NIST Develops Open Security Controls Assessment Language (OSCAL) to Automate Control Tasks

What is OSCAL?

The Open Security Controls Assessment Language is an open, standardized framework to help document, assess, and maintain security controls. The language can accomplish these tasks by using existing machine-readable languages such as XML, JSON, YAML. 

In a presentation earlier this year, NIST provided this diagram to show the OSCAL content and risk management framework. Screenshot used courtesy of NIST

By leveraging these already existing languages, OSCAL can now automate much of the security control tasks. This not only saves time and money but also reduces human error. OSCAL was created not only to reduce human error but also to standardize how security controls are implemented. By using a standard format, more complex security control systems can be implemented faster and more efficiently. 

As systems become more complicated, and some are even moving to cloud-based systems, documenting and understanding the security controls requirements becomes more complicated. OSCAL was created to help reduce this complexity by first documenting the requirement in a machine-readable language. 

Why is NIST Involved?

NIST stands for National Institute of Standards and Technology. They are responsible for developing standards in measurement and focusing on how technology interacts with other technology. 

NIST was created to improve U.S. industrial competitiveness with other countries. The goal was to standardize and produce better quality products for the global industrial market. Most recently, NIST has been working on developing a way of standardizing and automating security controls.

Machine-Readable Language

At the basic level, a machine-readable language is a language that a machine can understand without losing any data in the process. Examples of machine-readable languages are listed below:

• CSV
• XML
• JSON
• YAML

Using a machine-readable language and a standard format can allow the software tools to consume this data and automate much of the assessing process. 

Security Controls

Security controls are a process to protect a company's assets. These assets could be people, property, or data.  

An industrial engineer checking on security controls on a machine. 

Currently, security controls are developed using text, word processors, or even spreadsheets. All of which are very manual operations, prone to human error, and are sometimes proprietary. These mistakes can lead to disastrous effects. Most recently, you may remember the Colonial Pipeline cyber-attack that happened a few weeks ago. However, this time only data was in danger. If somebody were to have access to the SCADA (supervisory control and data acquisition) control system, costly damage could have been done, or people could have gotten hurt.  

OSCAL Potential

More industrial and utility companies are embarking on advanced SCADA systems that utilize a cloud-based controls solution. These cloud-based systems are vulnerable to cyber-attacks and are becoming very complicated, and require strong security control systems.  

By automating and standardizing the security controls, NIST aims to create a stronger, more efficient system and reduce the workload of understanding, documenting, and assessing these complex systems.  

This year alone, the industrial manufacturing sector has already seen what happens when a security control system has flaws. OSCAL aims to provide an open framework that represents the necessary security information in a machine-readable format to facilitate the automation of the assessment process.