A collection of awesome community resources, maybe not quite production ready, for increasing the adoption of the Open Security Controls Assessment Language, OSCAL.
Before contributing, please review the Contribution Guidelines.
- Australian Cyber Security Centre's Information Security Manual in OSCAL: OSCAL catalogs and profiles for the controls in the Australian Cyber Security Centre's Information Security Manual.
- Center for Internet Security's Critical Security Controls: the 18 CIS Critical Security Controls as an OSCAL catalog, with mappings from those controls to other security control catalogs in the draft OSCAL mapping format.
- CMS Acceptable Risk Safeguards: the catalog of adapted NIST SP 800-53 controls and the tailored profiles used by the Centers for Medicare and Medicaid Services, in OSCAL format. Perhaps the first OSCAL content released by a US government agency other than NIST, independent of any collaboration with FedRAMP.
- Fathom5 SP 800-171 Catalog: the community-maintained version(s) of the NIST SP 800-171 catalog created by Fathom5.
- Alex Koderman's oscal4neo4j: a collection of scripts in Neo4j's Cypher query language that load OSCAL catalog data in JSON format into the Neo4j graph database, potentially for use with the Red Team Project's Security Control Knowledge Graph.
- Brian Ruf's OSCAL-GUI: an example PHP web interface developed by @brian-ruf, formerly of FedRAMP. It has core presentation logic, file import, format conversion, and working profile resolution.
- CivicActions's compliance-io: a library of composable functions for converting OpenControl content to OSCAL.
- CivicActions's oscal-component-definitions: a public collection of OSCAL component definitions for commonly used cloud services, software, security controls, and privacy controls.
- CivicActions's ssp-toolkit: a suite of Python command-line utilities for producing system security plans against NIST SP 800-53 Revision 4 (under the NIST RMF) in OpenControl format. It can now export SSPs to OSCAL.
- Defense Unicorns' bigbang-oscal-component-generator: a CLI utility and Golang libraries that merge individual OSCAL YAML components into a unified OSCAL YAML component definition, focused primarily on the specific needs of Platform One's Big Bang.
- Defense Unicorns' Lula: a command-line tool that consumes OSCAL component-definition files to configure and drive automated control validation for Kubernetes using the Kyverno policy engine.
- Defense Unicorns' go-oscal: a Golang library that generates OSCAL data types.
- DRTConfidence: a GRC platform supporting all OSCAL artifacts (catalog, profile, SSP, SAP, SAR, POA&M) with FedRAMP extensions and validations implemented out of the box. Available in a FedRAMP JAB High authorized Government Cloud Center.
- EasyDynamics OSCAL REST API Draft Standard: an emerging standard for REST APIs, intended to encourage all tool vendors to expose a conformant API surface and so reduce future churn in supporting heterogeneous APIs across OSCAL-friendly tools and services.
- EasyDynamics OSCAL React Library: a fully featured React component library for rendering all the OSCAL object models in JSON format, with a developer-friendly API and a clean (but customizable) React-based UI.
- EasyDynamics OSCAL REST API Service: an initial Java-based implementation of part of the OSCAL REST API listed above. It persists data as files in local directories.
- EasyDynamics OSCAL Editor Deployment: an integrated application combining the REST API service and the React-based frontend (mentioned above), packaged as a simple Docker deployment of both open-source projects. It allows viewing and, for some OSCAL document types and scenarios, editing file content and saving it to a properly configured Docker volume.
- GSA's OSCAL Tools: a collection of open-source tools from GSA teams for converting between OSCAL data (with the required FedRAMP extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.
- GoComply's FedRAMP Utility: a tool that uses oscalkit (see below) to stamp OSCAL data into the FedRAMP Word (DOCX) system security plan templates.
- GoComply's oscalkit: a Golang software development kit and command-line utility for operating on OSCAL data models.
- GovReady's GovReady-Q: an open-source, web-based, self-service GRC tool for automating security assessments and compliance, from @gregelin and the GovReady crew. It focuses on import and export of OSCAL data models.
- Hidayatullah Ahsan's ValidateOscalDocuments: a C# library and console application to validate OSCAL XML documents.
- IBM Compliance Trestle: an opinionated command-line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
- John Jediny's OSCAL Static Site Playground: a static web application built with Gatsby and the US Web Design System and hosted on the Federalist platform, providing a modern, responsive site into which OSCAL data models in JSON format can be dropped.
- MITRE's InSpec OSCAL Plugin: an InSpec plugin developed by MITRE and open-source contributors to prototype the use of InSpec profiles, with variables and configuration data embedded, in OSCAL components, SSPs, and other document instances.
- mocolicious OSCAL-Examples: a collection of different front-end web applications leveraging OSCAL, mainly to show off different development workflows and environments. Current development status and community use are unclear.
- OMB's OPAL: the OSCAL Policy Administration Library (OPAL), a simple web application from the US government's Office of Management and Budget for managing system security plans, using the OSCAL standard to inform its data models.
- NREL Cyber's oscal: a library of types and utility functions for conveniently using the OSCAL JSON object models in TypeScript applications.
- NREL Cyber's oscal-atoms: a library of atomic components for interacting with oscal-cache (see below).
- NREL Cyber's oscal-cache: a library with a collection of stores, commands and queries for an OSCAL application cache.
- Red Hat's OpenControl Database: a web application that demonstrates the conformance of Red Hat technologies to various compliance standards (e.g. NIST SP 800-53 Revision 5) and configuration baselines (e.g. the DISA STIG for Red Hat Enterprise Linux 7), supporting export of various artifacts in OSCAL format using GoComply's library.
- RegScale: RegScale Community Edition is a free-to-use, real-time Governance, Risk and Compliance (GRC) platform that deploys in any environment, integrating with security and compliance tools via API to keep compliance documentation continuously up to date. GRC staff can work in the UI, engineers can write to the API, and OSCAL v1.0 content is generated automatically on demand.
- Risk Redux's Control Freak: a delightful Ruby on Rails application that uses the NIST SP 800-53 control catalogs in OSCAL JSON format to make the controls easily searchable.
- SHR Group's iac2oscal: a collection of Infrastructure-as-Code examples (primarily Ansible and Terraform) showing how to link them to OSCAL component models for more tightly integrated Infrastructure-as-Code and Documentation-as-Code.
- SHR Group's oscal-cli container: a GitHub repository with a supporting GitHub Actions workflow that checks for new releases of the NIST OSCAL team's Java-based oscal-cli tool and bundles each tagged release into an OCI container.
- SHR Group's pyOSCAL: a Python library to convert OSCAL content into Python objects, developed by the clever @mruge. pyOSCAL-Builder generates pyOSCAL dynamically from the latest NIST OSCAL Metaschema.
- SHR Group's OSCAL Diagram Examples: a collection of documentation and diagrams for advanced OSCAL use cases, primarily showing how to interrelate data inside OSCAL component definitions.
- Wendell Piez's OSCAL Profile Import Examiner (XMLJellySandwich): a web-based, in-browser XSLT transform system built on SaxonJS. @wendellpiez has focused one demo on validating an OSCAL profile in XML form by checking its upstream catalog references.
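
Several of the tools above do the same three things under the hood: index a catalog by control id (Control Freak, oscal4neo4j), resolve a profile's control selection against that catalog and flag references to controls that do not exist (OSCAL-GUI's profile resolution, the Profile Import Examiner), and compare a component definition's implemented requirements against the selected controls (the gap a validator such as Lula or Trestle reports). The following is an added example, not code from any project on this list, that performs those checks on constructed sample documents laid out like real OSCAL 1.0 JSON (`catalog` with nested `groups`/`controls`, `profile` with `imports`, `component-definition` with `implemented-requirements`). The UUIDs, the `demo-catalog.json` href, and the control titles are placeholders; only `with-ids`, `include-all` and `exclude-controls` selections are handled, not `matching` patterns or `with-child-controls`.

```python
"""Added example: index an OSCAL catalog, resolve a profile against it, and
report dangling control references and implementation gaps. Not project code."""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed OSCAL-shaped catalog: groups -> controls -> nested enhancements.
CATALOG_JSON = json.dumps({"catalog": {
    "uuid": "11111111-1111-4111-8111-111111111111",  # placeholder
    "metadata": {"title": "Demo catalog", "version": "1.0", "oscal-version": "1.0.4"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-1", "title": "Policy and Procedures"},
            {"id": "ac-2", "title": "Account Management", "controls": [
                {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
        {"id": "au", "title": "Audit and Accountability", "controls": [
            {"id": "au-2", "title": "Event Logging"}]}]}})

# Constructed profile selecting four controls; "au-9" is not in the catalog.
PROFILE_JSON = json.dumps({"profile": {
    "uuid": "22222222-2222-4222-8222-222222222222",  # placeholder
    "metadata": {"title": "Demo profile", "version": "1.0", "oscal-version": "1.0.4"},
    "imports": [{"href": "demo-catalog.json",  # assumed name, resolved by caller
                 "include-controls": [{"with-ids": ["ac-1", "ac-2.1", "au-2", "au-9"]}]}]}})

# Constructed component definition implementing only two selected controls.
COMPONENT_JSON = json.dumps({"component-definition": {
    "uuid": "33333333-3333-4333-8333-333333333333",  # placeholder
    "metadata": {"title": "Demo component", "version": "1.0", "oscal-version": "1.0.4"},
    "components": [{"uuid": "44444444-4444-4444-8444-444444444444", "type": "software",
                    "title": "Demo IdP", "description": "Hypothetical identity provider",
                    "control-implementations": [{
                        "uuid": "55555555-5555-4555-8555-555555555555",
                        "source": "demo-profile.json", "description": "IdP controls",
                        "implemented-requirements": [
                            {"uuid": "66666666-6666-4666-8666-666666666661",
                             "control-id": "ac-1", "description": "Policy is published."},
                            {"uuid": "66666666-6666-4666-8666-666666666662",
                             "control-id": "ac-2.1", "description": "Accounts via SCIM."}]}]}]}})


def iter_controls(node: dict) -> Iterator[dict]:
    """Depth-first walk over groups and controls; enhancements are nested controls."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)


def index_catalog(catalog_doc: dict) -> Dict[str, dict]:
    """Map control id -> control object, rejecting duplicate ids."""
    index: Dict[str, dict] = {}
    for control in iter_controls(catalog_doc["catalog"]):
        if control["id"] in index:
            raise ValueError(f"duplicate control id {control['id']}")
        index[control["id"]] = control
    return index


def resolve_profile(profile_doc: dict,
                    catalogs: Dict[str, Dict[str, dict]]) -> Tuple[List[str], List[str]]:
    """Apply each import's selection to the indexed catalog named by its href.
    Returns (selected ids, dangling ids); dangling ids reference no catalog control."""
    selected: List[str] = []
    dangling: List[str] = []
    for imp in profile_doc["profile"]["imports"]:
        index = catalogs.get(imp["href"])
        if index is None:
            raise KeyError(f"no catalog supplied for import href {imp['href']}")
        if "include-all" in imp:
            wanted = list(index)
        else:
            wanted = [cid for sel in imp.get("include-controls", [])
                      for cid in sel.get("with-ids", [])]
        excluded = {cid for sel in imp.get("exclude-controls", [])
                    for cid in sel.get("with-ids", [])}
        for cid in wanted:
            if cid not in excluded:
                (selected if cid in index else dangling).append(cid)
    return selected, dangling


def implementation_gaps(component_doc: dict, selected: List[str]) -> List[str]:
    """Selected controls with no implemented-requirement in any component."""
    implemented = {req["control-id"]
                   for comp in component_doc["component-definition"]["components"]
                   for impl in comp.get("control-implementations", [])
                   for req in impl.get("implemented-requirements", [])}
    return [cid for cid in selected if cid not in implemented]


def run_demo() -> Dict[str, List[str]]:
    catalog_index = index_catalog(json.loads(CATALOG_JSON))
    selected, dangling = resolve_profile(json.loads(PROFILE_JSON),
                                         {"demo-catalog.json": catalog_index})
    gaps = implementation_gaps(json.loads(COMPONENT_JSON), selected)
    return {"selected": selected, "dangling": dangling, "gaps": gaps}


if __name__ == "__main__":
    for key, ids in run_demo().items():
        print(f"{key}: {', '.join(ids) or '(none)'}")
```

Running the script reports `ac-1, ac-2.1, au-2` as selected, `au-9` as a dangling reference (the kind of error the Profile Import Examiner surfaces before a bad profile propagates into an SSP) and `au-2` as a selected control with no implementation. Real catalogs use the same nesting, so the walker and index apply unchanged to the NIST SP 800-53 JSON; a production resolver would additionally honour `matching`, `with-child-controls`, and the profile `merge` and `modify` sections.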
- Bill Weber's "The Future of SCAP Is the Missing Gap in OSCAL"
- EasyDynamics "Innovating Security Compliance Through Open Standards"
- Greg Elin's "An Orientation to OSCAL in the DevSecOps Pipeline"
- IBM's "Compliance Automated Standard Solution (COMPASS), Part 1: Personas and Roles"
- IBM's "Compliance Automated Standard Solution (COMPASS), Part 2: Trestle SDK"
- IBM's "Compliance Automated Standard Solution (COMPASS), Part 3: Artifacts and Personas"
- Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to OSCAL"
- Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to oscalkit"
- Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to Metaschema"
- Andrew Martin and Control Plane's "Avoiding IaC Potholes with Policy + Cloud Controllers" from CloudNativeSecurityCon North America 2023
- Robert Ficcaglia's "12 Essential Requirements for Policy Enforcement and Governance with OSCAL" from CloudNativeSecurityCon North America 2023
- Brad Hards' ISM OSCAL Catalog: a community developer's collection of the Australian Government's Information Security Manual security controls in the form of an OSCAL catalog and profiles (including the Essential Eight).
- oscal-diagrams: automatically generated diagrams for visualizing the OSCAL data models.