OSCAL 1.0.4 Release

Note: This patch release fixes a defect in the JSON schemas released with OSCAL 1.0.3. Please use this release instead of the 1.0.3 release.

What's Changed

• #1256 Removed duplicated text in identifier use webpage. (PR #1257) @Rene2mt
• #1260 Updated data type documentation and schema constraints to address regex issues in JSON schemas (PR #1265) @david-waltermire-nist, @wendellpiez
• Removed references to specific OSCAL releases inREADME.md (PR #1261) @guyzyl
• Added OSCAL-deep-diff content to tools page (PR #1248) @nikitawootten-nist
• Simplifed release Management in OSCAL Github repo and website (PR #1264) @david-waltermire-nist

New Contributors

• @nikitawootten-nist made their first contribution in #1248

Notable Changes

This release corrects defects in the JSON schemas released with OSCAL 1.0.3. The previously released schemas did not contain the correct regular expressions required to properly constrain data based on the specific data type for a given field. As a result, under the old schemas some data might be allowed to be provided that is invalid. The new JSON schemas in this release correct this defect by restoring the proper regular expressions.

Full Changelog: v1.0.3...v1.0.4

OSCAL 1.0.3 Release

Note: This release contains defective JSON schemas that are missing required regular expressions. This has been corrected in the OSCAL 1.0.4 release. Please use the 1.0.4 release instead of this release.

What's Changed

• #737, #1208 Updated link checker for generate website workflow and improve workflows. (PR #1231) @aj-stein-nist
• #1062 Clarifying system security plan cross-references (PR #1167) @Rene2mt, @aj-stein-nist, @david-waltermire-nist
• #1127, #1186 Updated to latest Metaschema toolchain (PR #1161) @wendellpiez, @david-waltermire-nist, @aj-stein-nist
  • Properly encode high-order Unicode characters in schemas (PR usnistgov/metaschema#183)
  • usnistgov/metaschema#181 Rolled back token datatype to avoid problematic character references
  • usnistgov/metaschema#182 Fixed double-escaped RegEx patterns in output JSON schema causing issues with some RegEx flavors. @wendellpiez
  • usnistgov/metaschema#188 Added support for durations. @wendellpiez, @david-waltermire-nist
  • Adjusted data types in generated XML and JSON schemas. @wendellpiez, @david-waltermire-nist
  • Corrected pruning of unused definitions during XML and JSON schema generation. (PR usnistgov/metaschema#199) @wendellpiez, @aj-stein-nist, @david-waltermire-nist
• #1193 Grammar fixes to assessment-common metaschema only. (PR #1224) @guyzyl
• #1194 Clarified the semantics of implemented-requirement in a component definition as only a suggestion of how to implement. (PR #1232) @david-waltermire-nist
• #1198 Replaced master with main in the git-cheat-sheet.md file' (#1200) @iMichaela
• #1206 Clarified use of set-parameter and how to determine the effective value. (PR #1234) @david-waltermire-nist
• #1209, #1212 Added Issue Triage automation to project. (PR #1210) @aj-stein-nist
• #1211 Clarified use of profile and catalog in import-profile/@href. (PR #1227) @david-waltermire-nist
• #1216 Ensured GitHub Actions Installs Python Dependencies Like Local Docker Environment. (PR usnistgov/oscal-content#103)
• #1220 Corrected metadata/location/address/country regex (PR #1226) @david-waltermire-nist
• Bump minimist from 1.2.5 to 1.2.6 in /build (PR #1195) @dependabot
• Changed GitHub links to point to main branch instead of master branch. (PR #1225) @guyzyl
• Normalized enumerated namespace values to use http prefix consistently (PR #1233) @david-waltermire-nist
  • Normalized enumerated namespace values to use http prefix consistently; created deprecation entries where needed.
  • Updated examples to be consistent with namespace values.
  • Added deprecation entries for old values.
• Fixed typo in the word "separately" (PR #1235) @galtm
• Boolean handling workaround for workflow_call vs workflow_dispatch bug. (PR #1236) @aj-stein-nist
• Improved actions workflow and steps for package release automation. (PR #1240) @aj-stein-nist, @david-waltermire-nist
• Removed unneeded Ruby dependencies. @david-waltermire-nist
• Reordered tools listing alphabetically. @david-waltermire-nist
• Add Ignyte to tools page. (PR ##1197) @caseykulasa

Notable Changes

To fix a number of data type related issues, the underlying type system used in the generated OSCAL XML and JSON schemas was replaced. This change resulted in different names for simple and complex types for data types in XML schemas and some adjustments in data type definitions in JSON schemas. This may cause some issues with schema binding approaches that generate code from the XML or JSON schemas. In such instances, you may need to further customize your binding configurations or make some code adjustments resulting from differently generated code.

Full Changelog: v1.0.2...v1.0.3

OSCAL 1.0.2 Release

The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.2. This patch release of OSCAL 1.0 provides bug fixes and documentation enhancements.

This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.

Looking forward, the NIST OSCAL team is excited to continue to work with the OSCAL community to enhance OSCAL through additional minor releases.

For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.

For documentation on the OSCAL models included in this release, please visit the v1.0.2 model reference.

What's Changed

The following changes were made in this patch release.

• #1035 Upgrade Saxon version used in CI/CD to 10.6 (#PR 1187) @david-waltermire-nist
• #1093 Parameterize insertion of xsi:schemaLocation attribute in the content upgrader XSLTs; this feature is disabled by default (#1162) @aj-stein-nist, @wendellpiez
  • Parameterized insertion of xsi:schemaLocation in RC2->1.0.0 content upgrader.
  • Created README for content upgraders, document schema-location param.
  • Added pointer from README.txt to content-upgrade docs, per @david-waltermire-nist's sync meeting review.
• #1121 Added embeded diagram of CI/CD workflow. (PR #1165) @aj-stein-nist
• #1130 Changed remarks fields from define-field to ref. (PR #1138) @guyzyl
• #1137 Replace define-assembly for include-all with assembly ref (PR #1144) @guyzyl, @david-waltermire-nist
• A bunch of updates to the Profile Resolution Specififcation to clarify and improve the specification. (PR #1172) @stephenbanghart, @aj-stein-nist
  • #1140 Significant improvements around resolution of internal references. Behavior is now defined for resolving resources with different combinations of "rlink" and "base64". As these /should/ all be equal to one another, there is no standardized order or priority given in the specification at this time.
  • #1141 Enhanced prose around Group handling, especially around expected behavior of the "keep always" prop.
  • #1142 Core issue obsoleted by general OSCAL requirements on valid OSCAL documents. Cleaned up prose in the formats section.
  • #1152 Added Metaschema entries for the new Mapping assembly and it's associated fields/flags. Verified the veracity of existing Profile documentation, making minor-moderate edits to bring documentation up to speed with the current specification.
  • #1155 Fixed incorrect notation in metadata section: props are now properly refereed to as such, rather than using the value of their "name" field.
• #1153 Added README explaining content validation concepts. (PR #1170) @aj-stein-nist, @wendellpiez, @david-waltermire-nist
• #1153 Added information about content well-formedness and validation to the website. (PR #1169) @aj-stein-nist, @wendellpiez, @david-waltermire-nist
• #1176 Removed stale NEW CONTENT, END NEW CONTENT, and NEW comment blocks from Metaschemas. (PR #1179) @guyzyl
• Multiple changes to the Profile Resolution Specification. (PR #1089) @stephenbanghart, @aj-stein-nist
  • Tagged Requirements (updated .rnc), Added Draft Status, several small fixes in modify section
  • Applying AJ's fixes, other various small fixes - pending larger automated formating
  • Intro purpose rewrite. Editorial fixes from comments. Small edits to "Processing" page on site.
• Added DRT Strategies Inc GRC tool to tools page (PR #1122) @vmangat
• Add Rules Presentation from January 21, 2022 Meeting (PR #1125) @aj-stein-nist
• Add tool oscal4neo4j to tools page (#1128) @Agh42, @bradh
• Remove extra > which shows in the built schemas (PRs #1133, #1147) @guyzyl
• Fix broken links to FedRAMP baselines (PR #1143) @rosskarchner
• Bumped nokogiri from 1.12.5 to 1.13.3 in /docs (PR #1154) @dependabot
• Updated core repo documentation (PR #1157) @david-waltermire-nist, @aj-stein-nist
  • Updated readmes with more current and relevant information.
  • Added CODEOWNERS to drive reviews.
  • Updated .github/PULL_REQUEST_TEMPLATE.md
• Removed duplicated risk status construct in the assessment commonm Metaschema (PR #1159) @david-waltermire-nist
• Updated Tools with Additional Open Source Projects (PR #1164) @rgauss
• Fixed broken links in README.md (PR #1181) @guyzyl
• Renamed .github/README.md file to ABOUT.md to fix the main index page in the GitHub repo (#1182) @guyzyl
• Added mailing list names to contact page.

The following compatibility breaking change was made:

• In all JSON schemas, the name "props" is used to signify the list of metadata properties. There was one case where the name prop is used instead of props. Fixes this obvious typo in the assessment results metaschema. (PR #1148) @guyzyl

New Contributors

• @vmangat made their first contribution in #1122
• @rgauss made their first contribution in #1164

Full Changelog: v1.0.1...v1.0.2

OSCAL 1.0.1 Release

The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.1. This first patch release of OSCAL 1.0 provides bug fixes and documentation enhancements.

This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.

Looking forward, the NIST OSCAL team is excited to continue to work with the OSCAL community to enhance OSCAL through additional minor releases.

For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.

For documentation on the OSCAL models included in this release, please visit the v1.0.1 model reference.

The following changes were made in this patch release.

• #635, #966 Cleaned up src/utils directory and added documentation (PR #970, #1014) @wendellpiez
• #956 Enhanced the schema production pipeline to ensure that high-order Unicode characters are properly escaped (PR usnistgov/ metaschema#165) @wendellpiez
• #958 Fixed an issue in the content upconverter used for updating OSCAL content from 1.0.0 RC2 to 1.0.0 (PR #960) @wendellpiez
• #983 Fix Dockerfile entrypoint using best practices for entrypoint. (PR #984) @ohsh60
• #986 Updated dependency versions for Saxon and AJV in the Docker config. Added dependencies for yargs. (PR #987) @ohsh60
• #1001 Fixed bad metapath. @david-waltermire-nist
• #1004 Refactored dockerfiles for the build and docs folders. Updated use documentation. Added missing dependency for calabash. (PR #1005) @david-waltermire-nist
• #1020 Updated documentation around using the content converters. (PR #1027, #1055) @wendellpiez
• #1025 Fixed SyntaxWarning for content validator oscal-content-validator.py (PR #1026) @bradh, @david-waltermire-nist
• #1037 Clarify data types docs for param insert (PR #1112)
• #1039, #1040, #1041, #1042, #1046 Updated the profile resolution specification (PR #1014, #1017) @stephenbanghart
• #1044 Added warnings for non-required UUID flags. @david-waltermire-nist
• #1053 Make @control-id for alter statements in profile required (PR #1111) @aj-stein-nist
• #1067 Fix enum typo from inteneral->internal (PR #1110) @aj-stein-nist
• #1102 Some Docker container improvements for local web development and testing for PRs (PR #1103) @aj-stein-nist
• #1107 Incorporating processing directives that support schematron validation of Metaschema-based models (#1108) @aj-stein-nist
• usnistgov/oscal-content/#59 Convert File Type for Files or Remote Hyperlinks in Continuous Deployment (PR #1010, 1070) @ohsh6o, @david-waltermire-nist
• Fixed broken branch configuration for the metaschema submodule (PR #991) @ohsh60
• Fixed OSCAL constraints in Metaschemas. Fixing Metapath syntax errors. (PR #1012, #1065) @david-waltermire-nist
• Repaired a bug report on a missed control; adding test files (PR #1013) @wendellpiez
• Removed duplicate json import in oscal-content-validator.py (PR #1077) @flickerfly
• Improvements to XSLT-based profile resolver (PR #1071) @wendellpiez
• Added requirements.txt for oscal-content-validator.py (PR #1077) @guyzyl
• Add support for yaml OSCAL files validation (PR #1091) @guyzyl, @aj-stein-nist
• Updated contributing and pull request documentation for External Developers (#1094) @aj-stein-nist
• Bump addressable from 2.7.0 to 2.8.0 in /docs (PR #994) @dependabot
• Bump nokogiri from 1.11.5 to 1.12.5 in /docs (PR #1029) @dependabot
• Bump lxml from 4.6.3 to 4.6.5 in /build/ci-cd/python (PR #1096) @dependabot

The following additional changes were made that affect the OSCAL website.

• #739 Fixed 404 error when using the "Improve this page" link. (PR #995) @kylelaker, @david-waltermire-nist
• #854 Added a Component Tutorial to Website (PR #935, #1015) @Rene2mt, @david-waltermire-nist
• #860 Updated model reference documentation to better clarify the scope and uniqueness of identifiers used within the OSCAL models. (PR #941) @Rene2mt, @david-waltermire-nist, @aj-stein-nist
• #947 Fixed a number of typos (PR #955) @david-waltermire-nist
• #968 Fixed broken and stale links in model documentation. (PR #973) @david-waltermire-nist
• #993 Updating tools page to use a table. Added Compliance Tressle. @iMichaela, @david-waltermire-nist
• #996 Added blogs to website. @david-waltermire-nist
• #1049 Added control freak to the OSCAL tools page (PR #1104) @aj-stein-nist
• Fixed prop syntax in validation component tutorial. (PR #999) @ohsh60
• Added link to EasyDynamics OSCAL tools (PR #1009) @afeld
• Adding link to XML Jelly Sandwich OSCAL demos (PR #1016) @wendellpiez
• Updated the Lunch with Devs meeting info and Tools page to include new meeting info (PR #1045) @iMichaela, @david-waltermire-nist

New Contributors

• @afeld made their first contribution in #1009
• @aj-stein-nist made their first contribution in #1094
• @flickerfly made their first contribution in #1077
• @guyzyl made their first contribution in #1082
• @kylelaker made their first contribution in #995

We deeply appreciate all the contributions made by these and other community members.

Full Changelog: v1.0.0...v1.0.1

OSCAL 1.0.0 Release Candidate 2

We are pleased to announce the publication of OSCAL 1.0.0 Release Candidate (RC) 2. This is the second full draft release of OSCAL 1.0.0 which is made available for public review and feedback before releasing the final OSCAL 1.0.0.

Please provide feedback by May 7, 2021 by emailing the NIST OSCAL team at oscal@nist.gov or by creating an issue on our GitHub repository.

The OSCAL 1.0.0 RC 2 includes:

• Updated stable versions of catalog and profile models which provide a structured representation of control catalogs and baselines or overlays.
• Updated stable version of the system security plan model which provides a structured representations of a system's control-based implementation.
• Updated stable version of the component definition model which provides a stand-alone structured representation of the controls that are supported in a given implementation of a hardware, software, service, policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
• Updated stable versions of the assessment plan, assessment results, plan of action and milestones (POA&M) models, which support the structured representation of information used for planning for and documenting the results of an information system assessment or continuous monitoring activity.
• Updated tools to convert between OSCAL XML and JSON formats, and to up convert content from previous releases to RC2.

Changes in this release are focused on the following major areas:

• Simplification of key OSCAL features
  • Properties and annotations have been merged into a single prop that now allows an optional remarks and uuid.
  • In the assessment plan and assessment results models, the concepts of a task and action have been combined.
  • Use of local-definitions in the assessment plan, assessment results, and POA&M models has been simplified and made more consistent.
• Model documentation improvements
  • Some usage descriptions were enhanced to provide more detail and to be more consistent overall.
  • Formal names were updated in some places where the names did not match the data element.
  • Many spelling errors were corrected.
• Removed the use of XML <any> and JSON additonalProperties for arbitrary extensions based on community discussion. Extended data can still be provided using link declarations to external content. This decision can be revisited in future revisions once there is more implementation experience with the OSCAL models.
• Added the following link relations: latest-version, predecessor-version, and successor-version to allow an OSCAL document to link to latest, previous, and next document revisions.
• Fixed a few bugs in the profile resolver code and updated the resolver to work with new profile import/insert structures.
• Provided support for data insertion points for data other than parameters in markup content.

To download this release, click on Assets below and download either the .zip or the *.tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.

These changes were made based on all the excellent feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.

OSCAL 1.0.0 Release

The NIST Open Security Controls Assessment Language (OSCAL) team is pleased to announce the release of OSCAL 1.0.0. This first official, major release of OSCAL provides a stable OSCAL 1.0.0 for wide-scale implementation. This release marks an important milestone for the OSCAL project and for the earlier adopters and implementers of security automation with OSCAL.

This release incorporates changes based on feedback from the OSCAL community. The NIST OSCAL team is very thankful for all of the great ideas and feedback we have received to date.

Looking forward, the NIST OSCAL team is excited to work with the OSCAL community to continue to enhance OSCAL through additional minor releases.

For additional information on the OSCAL project, please see the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” and the OSCAL website.

OSCAL 1.0.0 Release Candidate 1

We are pleased to announce the publication of OSCAL 1.0.0 Release Candidate 1 (RC1). This is a full draft release of OSCAL 1.0.0 which is made available for public review and feedback before releasing the final OSCAL 1.0.0.

The OSCAL 1.0.0 RC1 includes:

• Updated stable versions of catalog and profile models which provide a structured representation of control catalogs and baselines or overlays.
• Updated stable version of the system security plan model which provides a structured representations of a system's control-based implementation. This model has been enhanced to support documenting how controls from an existing authorized system can be leveraged in another information system, which supports common control provider and platform as a service (PaaS) use cases.
• Updated stable version of the component definition model which provides a structured representation of the controls that are supported in a given implementation of a hardware, software, service, policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
• Revised drafts of the assessment plan, assessment results, plan of action and milestones (POA&M) models, which support the structured representation of information used for planning and documenting the results of an information system assessment or continuous monitoring activity. These models have been enhanced to better support continuous assessment; to provide more traceability between the assessment schedule, specific assessment activities, collected data, and resulting findings and identified risks; and to improve the extensibility of these models.
• Updated tools to convert between OSCAL XML and JSON formats, and to up convert content from milestone 3 to RC1.

These changes were made based on all the excellent feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.

The NIST team is also maintaining OSCAL content that is updated to the latest OSCAL 1.0.0 RC1. The OSCAL content repository provides OSCAL examples, in addition to the final NIST SP 800-53 revision 5 catalog and the final security and privacy NIST SP 800-53B baselines. All this content is provided in XML, JSON and YAML formats, including the following:

• Updated content for the NIST SP 800-53 revision 4 catalogs, and for the three NIST baselines.
• Updated content in OSCAL XML, JSON and YAML formats of the FedRAMP SP 800-53 revision 4 baselines. Please note, these baselines are also available on GSA/fedramp-automation repository.

To download this release, click on Assets below and download either the .zip or the *.tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.

The OSCAL team is working to release OSCAL 1.0.0 FINAL. To this end, we appreciate any feedback you have on the updated RC1 models. Receiving your comments is instrumental for our team to make the OSCAL 1.0.0 FINAL release as robust as is feasible, and to address any gaps that might cause backwards compatibilities between future OSCAL minor releases (e.g., 1.1.0, 1.2.0) and OSCAL 1.0.0.

At our end, we will continue the development of OSCAL focusing our full attention on providing a more complete set of documentation for all the OSCAL layers and models, creating more examples, and providing a diverse set of tutorials.

NIST is also seeking tool developers, vendors, and service providers that would like to implement the OSCAL 1.0.0 models in commercial and open-source offerings. To provide feedback, to ask questions, or to let us know about an OSCAL implementation you are working on, please email the NIST OSCAL team at oscal@nist.gov. You can also post publicly to the OSCAL development list: oscal-dev@list.nist.gov or create an issue on our GitHub repository.

Please find instructions for joining the OSCAL development and update lists on our contacts page.

OSCAL 1.0.0 Milestone 3 Release

We are pleased to announce the release of OSCAL 1.0.0 Milestone 3. This is the third official milestone pre-release of OSCAL, and marks the last pre-release milestone for OSCAL v1. At this point we have drafts of all the models we intended to produce for OSCAL v1 and will now start working towards producing a full initial release of OSCAL v1, which will be v1.0.0.

This release contains:

• A new component definition model, which allows for the definition of a set of components that each provide a description of the controls supported by a specific implementation of a hardware, software, or service; or by a given policy, process, procedure, or compliance artifact (e.g., FIPS 140-2 validation).
• Creation of draft models for the assessment and assessment result layers. Drafts of the assessment plan, assessment results, and plan of action and milestones (POA&M) models were created. These drafts were slated for the OSCAL v2 release cycle and are being released early as drafts ahead of schedule.
• Updated stable versions of the OSCAL catalog, profile, and system security plan (SSP) models, along with associated XML and JSON schemas. These changes were made based on all of the feedback we received from the OSCAL community. The NIST OSCAL team is very thankful for all of the great feedback we have received.
• New OSCAL content in XML, JSON, and YAML formats for the draft NIST SP 800-53 revision 5 catalog.
• Updated content in OSCAL XML, JSON, and YAML formats for the NIST SP 800-53 revision 4 catalog, and for the three NIST and four FedRAMP baselines.
• Provides tools to convert OSCAL catalog, profile, and SSP content between OSCAL XML and JSON formats, and to up convert content from milestone 2 to milestone 3.

To download this release, click on "Assets" below and download either the .zip or the .tar.bz2 bundle. These bundles contain the resources described above. There are also release notes containing a summary of changes in this and previous releases.

The OSCAL team will continue the development of OSCAL focusing our full attention on providing a more complete set of documentation for all the OSCAL layers and models, creating more examples, and providing a diverse set of tutorials. We will continue to collect feedback from the community on the OSCAL models. We are also seeking tool developers, vendors, and service providers that would like to implement the OSCAL models in commercial and open source offerings. To provide feedback, to ask questions, or to let us know about an OSCAL implementation you are working on, please email the NIST OSCAL team at oscal@nist.gov. You can also post publicly to the OSCAL development list: oscal-dev@list.nist.gov.

There are instructions for joining the OSCAL development and update lists on our contacts page.

OSCAL 1.0.0-milestone2 Release

We are pleased to announce the release of OSCAL 1.0.0 Milestone 2. This is the second official release of OSCAL, and marks another important milestone for the OSCAL project.

This release contains:
• A new system security plan (SSP) model that allows organizations to document the security and privacy control implementation of their systems using a rich OSCAL model.
• Updated stable versions of the OSCAL catalog and profile models, along with associated XML and JSON schemas.
• Updated content in OSCAL XML, JSON, and YAML formats for the NIST SP 800-53 revision 4 catalog, and for the three NIST and four FedRAMP baselines.
• Provides tools to convert OSCAL catalog, profile, and SSP content between OSCAL XML and JSON formats.

To download this release, click on "Assets" below and download either the .zip or the .tar.bz2 bundle. These bundles contain the resources described above. There is also release notes containing a summary of changes in this release.

The OSCAL team will continue the development of OSCAL focusing our full attention on finalizing the Component model as part of the implementation layer. The OSCAL Component model will allow organizations producing hardware, software, services, policies, processes, and proceedures to document information on the controls implemented in these offerings. Organizations can import component definitions into an OSCAL SSP, saving time and improving the richness of the documented system implementation. Stable versions of this work will be featured in our next release, OSCAL 1.0.0 Milestone 3.

We are seeking feedback from the community on the current OSCAL Catalog, Profile, and SSP models. We are also seeking tool developers and vendors that would like to implement these models in commercial and open source offerings. To further validate the implementation layer's functionality and flexibility, NIST is seeking software and service providers that are willing to work with us to represent control implementation information about their products. To provide feedback or to ask questions, please email the NIST OSCAL team at oscal@nist.gov. You can also post publicly to the OSCAL development list: oscal-dev@nist.gov.

There are instructions for joining the OSCAL development and update lists on our contributing page.

OSCAL 1.0.0-milestone1 Release

We are pleased to announce the release of OSCAL 1.0.0 Milestone 1. As the first official release of OSCAL, this release marks an important milestone for the OSCAL project.

The release contains:

• Stable versions of the OSCAL catalog and profile models in XML and JSON formats, along with associated XML and JSON schemas.
• Includes draft versions of the NIST SP 800-53 revision 4 OSCAL content and FedRAMP baselines in OSCAL XML, JSON, and YAML formats.
• Provides content converters that are capable of accurately converting between OSCAL catalog and profile content in OSCAL XML to OSCAL JSON format and vice versa.

To download this release, click on "Assets" below and download either the .zip or the .tar.bz2 bundle. These bundles contain the resources described above.