Secani
Secani
  • Company
  • Roadmap
Request demo

Summarize with AI

Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok
SIBB Startups
Berlin
Kofinanziert von der Europäischen Union
Secani

Jonathan Bezdek

Wörther Straße 9

10435 Berlin


hello@secani.com

Product

  • Security
  • Roadmap
  • Documentation
  • OSCAL

Legal

  • Privacy Policy
  • Terms
  • Cookie settings
  • Legal Notice

Company

  • Company
  • Contact
  • Blog

Support

  • Help
    Blog

    The OSCAL tools landscape

    Jonathan BezdekCTO
    8 min read
    July 15, 2026

    Explore with AI

    Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok

    On this page

    A young ecosystem with clear categoriesViewers: making OSCAL documents readableValidators: check early instead of failing lateLibraries and CLIs for your own pipelinesPlatforms: OSCAL in daily operationsHow to recognize a good OSCAL tool

    A young ecosystem with clear categories

    If you search for OSCAL tools for the first time, you quickly end up with long lists: the official NIST directory, the community tools page, and curated collections like awesome-oscal. More helpful than any list is a simple map, because almost every tool falls into one of four categories: viewing, validating, processing programmatically, or supporting complete workflows.

    This overview places the best-known tools on that map – and is upfront where we are a vendor ourselves. If OSCAL is new to you, start with our introduction What is OSCAL?

    Viewers: making OSCAL documents readable

    The most mature category. The OSCAL Viewer by Easy Dynamics is the de facto standard: drag a file into the browser, navigate through a catalog, SSP, or assessment results, done. All processing happens in the browser, nothing gets uploaded. Around it, the community is building documentation and registry offerings such as OSCAL Hub that let you open published documents directly in a viewer.

    • Strength: instantly understandable, no installation, no data transfer
    • Limit: viewers are deliberately read-only – you cannot change anything
    • Use it for: reviews, vendor assessments, quickly understanding unfamiliar documents

    Validators: check early instead of failing late

    Before an OSCAL document travels into a target system, it should be checked. NIST provides oscal-cli, a command-line tool built on the Metaschema framework that handles schema validation as well as format conversion.

    For a quick check without installing anything, we built the Secani OSCAL Validator: validate OSCAL 1.2 JSON against the official NIST schemas directly in the browser, with readable error messages and without the document ever leaving your machine. One important distinction: schema validation is the baseline. Whether a document is also complete in substance – for example, meets all mandatory content of a program like FedRAMP – is a separate, stricter layer of checking.

    • Schema validation: is the document structurally valid OSCAL?
    • Constraint validation: does it satisfy the additional rules of a program?
    • Rule of thumb: pull both as early into the workflow as possible

    Libraries and CLIs for your own pipelines

    If you want to integrate OSCAL into CI/CD pipelines or your own products, you reach for libraries. IBM maintains compliance-trestle, a Python framework that treats compliance artifacts like code and embeds them in Git workflows. Defense Unicorns builds Lula, a tool that uses component definitions to automatically validate controls in environments such as Kubernetes. GovReady-Q connects questionnaires with OSCAL import and export.

    For TypeScript teams we are building secani/oscal: an open library for loading, validating, and transforming OSCAL documents across all eight model types – the same foundation our validator and our platform run on.

    Platforms: OSCAL in daily operations

    At the top end sit platforms that do not just import OSCAL but organize work in it. In the US market, RegScale and Paramify are visible, both strongly oriented toward FedRAMP packages. Many classic GRC suites, by contrast, offer an export at best – there, OSCAL is a side dish, not the foundation.

    The real gap is authoring

    Viewing and validating are well solved in 2026. Things get thin where content is created: writing SSPs, maintaining profiles, linking evidence, documenting approvals. That gap is exactly where we are working with Secani – OSCAL-native instead of OSCAL-export.

    How to recognize a good OSCAL tool

    Independent of category, four questions have served us well. They separate tools that take OSCAL seriously from tools that merely tick the box.

    • Is all data preserved – including props, namespaces, and extensions – or do details get lost on import?
    • Does a document survive the round trip of import and export without silent data loss?
    • Are current OSCAL versions supported and version upgrades handled cleanly?
    • Can you trace where every change came from – especially when AI is involved?

    The ecosystem is growing at a high pace, driven by FedRAMP in the US and the BSI in Germany. A good moment to sort out your own toolchain – starting with a validated document.

    Build auditable compliance workflows

    Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.

    Request demo

    Related posts

    All posts
    OSCAL
    FedRAMP goes machine-readable

    With RFC-0024 and the Consolidated Rules 2026, FedRAMP makes structured authorization data mandatory. The deadlines are staggered – the direction is unambiguous.

    Read
    OSCAL
    What is OSCAL?

    OSCAL turns compliance documents into structured data: eight document models, three formats, and an ecosystem that is becoming the standard for regulation.

    Read
    IT baseline protection
    IT-Grundschutz++ meets OSCAL

    With the Stand-der-Technik-Bibliothek, IT-Grundschutz leaves the PDF behind: IT-Grundschutz++ ships as an OSCAL catalog – changing how ISMS work is organized.

    Read