IT-Grundschutz++ meets OSCAL
From PDF compendium to structured data
For decades, IT-Grundschutz – Germany's national security baseline – was above all a body of text: compendium, standards, and implementation guidance as PDFs, maintained in documents, analyzed in spreadsheets. At the end of September 2025, the BSI officially ended that era and published the Stand-der-Technik-Bibliothek on GitHub – with IT-Grundschutz++ as a machine-readable catalog.
This is more than a new storage format. The requirements are available as an OSCAL catalog in XML, JSON, and YAML. Tools can read them directly, reference them, and link them to an organization's own implementation – no retyping, no guessing versions, no page numbers.
- Requirements get stable, machine-readable identifiers
- Updates appear traceably in a public repository
- ISMS tools read the catalog directly instead of manual re-entry
Why the BSI chose OSCAL
The format decision is remarkable. The BSI could have defined its own national data format – and deliberately chose not to. OSCAL is an internationally established standard led by NIST; adopting it keeps German organizations compatible with international frameworks and with a fast-growing tool ecosystem.
Germany thereby joins a larger movement: in the US, FedRAMP is moving to machine-readable authorization packages, and the tooling around the standard is growing quickly. If you want the foundations first, our introduction What is OSCAL? explains how the standard is structured.
What changes for Grundschutz practice
For day-to-day ISMS work, the format change matters more than it first sounds. Today, a substantial share of Grundschutz work consists of transferring requirements from documents into your own structure: into spreadsheets, into GRC tools, into security concepts. Every new edition of the compendium triggers the same exercise again.
With a machine-readable catalog, the logic flips. The tool already knows the requirements, and the actual work shifts to where it belongs: assignment, implementation, evidence, and decisions.
- Target-versus-actual comparisons can be generated automatically instead of maintained by hand
- Changes between catalog versions become diff-able and explainable
- Evidence and justifications link to stable requirement identifiers
A measured transition
Existing security concepts based on Edition 23 do not lose their value overnight – the modernization is a transition that the BSI is detailing step by step. The direction, however, is unambiguous, and teams that organize their structure early benefit twice: today's work gets cleaner, and the later switch gets smaller.
Three preparations have proven useful in our view. They pay off regardless of when an organization formally moves to IT-Grundschutz++.
- Structure existing implementations and evidence so they are unambiguously mapped to requirements
- Audit your tools: can they read OSCAL catalogs natively – or only import and forget?
- Get first-hand experience with the format, for example by opening and checking a catalog in the OSCAL Validator
Our take
We built Secani OSCAL-native from day one – out of the conviction that compliance content should be structured data long before regulators demand it. That the BSI is now taking IT-Grundschutz exactly there confirms the path. If you are preparing the transition to IT-Grundschutz++ and want more than a prettier archive, talk to us.
Build auditable compliance workflows
Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.
Related posts
All postsOnly about a third of affected companies registered with the BSI on time. Until the end of July 2026 this can be fixed – after that, it gets expensive.
With RFC-0024 and the Consolidated Rules 2026, FedRAMP makes structured authorization data mandatory. The deadlines are staggered – the direction is unambiguous.
The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.