Suitability for OSCAL as part of CFI Policy
Opened this issue · 1 comments
NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of hierarchical, XML-, JSON-, and YAML-based formats that provide a standardized representations of information pertaining to the publication, implementation, and assessment of security controls. OSCAL is being developed through a collaborative approach with the public. Public contributions to this project are welcome.
With this effort, we are stressing the agile development of a set of minimal formats that are both generic enough to capture the breadth of data in scope (controls specifications), while also capable of ad-hoc tuning and extension to support peculiarities of both (industry or sector) standard and new control types.
The OSCAL website provides an overview of the OSCAL project, including an XML and JSON schema reference, examples, and other resources.
The GitHub repo https://github.com/usnistgov/OSCAL
FOR FINOS/CFI: the NIST’s Cybersecurity Insights blog: “The Foundation for Interoperable and Portable Security Automation is Revealed in NIST’s OSCAL Project” lays out the concepts of security and compliance automation. Should they be considered for FINOS?
As discussed in the CFI Policy meeting OSCAL would support automation of FFIEC/NIST CSF controls supported by PCI DSS, CIS, and CSA.