls needs to be verified and shown to be effective. To provide assurance of a system's security and privacy posture, the control implementation of a system must be correctly described, assessed, and authorized. These tasks are resource-intensive, and often challenging to perform within budget constraints given the complexity of the problem. The standardized formats provided by the OSCAL project help to streamline and standardize the processes of documenting, implementing and assessing security controls. The automation enabled by the OSCAL formats will reduce complexity, decrease implementation costs, and enable the simultaneous, continuous assessment of a system's security against multiple sets of requirements. 
Additionally, paperwork will be significantly reduced.</Description></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Security-Related Information Assessors</Name><Description>You are responsible for assessing security-related information produced by others.</Description></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Security-Related Tool Developers</Name><Description>You build tools and utilities to help other players, enabling them to do more work more consistently, thoroughly, accurately and easily.</Description></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Policy Authors</Name><Description>You write policy documents (catalogs or profiles/baselines/overlays) defining, characterizing and customizing security controls for others to use.</Description></Stakeholder></Organization><Vision><Description>Standardized and machine-readable security controls</Description><Identifier>_94f46014-ba38-11ea-a5e2-d1710283ea00</Identifier></Vision><Mission><Description>To provide security control information in machine-readable formats.</Description><Identifier>_94f461c2-ba38-11ea-a5e2-d1710283ea00</Identifier></Mission><Value><Name>Data-Centricity</Name><Description>Transitions the legacy approach to security plan generation and management (Word and Excel documents) to a data-centric approach based on common data standards such as XML/JSON.</Description></Value><Value><Name>Extensibility</Name><Description>Puts security compliance data to work by allowing an extensible architecture that expresses security controls in both machine and human readable formats.</Description></Value><Value><Name>Integration</Name><Description>Allows tool developers to implement APIs and provide a standards-based foundation for next generation compliance tools.</Description></Value><Value><Name>Automation</Name><Description>Apply the benefits of the data-centric approach to automate existing processes that are resource 
intensive.</Description></Value><Value><Name>Principles</Name><Description>OSCAL Design Principles -- To address these goals, the OSCAL project is guided by the following design principles.</Description></Value><Value><Name>Interoperability</Name><Description>Interoperable Data Formats -- Produce a set of interoperable, extensible, machine-readable formats through a community-focused effort that supports a broad range of control-based risk management processes.</Description></Value><Value><Name>Translation</Name><Description>Provide XML-, JSON-, and YAML-based formats that allow for lossless translations between XML, JSON, and YAML representations.</Description></Value><Value><Name>Identification</Name><Description>Provide a common means to identify and version shared resources.</Description></Value><Value><Name>Standardization</Name><Description>Standardize the expression of assessment artifacts, driving crowd-sourced development and improvement across profile and implementation layers.</Description></Value><Value><Name>Relevance</Name><Description>Be Relevant Now, Enable a Better Future -- Align OSCAL models with current, practical information, and support advanced structures that provide for greater automation and verification.</Description></Value><Value><Name>Traceability</Name><Description>Ensure security controls, implementation, and assessment processes have full traceability to the selected control baseline and across system boundaries for interconnected systems and common control providers.</Description></Value><Value><Name>Adoption</Name><Description>Provide a path for early adoption and ongoing evolution around how OSCAL will be used.</Description></Value><Value><Name>Evolution</Name><Description/></Value><Goal><Name>Paperwork</Name><Description>Decrease Paperwork</Description><Identifier>_94f462b2-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>1</SequenceIndicator><Stakeholder StakeholderTypeType="Generic_Group"><Name>Information Security 
Professionals</Name><Description/></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Information Security Vendors</Name><Description/></Stakeholder><OtherInformation>Drive a large decrease in the paperwork burden for both information security professionals and vendors.</OtherInformation><Objective><Name>Catalogs, Frameworks &amp; Information</Name><Description>Normalize the representation of security control catalogs, regulatory frameworks, and system information using precise, machine readable formats.</Description><Identifier>_94f463fc-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Information Sharing</Name><Description>Allow the sharing of control implementation information across communities.</Description><Identifier>_94f464ec-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective></Goal><Goal><Name>Security Assessments</Name><Description>Improve System Security Assessments</Description><Identifier>_94f465c8-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Improve the efficiency, accuracy, and consistency of system security assessments.</OtherInformation><Objective><Name>Requirements &amp; Traceability</Name><Description>Assess a system's security control implementation against several sets of requirements simultaneously and ensure traceability between the requirements.</Description><Identifier>_94f466b8-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>2.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Consistency</Name><Description>Enable assessments to be performed consistently, regardless of system 
type.</Description><Identifier>_94f4679e-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>2.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective></Goal><Goal><Name>Continuity</Name><Description>Enable Continuous Assessment</Description><Identifier>_94f46884-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Allow a system's security state to be assessed more often, ideally continuously, driving continuous assurance.</OtherInformation><Objective><Name>Labor &amp; Time</Name><Description>Drive a large decrease in assessment-related labor, decreasing assessment and authorization time.</Description><Identifier>_94f46974-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>3.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective><Objective><Name>Effectiveness</Name><Description>Support the assessment of control implementation effectiveness based on data collected using a continuous monitoring capability.</Description><Identifier>_94f46a5a-ba38-11ea-a5e2-d1710283ea00</Identifier><SequenceIndicator>3.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation/></Objective></Goal></StrategicPlanCore><AdministrativeInformation><StartDate>2020-06-03</StartDate><EndDate/><PublicationDate>2020-06-29</PublicationDate><Source>https://pages.nist.gov/OSCAL/</Source><Submitter><GivenName>Owen</GivenName><Surname>Ambur</Surname><PhoneNumber/><EmailAddress>Owen.Ambur@verizon.net</EmailAddress></Submitter></AdministrativeInformation></PerformancePlanOrReport>
