
A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards.

License: Creative Commons Zero v1.0 Universal (CC0-1.0)

Awesome OSCAL


A collection of awesome community resources, not all of them production ready, for increasing the adoption of the Open Security Controls Assessment Language (OSCAL).

Before contributing, please review the Contribution Guidelines.

Tools

  • Alex Koderman's oscal4neo4j: a collection of scripts in Neo4j's Cypher query language to load OSCAL catalog data in JSON format into its graph database, potentially for use with the Red Team Project's Security Control Knowledge Graph.

  • Brian Ruf's OSCAL-GUI: an example PHP web interface developed by @brian-ruf of former FedRAMP fame. It has core presentation logic, file import, format conversion, and working profile resolution.

  • CivicActions's compliance-io library for composable functions for conversion from OpenControl to OSCAL.

  • CivicActions's ssp-toolkit: a suite of command-line utilities in Python to mediate the creation of system security plans for NIST RMF 800-53 Revision 4 in OpenControl format. It can now export SSPs to OSCAL.

  • Defense Unicorn's bigbang-oscal-component-generator: a CLI utility and Golang libraries to merge together individual OSCAL YAML components into a unified OSCAL YAML component definition, focused primarily on the specific needs of Platform One's Big Bang.

  • EasyDynamics OSCAL REST API Draft Standard: an emerging standard for REST APIs that encourages all tool vendors to expose a conformant API surface, reducing future churn in supporting heterogeneous APIs across OSCAL-friendly tools and services.

  • EasyDynamics OSCAL React Library: a fully featured React component library for rendering all the OSCAL object models in JSON format with a developer-friendly API and a clean (but customizable) React-based UI.

  • EasyDynamics OSCAL REST API Service: an initial Java-based implementation of part of the OSCAL REST API listed above. It persists data as files in local directories.

  • EasyDynamics OSCAL Editor Deployment: an integrated application combining the REST API service and the React-based frontend (both mentioned above), packaged as a simple Docker deployment of the two open-source projects. It allows viewing and, for some OSCAL document types and scenarios, editing file content and saving it to a properly configured Docker volume.

  • GSA's OSCAL Tools: a collection of open-source tools provided by GSA teams to interoperate between OSCAL data (with required FedRAMP Extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.

  • GoComply's FedRAMP Utility: a tool that uses oscalkit (see below) to stamp in OSCAL data to the FedRAMP Word (DOCX) system security plan templates.

  • GoComply's oscalkit: a Golang-based software development kit and command-line utility for operating on OSCAL data models.

  • GovReady's GovReady-Q: an open source, web-based self-service GRC tool to automate security assessments and compliance from @gregelin and the GovReady crew. It focuses on import and export of OSCAL data models.

  • IBM Compliance Trestle: an opinionated command-line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.

  • John Jediny's OSCAL Static Site Playground: a static web application, using Gatsby and the US Web Design System, with hosting on the Federalist platform, to host a modern responsive application with OSCAL data models in JSON format dropped in place.

  • MITRE's InSpec OSCAL Plugin: an InSpec plugin developed by MITRE and open-source contributors to prototype the use of InSpec profiles with variables and configuration data embedded, in OSCAL components, SSPs, and other document instances.

  • mocolicious OSCAL-Examples: a collection of different front-end web applications leveraging OSCAL, mainly to show off different development workflows and environments. Current development status or community use is unclear.

  • OMB's OPAL: the OSCAL Policy Administration Library (OPAL) is a simple web application from the US government's Office of Management and Budget for managing system security plans, using the OSCAL standard to inform its data models.

  • NREL Cyber's oscal: a library of types and utility functions for using the OSCAL JSON object models conveniently in TypeScript applications.

  • NREL Cyber's oscal-atoms: a library for Atomic components for interacting with oscal-cache (see below).

  • NREL Cyber's oscal-cache: a library with a collection of stores, commands, and queries for an OSCAL application cache.

  • RedHat's OpenControl Database: a web application that demonstrates RedHat technologies' conformance to different compliance standards (e.g. NIST 800-53 Revision 5) and configuration baselines (e.g. DISA STIG for RedHat Enterprise Linux 7), supporting the export of various artifacts in OSCAL format with GoComply's library.

  • Risk Redux's Control Freak: a delightful Ruby on Rails application using the NIST 800-53 control catalogs in OSCAL JSON format to make the controls easily searchable.

  • SHR Group's iac2oscal: a collection of Infrastructure-as-Code examples (primarily Ansible and Terraform) and how to link them to OSCAL component models for more tightly integrated Infrastructure-as-Code and Documentation-as-Code.

  • SHR Group's pyOSCAL: a Python library to convert OSCAL content into Python objects, developed by the clever @mruge. pyOSCAL-Builder automatically generates pyOSCAL from the latest NIST OSCAL Metaschema.

  • SHR Group's OSCAL Diagram Examples: a collection of documentation and diagrams for advanced OSCAL use cases, primarily showing how to interrelate data inside OSCAL component definitions.

  • Wendell Piez's OSCAL Profile Import Examiner (XMLJellySandwich): a web-based, in-browser XSLT transform system leveraging SaxonJS. @wendellpiez has focused one demo on validating an OSCAL profile in XML form by checking its upstream catalog references.

Blog Posts

Other Resources