Skip to content

@oscalbuilder oscalbuilder released this Oct 1, 2019 · 64 commits to master since this release

We are pleased to announce the release of OSCAL 1.0.0 Milestone 2. This is the second official release of OSCAL, and marks another important milestone for the OSCAL project.

This release contains:
• A new system security plan (SSP) model that allows organizations to document the security and privacy control implementation of their systems using a rich OSCAL model.
• Updated stable versions of the OSCAL catalog and profile models, along with associated XML and JSON schemas.
• Updated content in OSCAL XML, JSON, and YAML formats for the NIST SP 800-53 revision 4 catalog, and for the three NIST and four FedRAMP baselines.
• Provides tools to convert OSCAL catalog, profile, and SSP content between OSCAL XML and JSON formats.

To download this release, click on "Assets" below and download either the .zip or the .tar.bz2 bundle. These bundles contain the resources described above. There is also release notes containing a summary of changes in this release.

The OSCAL team will continue the development of OSCAL focusing our full attention on finalizing the Component model as part of the implementation layer. The OSCAL Component model will allow organizations producing hardware, software, services, policies, processes, and proceedures to document information on the controls implemented in these offerings. Organizations can import component definitions into an OSCAL SSP, saving time and improving the richness of the documented system implementation. Stable versions of this work will be featured in our next release, OSCAL 1.0.0 Milestone 3.

We are seeking feedback from the community on the current OSCAL Catalog, Profile, and SSP models. We are also seeking tool developers and vendors that would like to implement these models in commercial and open source offerings. To further validate the implementation layer's functionality and flexibility, NIST is seeking software and service providers that are willing to work with us to represent control implementation information about their products. To provide feedback or to ask questions, please email the NIST OSCAL team at You can also post publicly to the OSCAL development list:

There are instructions for joining the OSCAL development and update lists on our contributing page.

Assets 4
You can’t perform that action at this time.