The Open Security Controls Assessment Language (OSCAL) is an open, machine-readable information exchange format designed to increase automation in compliance and risk management, and help teams move away from text-based manual approaches. Led by the National Institute of Standards and Technology (NIST), OSCAL provides standard representations in XML, JSON and YAML for expressing security controls associated with industry frameworks such as SOC 2 and PCI, as well as government frameworks such as FedRAMP in the United States, Singapore's Cybersecurity Control Catalogue and Australia's Information Security Manual.
While OSCAL has not yet been widely adopted outside the public sector and its ecosystem is still maturing, we’re excited by its potential to streamline security assessments, reduce reliance on spreadsheets and box-ticking exercises and even enable automated compliance when incorporated into compliance-as-code and continuous compliance platforms.
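To make the "machine-readable" point concrete, here is an added example (not code from the original text, from Thoughtworks or from the OSCAL project) that parses a small catalog and a system-security-plan fragment and reports which catalogued controls have no recorded implementation, the kind of gap check that would otherwise be a spreadsheet exercise. The two documents are constructed for this example; their field names (`catalog`, `groups`, `controls`, `control-implementation`, `implemented-requirements`, `control-id`) are assumed from the public OSCAL JSON schemas, and the UUIDs, titles and control identifiers are made up.

```python
"""Walk an OSCAL-style catalog and SSP fragment and compute control coverage."""
import json

# Constructed sample documents modelled on OSCAL's catalog and
# system-security-plan JSON layouts (field names assumed from the public
# OSCAL schemas; UUIDs, titles and control ids are invented for this example).
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {
      "title": "Example control catalog",
      "last-modified": "2024-01-01T00:00:00Z",
      "version": "1.0",
      "oscal-version": "1.0.0"
    },
    "groups": [
      {
        "id": "ac",
        "class": "family",
        "title": "Access Control",
        "controls": [
          {"id": "ac-1", "title": "Policy and Procedures"},
          {"id": "ac-2", "title": "Account Management",
           "controls": [
             {"id": "ac-2.1", "title": "Automated System Account Management"}
           ]}
        ]
      },
      {
        "id": "au",
        "class": "family",
        "title": "Audit and Accountability",
        "controls": [
          {"id": "au-2", "title": "Event Logging"}
        ]
      }
    ]
  }
}
"""

SSP_JSON = """
{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "control-implementation": {
      "description": "Constructed example",
      "implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-000000000010", "control-id": "ac-1"},
        {"uuid": "00000000-0000-4000-8000-000000000011", "control-id": "ac-2.1"},
        {"uuid": "00000000-0000-4000-8000-000000000012", "control-id": "zz-9"}
      ]
    }
  }
}
"""


def iter_controls(node):
    """Yield (id, title) for every control under a catalog, group or control.

    Controls nest inside groups and also inside other controls (enhancements
    such as ac-2.1 under ac-2), so the walk recurses through both keys.
    """
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control["id"], control.get("title", "")
        yield from iter_controls(control)


def catalog_control_ids(catalog_doc):
    """Return the set of control ids defined in a parsed catalog document."""
    return {cid for cid, _ in iter_controls(catalog_doc["catalog"])}


def implemented_control_ids(ssp_doc):
    """Return the control ids an SSP's control-implementation claims."""
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    return {req["control-id"] for req in impl.get("implemented-requirements", [])}


def coverage_report(catalog_doc, ssp_doc):
    """Return (missing, unknown) as sorted lists.

    missing: catalog controls with no implemented-requirement in the SSP.
    unknown: implemented-requirements citing a control the catalog lacks
             (typically a typo or a stale reference worth flagging).
    """
    required = catalog_control_ids(catalog_doc)
    claimed = implemented_control_ids(ssp_doc)
    return sorted(required - claimed), sorted(claimed - required)


def load_docs():
    """Parse the constructed sample documents."""
    return json.loads(CATALOG_JSON), json.loads(SSP_JSON)


def run():
    """Run the coverage check over the sample documents."""
    catalog, ssp = load_docs()
    return coverage_report(catalog, ssp)


if __name__ == "__main__":
    missing, unknown = run()
    print("controls with no recorded implementation:", missing)
    print("implemented-requirements citing unknown controls:", unknown)
```

Because the control identifiers are data rather than prose, the same walk works unchanged against any catalog that follows the OSCAL layout, and the two lists it produces are what a continuous-compliance pipeline would turn into a failing check rather than a row someone has to notice in a spreadsheet.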