Automated Control-Based Assessment

Supporting Control-Based Risk Management with Standardized Formats

Providing control-related information in machine-readable formats.

The Open Security Controls Assessment Language (OSCAL) is a NIST-led initiative developed in collaboration with industry to modernize and automate the processes of security and compliance. It provides open, machine-readable formats available in XML, JSON, and YAML that streamline control-based risk assessments. By supporting automation, OSCAL dramatically reduces audit durations from months to minutes, minimizes human error, and accelerates compliance with evolving regulations. This enables security professionals to focus on real-world threats rather than spending valuable time on extensive documentation.

Data-centric

Transitions the legacy approach to security plan generation and management (Word and Excel documents) to a data-centric approach based on common data standards such as XML/JSON.

Extensible

Puts security compliance data to work through an extensible architecture that expresses security controls in both machine-readable and human-readable formats.

Integrated

Allows tool developers to implement APIs and provides a standards-based foundation for next-generation compliance tools.

Automated

Applies the benefits of the data-centric approach to automate existing processes that are resource-intensive.

Use Information in OSCAL Formats

Control-based information expressed using OSCAL formats allows you to:

  • Easily access control information from security and privacy control catalogs
  • Establish and share machine-readable control baselines
  • Maintain and share actionable, up-to-date information about how controls are implemented in your systems
  • Automate the monitoring and assessment of your system control implementation effectiveness
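
The first two bullets above, catalogs and baselines, map directly onto the OSCAL catalog and profile models. The following is an added example (not code from the OSCAL project): it builds a constructed, deliberately minimal catalog and profile in the OSCAL JSON shape (required metadata such as `last-modified` and real UUIDs are omitted or replaced with placeholders), indexes every control and enhancement in the catalog, and resolves the profile's `with-ids` selections against it, reporting any control id the baseline references that the catalog does not define.

```python
# Constructed minimal OSCAL catalog (shape follows the OSCAL catalog model:
# catalog -> groups -> controls, with enhancements nested under their parent control).
CATALOG = {"catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",   # placeholder UUID
    "metadata": {"title": "Example Catalog", "version": "1.0", "oscal-version": "1.1.2"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-1", "title": "Policy and Procedures"},
            {"id": "ac-2", "title": "Account Management", "controls": [
                {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
        {"id": "au", "title": "Audit and Accountability", "controls": [
            {"id": "au-2", "title": "Event Logging"}]}]}}

# Constructed OSCAL profile (a baseline): imports the catalog and selects controls by id.
# "sc-99" is deliberately absent from the catalog, to show how a bad selection is caught.
PROFILE = {"profile": {
    "uuid": "00000000-0000-4000-8000-000000000002",   # placeholder UUID
    "metadata": {"title": "Example Baseline", "version": "1.0", "oscal-version": "1.1.2"},
    "imports": [{"href": "catalog.json",
                 "include-controls": [{"with-ids": ["ac-2", "ac-2.1", "au-2", "sc-99"]}]}]}}


def index_controls(catalog: dict) -> dict:
    """Return {control_id: title} for every control and enhancement in the catalog."""
    found = {}

    def walk(controls):
        for ctl in controls:
            found[ctl["id"]] = ctl["title"]
            walk(ctl.get("controls", []))      # enhancements nest under their parent
    walk(catalog.get("controls", []))           # controls may sit directly under the catalog
    for group in catalog.get("groups", []):
        walk(group.get("controls", []))
    return found


def resolve_baseline(catalog_doc: dict, profile_doc: dict):
    """Resolve the profile's with-ids selections; return (selected {id: title}, unresolved ids)."""
    index = index_controls(catalog_doc["catalog"])
    selected, missing = {}, []
    for imp in profile_doc["profile"]["imports"]:
        for sel in imp.get("include-controls", []):
            for cid in sel.get("with-ids", []):
                if cid in index:
                    selected[cid] = index[cid]
                else:
                    missing.append(cid)   # baseline names a control the catalog lacks
    return selected, missing
```

A non-empty unresolved list is the check to run before a baseline is shared or handed to assessment tooling, since downstream automation will silently skip controls it cannot find.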

If you are new to the OSCAL project, we provide learning materials for the project.

This page was last updated on May 8, 2025.