From: Iorga, Michaela (Fed) <michaela.iorga@nist.gov>
Date: Wed, Sep 27, 2017 at 7:04 PM
Subject: FW: [oscal-dev] OSCAL Documentation Review Requested
To: Division 773 <div773@nist.gov>, "McBride, Tim (Fed)" <timothy.mcbride@nist.gov>, "Greer, Chris (Fed)" <christopher.greer@nist.gov>, "Wollman, David A. (Fed)" <david.wollman@nist.gov>, "Griffor, Edward (Fed)" <edward.griffor@nist.gov>, Division 777 <div777@nist.gov>
Dear colleagues,
David Waltermire and I would like to invite you to a briefing on our project: Open Security Controls Assessment Language (OSCAL) on October 17, 2017 at 2:00PM in Bldg. 215, Rm. C103.
Open Security Controls Assessment Language (OSCAL)
NIST is proposing the development of the Open Security Controls Assessment Language, or OSCAL, a hierarchical, formatted, XML-based (and JSON translation) schema that provides a standard for representing different categories of information pertaining to the publication, implementation, and assessment of security controls.
OSCAL aims to:
- Standardize control, implementation, and assessment information using open, machine-readable formats.
- Normalize the semantics of controls and profiles/baselines/overlays across multiple control catalogs (e.g., NIST SP 800-53, ISO/IEC 27001/2, COBIT 5).
- Provide interoperable formats to ensure that OSCAL information is used by tools in consistent ways.
- Promote adoption of OSCAL by tool developers by ensuring that OSCAL information is easy to create, use, and customize.
OSCAL consists of a number of layers:
Starting from the bottom on the left, the OSCAL layers are:
- Catalog: Defines a set of security controls (e.g., NIST SP 800-53 Appendix F); may also define objectives and methods for assessing the controls (e.g., NIST SP 800-53A).
- Profile: Defines a set of security requirements, where meeting each requirement necessitates implementing one or more security controls; also called a baseline or overlay.
- Implementation: Defines how each profile item is implemented for a given system component (System Security Plan).
- Assessment: Describes how the system assessment is to be performed.
- Assessment Results: Records the findings of the assessment.
OSCAL will also integrate with:
- Metrics: Defines metrics and measurements for understanding the effectiveness of the system’s security.
- Mechanism: Describes methods used to monitor the system’s current security state (e.g., Security Content Automation Protocol (SCAP)).
We have a private repository for this project on GitHub at
https://github.com/usnistgov/O
These documents can be found on GitHub using the following links:
- Overview:
https://github.com/usnistgov/O
- Tag Library:
https://github.com/usnistgov/O
Thank you in advance for your participation. Please feel free to forward this email invitation to any colleague/peer that might be interested in OSCAL
Michaela & David
---
Dr. Michaela Iorga
Senior Security Technical Lead for Cloud Computing
Co-Chair, NIST Cloud Security Working Group
Co-Chair, NIST Cloud Forensic Science Working Group
Director, ITL SURF Program
Secure System and Applications Group 773.03
Computer Security Division, ITL
National Institute of Standards and Technology
Information Technology Laboratory | Computer Security Division
National Institute of Standards and Technology