Secani
Secani
  • Company
  • Roadmap
Request demo

Summarize with AI

Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok
SIBB Startups
Berlin
Kofinanziert von der Europäischen Union
Secani

Jonathan Bezdek

Wörther Straße 9

10435 Berlin


hello@secani.com

Product

  • Security
  • Roadmap
  • Documentation
  • OSCAL

Legal

  • Privacy Policy
  • Terms
  • Cookie settings
  • Legal Notice

Company

  • Company
  • Contact
  • Blog

Support

  • Help
    Blog

    What is OSCAL?

    Jonathan BezdekCTO
    7 min read
    July 14, 2026

    Explore with AI

    Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok

    On this page

    Why compliance is a data problemThe eight document modelsControl layer: catalog and profileImplementation layer: component definition and system security planAssessment layer: plan, results, and open itemsWho uses OSCAL todayHow teams get started in practice

    Why compliance is a data problem

    Security requirements still live mostly in prose: catalogs as PDFs, security plans as Word documents, assessment findings as reports. Prose is flexible, but it comes at a cost. The same requirement gets interpreted differently by different readers, cross-references break with every new version, and every analysis starts with copying, pasting, and manually maintaining spreadsheets.

    This is exactly the problem OSCAL addresses. The Open Security Controls Assessment Language is an open standard led by NIST, developed together with FedRAMP and an international community. OSCAL describes security requirements, their implementation, and their assessment as structured data – available in JSON, XML, and YAML.

    • Requirements get stable identifiers instead of page numbers and headings
    • Relationships between requirement, implementation, and evidence become explicit
    • Tools can validate, compare, and transform the content

    The eight document models

    OSCAL is not a single file format but a family of document models that build on each other. Once you understand the layers, you can find your way around any OSCAL document.

    Control layer: catalog and profile

    A catalog defines requirements, such as the controls of NIST SP 800-53 or the modules of a national standard. A profile selects from it, tailors, and combines: a large catalog becomes the concrete set of requirements for one use case, for example a baseline for cloud services.

    Implementation layer: component definition and system security plan

    A component definition describes how a product or service can satisfy requirements – reusable across many systems. The system security plan (SSP) then documents, for one concrete system, which requirements apply and how they are actually implemented there.

    Assessment layer: plan, results, and open items

    The assessment plan defines what gets tested and how. Assessment results capture observations, findings, and risks in a structured way. The plan of action and milestones (POA&M) manages open items with owners and deadlines – as data, not as an attachment.

    OSCAL 1.2 added the mapping collection on top. It describes relationships between requirements of different catalogs, for instance between an international standard and a national framework. Framework crosswalks themselves become machine-readable.

    OSCAL is a data model, not a tool

    The standard defines the structure and meaning of the content, not the software around it. How OSCAL feels in daily work is decided by the tools – from validators and viewers to the platform where teams actually do their work.

    Who uses OSCAL today

    OSCAL has long outgrown its research roots. FedRAMP, the US cloud authorization program, is moving away from Word and Excel packages and requires structured, machine-readable authorization data – a shift we describe in detail in FedRAMP goes machine-readable.

    Germany has made its call as well: the BSI publishes the content of its Stand-der-Technik-Bibliothek – including the IT-Grundschutz++ catalog – as OSCAL catalogs in XML, JSON, and YAML. The BSI's reasoning is refreshingly pragmatic: OSCAL is internationally established, and a national special format would be a detour. What this means for Grundschutz teams is covered in our post on IT-Grundschutz++ and OSCAL.

    • FedRAMP: machine-readable authorization packages replace document templates
    • BSI: IT-Grundschutz++ ships as an OSCAL catalog on GitHub
    • Community: viewers, validators, libraries, and platforms are converging

    How teams get started in practice

    Getting into OSCAL does not have to be a project. A good first step is to look at a real document and validate it – for example a catalog from the NIST repository or an export of your own.

    With our free OSCAL Validator you can check any OSCAL JSON document against the official schemas directly in the browser, with no upload and no registration. If you want to go deeper, our OSCAL Toolkit provides an open TypeScript library for loading, validating, and transforming OSCAL documents.

    From that point on, OSCAL becomes mostly a question of your working model: which catalogs and profiles apply to us? Where do SSP content and evidence come from? Secani is built OSCAL-native from the ground up – so teams can not only import structured compliance data but actually work in it.

    Build auditable compliance workflows

    Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.

    Request demo

    Related posts

    All posts
    OSCAL
    FedRAMP goes machine-readable

    With RFC-0024 and the Consolidated Rules 2026, FedRAMP makes structured authorization data mandatory. The deadlines are staggered – the direction is unambiguous.

    Read
    OSCAL
    The OSCAL tools landscape

    The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.

    Read
    IT baseline protection
    IT-Grundschutz++ meets OSCAL

    With the Stand-der-Technik-Bibliothek, IT-Grundschutz leaves the PDF behind: IT-Grundschutz++ ships as an OSCAL catalog – changing how ISMS work is organized.

    Read