What’s Happening in the OSCAL World?

It has been an interesting few months in the OSCAL community. For those who follow the club on social media, like our own LinkedIn or Twitter posts or even the industry buzz more generally, you have likely observed a delightful new trend.

In those few months, more and more organizations are producing OSCAL content. NIST’s OSCAL Team, and the GSA FedRAMP program alongside them, were the few publicly producing OSCAL content, but no more. In the last few months, other important organizations in the cybersecurity industry have published.

We have seen the Center for Internet Security, U.S. government agencies like the Center for Medicare and Medicare Services, and even the Australian government’s Cyber Security Centre release their catalogs of security controls in OSCAL. These publications are in addition to many commercial entities advertising their use of OSCAL in the press.

What’s OSCAL Club Doing About It?

These are exciting times! We in OSCAL Club want to help maintain, maybe even increase, that momentum. With that in mind, we are going to extend Awesome OSCAL to include a content section.

• Are you an avid community member and found awesome content you want to share with the community? Do you present the organization publishing this content? Either way, open an issue and let us know!
• Do you have OSCAL content and you do not have a place to share it with the community? Whether you are an expert developer with perfectly well-formed, valid content or rough samples where you want community feedback to help improve, reach out to us at GitHub repository for examples. We will support you, help publish samples, and give you a place to collaboratively discuss and develop those examples.

Sharing is an important part of any community, and especially one centered on our beloved format designed to exchange data. We hope this step will help you join us on the worldwide OSCAL journey!

As I watch the OSCAL community expand, I am excited to see an explosive growth in the quantity and quality of OSCAL-based projects. There are many kinds of people involved in OSCAL projects, and I have the wonderful privilege of talking to these many kinds of people, all in different steps of their OSCAL journey. One theme I hear increasingly often from those who have built expertise in OSCAL and get questions from the uninitiated is: OSCAL is a noun, not a verb, why do people not get that!?

With the first production release of OSCAL 1.0.0 in June 2021, there was an understandable desire and pressure in the last year to meet industry demand and implement solutions that bake in OSCAL goodness. During the last year, many developers, security specialists, and executive security leadership embarked on their OSCAL journey. As OSCAL novices, they internalize their own journey and ask a simple question of everyone around them.

How do I OSCAL?

This question conveys the best of intentions, but is still problematic. Using the word OSCAL as a verb implies it has agency, that OSCAL can inherently do things for you. Symbolically and metaphorically, maybe it can. But practically speaking, OSCAL is not an agent of change. It is simply a medium. You can hope that it is a verb, wishfully believing it is a change agent and absolves us from worthwhile challenge of understanding its concepts and internalizing them into your own security program. But that hope is misplaced.

OSCAL, at its core, is an information model (what data make up a system security plan?) and data models (how do I encode the data that makes up a system security plan in JSON? In XML? In YAML?). By definition, these things are nouns.

So what does this small wording change and mindset afford you? A whole lot! OSCAL, in its information models and data models, is a catalyst for all the different kinds of people in the security industry to empower themselves. OSCAL, as the official documents say today, is data-centric, integrated, extensible, and automated. These tenets represent a central theme: data ownership. So, you need to focus on the actual questions.

What am I doing with OSCAL?

How does my security data and workflows fit with OSCAL?

How do I make OSCAL work for my security program?

OSCAL is a noun, you bring the verbs. And this means you own the data and make it work for you.

Breaking News: A New Year, a New Look

Hello to and from the OSCAL Club Community. The community is small and determined, but even for the smallest of communities an easily editable website is key. So here we are! In order to allow those members passionate about compliance and security to contribute to the site directly, developer or not, I introduce the brand new site!

What Changed?

The new website not only has some minor stylistic improvements, but big functionality enhancements.

• The use of the US Web Design System, for a crisp look but also one that is accessible for as many users as possible.

• The adoption of Gatsby and React platform, to allow for easily adaptable styling and interactivity that many web developers will find comfortable.

• Most importantly, the migration to Netlify and NetlifyCMS as a backend. This migration allows preview versions of the website before a pull request is reviewed, all without a full developer environment on their computer.

So, get started today! You can simply click the Help fix this site link in the upper right-hand corner.

Even I missed some things and had to fix them after the launch, you can check them out the changes I made with NetlifyCMS here.

Oh, and expect more blog post series on the intersection of OSCAL and other topics soon. The new workflows will benefit all of us.

As we like to say in the OSCAL Club Community:

World unification equals world domination, have a nice day!

Hopfully, I will get feedback from you soon. (Hey, see what I did there? I look forward to the first fix!)