Community Engagement on the Open Security Controls Assessment Language (OSCAL)

Federal Register, Jul 25, 2024
89 Fed. Reg. 60356 (Jul. 25, 2024)

AGENCY:

National Institute of Standards and Technology, Department of Commerce.

ACTION:

Notice.

SUMMARY:

The National Institute of Standards and Technology (NIST) is seeking to identify stakeholders involved in ongoing or planned activities, including but not limited to standardization, education, and adoption, related to the Open Security Controls Assessment Language (OSCAL).

DATES:

NIST will accept written questions for clarification, comments, and/or pertinent feedback until 11:59 p.m. Eastern Time on August 8, 2024.

ADDRESSES:

Community members involved in ongoing or planned OSCAL-related efforts can submit written questions for clarification, comments, and/or pertinent feedback via email to: oscal@nist.gov or by mail to the contact identified below. Submissions via email should include “OSCAL Engagement” in the subject line of the message.

FOR FURTHER INFORMATION CONTACT:

Michaela Iorga via email to oscal@nist.gov or by phone at 301-975-8431, or by mail to National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, Maryland 20899, Attn: Michaela Iorga, ITL/CSD.

SUPPLEMENTARY INFORMATION:

Background: The Federal Information Security Modernization Act (FISMA) of 2014 (Pub. L. 113-283, 44 U.S.C. 3554) emphasized the importance of information security to the economic and national security interests of the United States. FISMA requires agency heads to report on the adequacy and effectiveness of their enterprise's information security policies, procedures, and practices. For two decades, agencies worked diligently to implement the Office of Management and Budget (OMB) Circular A-130: “Managing Information as a Strategic Resource,” employing Authorization to Operate (ATO) processes reliant on paper-based documentation, manual assessment processes, and non-interoperable proprietary automation processes and tools that do not support security data portability.

NIST initiated the development of the Open Security Controls Assessment Language (OSCAL) to support automated (or computer-assisted) assessment and risk management through operationally sustainable means and to fill federal, national, and international gaps in security assessment automation by providing a set of data-centric, regulatory-agnostic, technical specifications capable of expressing security information in machine-readable formats (XML, JSON or YAML), in support of risk management automation.

The NIST OSCAL program has been working with the public to develop a standardized, open-source, actionable data framework referred to as OSCAL, OSCAL models, or OSCAL framework, and a service interface and proof-of-concept tools for representing and exchanging high-fidelity controls-based IT system risk management data between applications hosted by multiple organizations. This OSCAL framework, the service interface, and tools provide the foundation for a high degree of automation around assessing the underlying system implementation state and the extent to which this state ensures that security and privacy controls are implemented and remain effective.

The immediate acceptance and successful international adoption of the OSCAL framework calls for a long-term NIST vision of OSCAL evolution and incremental maturity into open-source standards developed by industry-accepted standards development organizations. OSCAL will also promote innovation around applying machine learning, robotic process automation, and new knowledge domains to the IT system risk management space.

Community Engagement Areas: NIST seeks to identify community members involved in ongoing or planned activities, including but not limited to standardization, education, and adoption, related to OSCAL. Individual and organizational community members with ongoing or planned activities in these areas may respond to this notice to describe these activities and inform NIST's planning and coordination efforts across the OSCAL program.

Exemplary activities could include, but are not limited to, the following:

  • Assessing OSCAL maturity level readiness for international standardization. This category could include development of open-source OSCAL content for the community's consumption based on the latest released set of OSCAL models (7), and development of tests or OSCAL content exercising the latest prototype OSCAL models.
  • Developing enhancements or new OSCAL models as deemed necessary by the community.
  • Developing OSCAL educational material (tutorials, videos) for all OSCAL-adoption levels, from novice to advanced.
  • Organizing OSCAL events such as conferences, webinars, and workshops for security experts, assessors, auditors, and developers implementing OSCAL-based solutions.
  • Establishing OSCAL incubators (labs) that will develop proof of concept implementations (pilots), tools and adoption best practices guidance.
  • Implementing OSCAL solutions for internal purposes.
  • Implementing OSCAL Governance Risk and Compliance (GRC) tools.

Authority: 15 U.S.C. 272(b)(10).

Alicia Chambers,

NIST Executive Secretariat.

[FR Doc. 2024-16381 Filed 7-24-24; 8:45 am]

BILLING CODE 3510-13-P