trevor-vaughan/OSCAL

Open Security Controls Assessment Language (OSCAL)

Current work is happening in the master branch.

NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical XML- and JSON-based formats that provide a standardized representation for different categories of information pertaining to the publication, implementation, and assessment of security controls. OSCAL is being developed through a collaborative approach with the public. Public contributions to this project are welcome.

With this effort, we are stressing the agile development of a minimal format that is generic enough to capture the breadth of data in scope (controls specifications) while also being capable of ad hoc tuning and extension to support the peculiarities of both standard (industry or sector) and new control types.

The OSCAL website provides an overview of the OSCAL project, including an XML and JSON schema reference, examples, and other resources.

This repository consists of the following directories and files pertaining to the OSCAL project:

  • .github: This directory holds GitHub issue and pull request templates for the OSCAL project.
  • docs: This directory contains a variety of documentation files and artifacts. They include copies of graphics, old drafts of documentation pending conversion to the new documentation format, and detailed documentation for the OSCAL schema, including a tag library.
  • examples: This directory contains numerous OSCAL examples in both XML and JSON formats. Some examples are considered provisional "finished" versions of OSCAL catalogs and profiles; they are not authoritative but are intended as demonstrations of OSCAL. Other examples are works in progress. Each subdirectory within the examples directory clearly indicates the current status of its example files.
  • lib: This directory contains a variety of supporting files. For example, it holds core XSLT stylesheets for processing OSCAL. It also contains scripts and utilities used internally by the OSCAL developers.
  • schema: This directory contains the OSCAL schemas and related validation tools. The directory contains both XML and JSON representations for OSCAL.
  • sources: This directory contains copies of resources not maintained by the OSCAL project that have been used as sources for producing OSCAL artifacts. For example, the sources directory has a copy of the NIST SP 800-53 control data feed schema.
  • working: This directory contains development artifacts that comprise the implementation of the OSCAL catalog and profile layers. Examples of artifact types in this directory include XML, XSLT, CSS, script, Markdown, and sample files, plus supporting files.
  • CONTRIBUTING.md: This file is for potential contributors to the OSCAL project. It provides basic information on the OSCAL project, describes the main ways people can make contributions, explains how to report issues with OSCAL, and lists pointers to additional sources of information. It also has instructions on establishing a development environment for contributing to the OSCAL project and using GitHub project cards to track development sprints.
  • LICENSE.md: This file contains license and copyright information for the files in the OSCAL GitHub repository.
  • USERS.md: This file explains which types of users are most likely to benefit from consuming OSCAL tools and content when they are available.

Languages

  • HTML 83.1%
  • XSLT 13.5%
  • XProc 1.8%
  • CSS 1.3%
  • Other 0.3%