OSCAL 1.0.0 Release Candidate 1
We are pleased to announce the publication of OSCAL 1.0.0 Release Candidate 1 (RC1). This is a full draft release of OSCAL 1.0.0 which is made available for public review and feedback before releasing the final OSCAL 1.0.0.
The OSCAL 1.0.0 RC1 includes:
- Updated stable versions of catalog and profile models which provide a structured representation of control catalogs and baselines or overlays.
- Updated stable version of the system security plan model which provides a structured representation of a system's control-based implementation. This model has been enhanced to support documenting how controls from an existing authorized system can be leveraged in another information system, which supports common control provider and platform as a service (PaaS) use cases.
- Updated stable version of the component definition model which provides a structured representation of the controls that are supported in a given implementation of a hardware, software, service, policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
- Revised drafts of the assessment plan, assessment results, plan of action and milestones (POA&M) models, which support the structured representation of information used for planning and documenting the results of an information system assessment or continuous monitoring activity. These models have been enhanced to better support continuous assessment; to provide more traceability between the assessment schedule, specific assessment activities, collected data, and resulting findings and identified risks; and to improve the extensibility of these models.
- Updated tools to convert between OSCAL XML and JSON formats, and to up-convert content from milestone 3 to RC1.
These changes were made based on all the excellent feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.
The NIST team is also maintaining OSCAL content that is updated to the latest OSCAL 1.0.0 RC1. The OSCAL content repository provides OSCAL examples, in addition to the final NIST SP 800-53 revision 5 catalog and the final security and privacy NIST SP 800-53B baselines. All this content is provided in XML, JSON and YAML formats, including the following:
- Updated content for the NIST SP 800-53 revision 4 catalogs, and for the three NIST baselines.
- Updated content in OSCAL XML, JSON and YAML formats of the FedRAMP SP 800-53 revision 4 baselines. Please note, these baselines are also available in the GSA/fedramp-automation repository.
To download this release, click on Assets below and download either the .zip or the *.tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.
The OSCAL team is working to release OSCAL 1.0.0 FINAL. To this end, we appreciate any feedback you have on the updated RC1 models. Receiving your comments is instrumental for our team to make the OSCAL 1.0.0 FINAL release as robust as is feasible, and to address any gaps that might cause backwards compatibility issues between future OSCAL minor releases (e.g., 1.1.0, 1.2.0) and OSCAL 1.0.0.
At our end, we will continue the development of OSCAL focusing our full attention on providing a more complete set of documentation for all the OSCAL layers and models, creating more examples, and providing a diverse set of tutorials.
NIST is also seeking tool developers, vendors, and service providers that would like to implement the OSCAL 1.0.0 models in commercial and open-source offerings. To provide feedback, to ask questions, or to let us know about an OSCAL implementation you are working on, please email the NIST OSCAL team at oscal@nist.gov. You can also post publicly to the OSCAL development list: oscal-dev@list.nist.gov or create an issue on our GitHub repository.
Please find instructions for joining the OSCAL development and update lists on our contacts page.