A collection of awesome community resources, maybe not quite production ready, for increasing the adoption of the Open Security Controls Assessment Language, OSCAL.
Before contributing, please review the Contribution Guidelines.
- Brian Ruf's OSCAL-GUI: An example PHP web interface developed by @brian-ruf of former FedRAMP fame. It has core presentation logic, file import, format conversion, and working profile resolution.
- CivicActions's compliance-io library for composable functions for conversion from OpenControl to OSCAL.
- CivicActions's ssp-toolkit is a suite of command line utilities in Python to mediate the creation of system security plans in NIST RMF 800-53 Revision 4 in OpenControl format. It can now export SSPs to OSCAL.
- EasyDynamics OSCAL REST API Draft Standard: an emerging standard for REST APIs to encourage all tool vendors to make a conformant API surface to reduce future churn in supporting heterogeneous APIs for OSCAL-friendly tools and services.
- EasyDynamics OSCAL React Library: a fully featured React component library for rendering all the OSCAL object models in JSON format with a developer-friendly API and a clean (but customizable) React-based UI.
- GSA's OSCAL Tools: A collection of open-source tools provided by GSA teams to interoperate between OSCAL data (with required FedRAMP Extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.
- GoComply's FedRAMP Utility: a tool that uses oscalkit (see below) to stamp OSCAL data into the FedRAMP Word (DOCX) system security plan templates.
- GoComply's oscalkit: a Golang-based software development kit and command-line utility for operating on OSCAL data models.
- GovReady's GovReady-Q: An open source, web-based self-service GRC tool to automate security assessments and compliance from @gregelin and the GovReady crew. It focuses on import and export of OSCAL data models.
- IBM Compliance Trestle: An opinionated command-line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
- John Jediny's OSCAL Static Site Playground: a static web application, using Gatsby and the US Web Design System, with hosting on the Federalist platform, to host a modern responsive application with OSCAL data models in JSON format dropped in place.
- MITRE's InSpec OSCAL Plugin: an InSpec plugin developed by MITRE and open-source contributors to prototype the use of InSpec profiles with variables and configuration data embedded in OSCAL components, SSPs, and other document instances.
- mocolicious OSCAL-Examples: A collection of different front-end web applications leveraging OSCAL, mainly to show off different development workflows and environments. Current development status or community use is unclear.
- OMB's OPAL: OSCAL Policy Administration Library (OPAL) provides a simple web application from the US government's Office of Management and Budget for managing system security plans, using the OSCAL standard to inform its data models.
- NREL Cyber's oscal: a library of types and utility functions for using the OSCAL JSON object models conveniently with TypeScript applications.
- NREL Cyber's oscal-atoms: a library of atomic components for interacting with oscal-cache (see below).
- NREL Cyber's oscal-cache: A library with a collection of stores, commands and queries for an OSCAL application cache.
- Risk Redux's Control Freak: a delightful Ruby on Rails application using the NIST 800-53 control catalogs in OSCAL JSON format to make the controls easily searchable.
- SHR Group's iac2oscal: A collection of Infrastructure-as-Code examples (primarily Ansible and Terraform) and how to link them to OSCAL component models for more tightly integrated Infrastructure-as-Code and Documentation-as-Code.
- SHR Group's pyOSCAL: Python library to convert OSCAL content into Python objects, developed by the clever @mruge. pyOSCAL-Builder automatically generates pyOSCAL dynamically from the latest NIST OSCAL Metaschema.
- SHR Group's OSCAL Diagram Examples: a collection of documentation and diagrams for advanced OSCAL use cases, primarily showing how to interrelate data inside OSCAL component definitions.
- Wendell Piez's OSCAL Profile Import Examiner: XMLJellySandwich is a web-based, in-browser XSLT transform system leveraging SaxonJS. @wendellpiez has focused one demo on validating an OSCAL profile in XML form by validating upstream catalog references.
- EasyDynamics "Innovating Security Compliance Through Open Standards"
- Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to OSCAL"
- Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to oscalkit"
- Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to Metaschema"
- Brad Hards' ISM OSCAL Catalog: a community developer's collection of the Australian Government's Information Security Manual security controls in the form of an OSCAL catalog and profiles (including the Essential Eight).
- oscal-diagrams: Automatically generated diagrams for visualizing the OSCAL data models.