
A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards.

License: Creative Commons Zero v1.0 Universal (CC0-1.0)

Awesome OSCAL


A collection of awesome community resources, maybe not quite production ready, for increasing the adoption of the Open Security Controls Assessment Language, OSCAL.

Before contributing, please review the Contribution Guidelines.

Tools

  • Brian Ruf's OSCAL-GUI: An example PHP web interface developed by @brian-ruf of former FedRAMP fame. It has core presentation logic, file import, format conversion, and working profile resolution.

  • CivicActions's compliance-io library for composable functions for conversion from OpenControl to OSCAL.

  • CivicActions's ssp-toolkit is a suite of command line utilities in Python to mediate the creation of system security plans in NIST RMF 800-53 Revision 4 in OpenControl format. It can now export SSPs to OSCAL.

  • EasyDynamics OSCAL REST API Draft Standard: an emerging standard for REST APIs to encourage all tool vendors to make a conformant API surface, reducing future churn in supporting heterogeneous APIs for OSCAL-friendly tools and services.

  • EasyDynamics OSCAL React Library: a fully featured React component library for rendering all the OSCAL object models in JSON format with a developer-friendly API and a clean (but customizable) React-based UI.

  • GSA's OSCAL Tools: A collection of open-source tools provided by GSA teams to interoperate between OSCAL data (with required FedRAMP Extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.

  • GoComply's FedRAMP Utility: a tool that uses oscalkit (see below) to stamp in OSCAL data to the FedRAMP Word (DOCX) system security plan templates.

  • GoComply's oscalkit: a Golang-based software development kit and command-line utility for operating on OSCAL data models.

  • GovReady's GovReady-Q: An open source, web-based self-service GRC tool to automate security assessments and compliance from @gregelin and the GovReady crew. It focuses on import and export of OSCAL data models.

  • IBM Compliance Trestle: An opinionated command-line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.

  • John Jediny's OSCAL Static Site Playground: a static web application, using Gatsby and the US Web Design System, with hosting on the Federalist platform, to host a modern responsive application with OSCAL data models in JSON format dropped in place.

  • MITRE's InSpec OSCAL Plugin: an InSpec plugin developed by MITRE and open-source contributors to prototype the use of InSpec profiles, with variables and configuration data embedded, in OSCAL components, SSPs, and other document instances.

  • mocolicious OSCAL-Examples: A collection of different front-end web applications leveraging OSCAL, mainly to show off different development workflows and environments. Current development status or community use is unclear.

  • OMB's OPAL: OSCAL Policy Administration Library (OPAL) provides a simple web application from the US government's Office of Management and Budget for managing system security plans, using the OSCAL standard to inform its data models.

  • NREL Cyber's oscal: a library of types and utility functions for using the OSCAL JSON object models conveniently in TypeScript applications.

  • NREL Cyber's oscal-atoms: a library for Atomic components for interacting with oscal-cache (see below).

  • NREL Cyber's oscal-cache: a library with a collection of stores, commands and queries for an OSCAL application cache.

  • Risk Redux's Control Freak: a delightful Ruby on Rails application using the NIST 800-53 control catalogs in OSCAL JSON format to make the controls easily searchable.

  • SHR Group's iac2oscal: A collection of Infrastructure-as-Code examples (primarily Ansible and Terraform) and how to link them to OSCAL component models for more tightly integrated Infrastructure-as-Code and Documentation-as-Code.

  • SHR Group's pyOSCAL: a Python library to convert OSCAL content into Python objects, developed by the clever @mruge. pyOSCAL-Builder automatically generates pyOSCAL dynamically from the latest NIST OSCAL Metaschema.

  • SHR Group's OSCAL Diagram Examples: a collection of documentation and diagrams for advanced OSCAL use cases, primarily showing how to interrelate data inside OSCAL component definitions.

  • Wendell Piez's OSCAL Profile Import Examiner: XMLJellySandwich is a web-based, in-browser XSLT transform system leveraging SaxonJS. @wendellpiez has focused one demo on validating an OSCAL profile in XML form by validating upstream catalog references.

Blog Posts

Other Resources