What is OSCAL?
Why compliance is a data problem
Security requirements still live mostly in prose: catalogs as PDFs, security plans as Word documents, assessment findings as reports. Prose is flexible, but it comes at a cost. The same requirement gets interpreted differently by different readers, cross-references break with every new version, and every analysis starts with copying, pasting, and manually maintaining spreadsheets.
This is exactly the problem OSCAL addresses. The Open Security Controls Assessment Language is an open standard led by NIST, developed together with FedRAMP and an international community. OSCAL describes security requirements, their implementation, and their assessment as structured data – available in JSON, XML, and YAML.
- Requirements get stable identifiers instead of page numbers and headings
- Relationships between requirement, implementation, and evidence become explicit
- Tools can validate, compare, and transform the content
The eight document models
OSCAL is not a single file format but a family of document models that build on each other. Once you understand the layers, you can find your way around any OSCAL document.
Control layer: catalog and profile
A catalog defines requirements, such as the controls of NIST SP 800-53 or the modules of a national standard. A profile selects from it, tailors, and combines: a large catalog becomes the concrete set of requirements for one use case, for example a baseline for cloud services.
Implementation layer: component definition and system security plan
A component definition describes how a product or service can satisfy requirements – reusable across many systems. The system security plan (SSP) then documents, for one concrete system, which requirements apply and how they are actually implemented there.
Assessment layer: plan, results, and open items
The assessment plan defines what gets tested and how. Assessment results capture observations, findings, and risks in a structured way. The plan of action and milestones (POA&M) manages open items with owners and deadlines – as data, not as an attachment.
OSCAL 1.2 added the mapping collection on top. It describes relationships between requirements of different catalogs, for instance between an international standard and a national framework. Framework crosswalks themselves become machine-readable.
Who uses OSCAL today
OSCAL has long outgrown its research roots. FedRAMP, the US cloud authorization program, is moving away from Word and Excel packages and requires structured, machine-readable authorization data – a shift we describe in detail in FedRAMP goes machine-readable.
Germany has made its call as well: the BSI publishes the content of its Stand-der-Technik-Bibliothek – including the IT-Grundschutz++ catalog – as OSCAL catalogs in XML, JSON, and YAML. The BSI's reasoning is refreshingly pragmatic: OSCAL is internationally established, and a national special format would be a detour. What this means for Grundschutz teams is covered in our post on IT-Grundschutz++ and OSCAL.
- FedRAMP: machine-readable authorization packages replace document templates
- BSI: IT-Grundschutz++ ships as an OSCAL catalog on GitHub
- Community: viewers, validators, libraries, and platforms are converging
How teams get started in practice
Getting into OSCAL does not have to be a project. A good first step is to look at a real document and validate it – for example a catalog from the NIST repository or an export of your own.
With our free OSCAL Validator you can check any OSCAL JSON document against the official schemas directly in the browser, with no upload and no registration. If you want to go deeper, our OSCAL Toolkit provides an open TypeScript library for loading, validating, and transforming OSCAL documents.
From that point on, OSCAL becomes mostly a question of your working model: which catalogs and profiles apply to us? Where do SSP content and evidence come from? Secani is built OSCAL-native from the ground up – so teams can not only import structured compliance data but actually work in it.
Build auditable compliance workflows
Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.
Related posts
All postsWith RFC-0024 and the Consolidated Rules 2026, FedRAMP makes structured authorization data mandatory. The deadlines are staggered – the direction is unambiguous.
The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.
With the Stand-der-Technik-Bibliothek, IT-Grundschutz leaves the PDF behind: IT-Grundschutz++ ships as an OSCAL catalog – changing how ISMS work is organized.