Open security controls: NIST officially releases OSCAL 1.0.0

The National Institute of Standards and Technology officially released Open Security Controls Assessment Language 1.0.0, a federal government effort to standardize authorization packages and streamline security reviews using a common machine-readable language.

According to the FedRAMP blog announcing the benefits of the release:

  • Cloud service providers can “create their System Security Plans more rapidly and accurately, validating much of their content before submission to the government for review.”
  • Federal agencies can “expedite their reviews of the FedRAMP security authorization packages.”
  • Third Party Assessment Organizations (3PAOs) can “automate the planning, execution, and reporting of cloud assessment activities.”

“The idea of developing OSCAL was fueled by my frustration around the lack of transparency into cloud services’ security posture, in particular, from the cloud consumers’ perspective,” said Michaela Iorga on the NIST blog. “From the beginning, OSCAL was envisioned to be the foundation for interoperable and portable security automation in support of Authorization to Operate processes for all types of systems, not just cloud-based systems – a very challenging task. Because of this challenge, our NIST team partnered in 2016 with GSA/FedRAMP to research and develop OSCAL – the standardized, openly-available, foundational representation of the security information in support of security automation and of risk management frameworks in general.”


About Luke Fretwell

Luke Fretwell is the founder of GovFresh, co-founder/CEO of ProudCity and co-host of the podcast, The Government We Need. Connect with him on Twitter and LinkedIn or email at


This site uses Akismet to reduce spam. Learn how your comment data is processed.