
A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards.

License: Creative Commons Zero v1.0 Universal (CC0-1.0)

Awesome OSCAL


A collection of awesome community resources, maybe not quite production ready, for increasing the adoption of the Open Security Controls Assessment Language, OSCAL.

Before contributing, please review the Contribution Guidelines.

Content

Tools

  • Alex Koderman's oscal4neo4j: a collection of scripts in Neo4j's Cypher query language to load OSCAL catalog data in JSON format into its graph database, potentially for use with the Red Team Project's Security Control Knowledge Graph.

  • Brian Ruf's OSCAL-GUI: an example PHP web interface developed by @brian-ruf of former FedRAMP fame. It has core presentation logic, file import, format conversion, and working profile resolution.

  • CivicActions's compliance-io: a library for composable functions for conversion from OpenControl to OSCAL.

  • CivicActions's ssp-toolkit: a suite of command line utilities in Python to mediate the creation of system security plans in NIST RMF 800-53 Revision 4 in OpenControl format. It can now export SSPs to OSCAL.

  • Control Plane's collie: a project demonstrating how infrastructure provisioned by cloud infrastructure controllers can be simultaneously secured and validated for compliance with Kyverno policies and OSCAL documents, leveraging Lula for validation.

  • Credentive Security's oscal-pydantic: a set of pydantic models generated from the OSCAL JSON schema, useful for implementing OSCAL in Python. See also this PyPI page. Just "pip install oscal-pydantic".

  • Defense Unicorn's bigbang-oscal-component-generator: a CLI utility and Golang libraries to merge together individual OSCAL YAML components into a unified OSCAL YAML component definition, focused primarily on the specific needs of Platform One's Big Bang.

  • Defense Unicorn's Lula: a Command Line Interface tool that will consume OSCAL component-definition files to configure and drive execution of automated control validation for Kubernetes utilizing the Kyverno policy management system.

  • Defense Unicorn's go-oscal: a Golang library to generate OSCAL data types.

  • DRTConfidence: GRC Platform supporting all OSCAL artifacts (catalog, profile, ssp, sap, sar, poa&m) with FedRAMP extensions and validations implemented out of the box. Available in a FedRAMP JAB High authorized Government Cloud Center.

  • EasyDynamics oscal.io: a community site, like OSCAL Club, with a list of tools from or for the community.

  • EasyDynamics OSCAL REST API Draft Standard: an emerging standard for REST APIs to encourage all tool vendors to make a conformant API surface, reducing future churn in supporting heterogeneous APIs for OSCAL-friendly tools and services.

  • EasyDynamics OSCAL React Library: a fully featured React component library for rendering all the OSCAL object models in JSON format with a developer-friendly API and a clean (but customizable) React-based UI.

  • EasyDynamics OSCAL REST API Service: an initial Java-based implementation of some of the OSCAL REST API listed above. It persists data as files in local directories.

  • EasyDynamics OSCAL Editor Deployment: an integrated application, with the REST API service and React-based frontend (mentioned above), packaged as a simple Docker deployment of both open-source projects. It allows both viewing, and for some OSCAL document types and scenarios, editing file content and saving it to a properly configured Docker volume.

  • GSA's OSCAL Tools: a collection of open-source tools provided by GSA teams to interoperate between OSCAL data (with required FedRAMP Extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.

  • GoComply's FedRAMP Utility: a tool that uses oscalkit (see below) to stamp in OSCAL data to the FedRAMP Word (DOCX) system security plan templates.

  • GoComply's oscalkit: a Golang-based software development kit and command-line utility for operating on OSCAL data models.

  • GovReady's GovReady-Q: an open source, web-based self-service GRC tool to automate security assessments and compliance from @gregelin and the GovReady crew. It focuses on import and export of OSCAL data models.

  • Hidayatullah Ahsan's ValidateOscalDocuments: a C# library and console application to validate OSCAL XML documents.

  • IBM Compliance Trestle: an opinionated command-line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.

  • IBM's Compliance to Policy Tool: a framework to bridge the gap between compliance and policy administration with Kubernetes automation and OSCAL catalogs, profiles, and component definitions.

  • John Jediny's OSCAL Static Site Playground: a static web application, using Gatsby and the US Web Design System, with hosting on the Federalist platform, to host a modern responsive application with OSCAL data models in JSON format dropped in place.

  • Metanorma's coradoc-oscal: a Ruby utility script to convert Metanorma Coradoc into data in the OSCAL Catalog document instances in YAML format.

  • Metanorma's oscal-ruby: a Ruby gem for processing OSCAL data in YAML format.

  • MITRE's InSpec OSCAL Plugin: an InSpec plugin developed by MITRE and open-source contributors to prototype the use of InSpec profiles with variables and configuration data embedded, in OSCAL components, SSPs, and other document instances.

  • mocolicious OSCAL-Examples: a collection of different front-end web applications leveraging OSCAL, mainly to show off different development workflows and environments. Current development status or community use is unclear.

  • Nikita Wootten's Nix package for oscal-cli: a declarative NixOS Linux package specification for repeatably building NIST's oscal-cli utility.

  • Nikita Wootten's Nix package for oscal-deep-diff: a declarative NixOS Linux package specification for repeatably building NIST's oscal-deep-diff utility.

  • NREL Cyber's oscal: a library of types and utility functions for using the OSCAL JSON object models conveniently in TypeScript applications.

  • NREL Cyber's oscal-atoms: a library for Atomic components for interacting with oscal-cache (see below).

  • NREL Cyber's oscal-cache: a library with a collection of stores, commands, and queries for an OSCAL application cache.

  • OMB'S OPAL: OSCAL Policy Administration Library (OPAL) provides a simple web application from the US government's Office of Management and Budget for managing system security plans, using the OSCAL standard to inform its data models.

  • OSCAL Club's asdf-oscal-cli: a plugin for the asdf extensible version manager so OSCAL adopters can install and switch between multiple versions of NIST's oscal-cli repeatedly and reliably.

  • OSCAL Club's oscal-cli-action: a reusable action for developers to repeatedly and reliably use NIST's oscal-cli for continuous integration or continuous deployment tasks on the GitHub Actions service.

  • Project SledgeHammer: a project by Robert Ficcaglia and members of the Kubernetes Policy Working Group with an example of using OSCAL and SBOMs (SPDX at this time) as generated with Open Policy Agent (OPA) policies for Kubernetes clusters.

  • Ramper: a FedRAMP lifecycle automation web application emphasizing Continuous Monitoring. It is a single source of truth for all Plan of Action and Milestones (POA&M) items. It is equipped with real-time analytics, and produces monthly FedRAMP POA&M Excel and OSCAL POA&M files for the FedRAMP PMO or a CSP's approving agency.

  • RedHat's OpenControl Database: a web application that demonstrates RedHat technologies' conformance to different compliance standards (e.g. NIST 800-53 Revision 5) and configuration baselines (e.g. DISA STIG for RedHat Enterprise Linux 7), supporting the export of various artifacts in OSCAL format with GoComply's library.

  • RedHat's oscal-automation-libs: a common repository to share code for Makefiles, helper scripts, and IaC to support repositories with OSCAL content.

  • RedHat's Trestle-Bot: a set of GitHub Actions for working with IBM's Compliance Trestle in a CI/CD pipeline.

  • RegScale: RegScale Community Edition is a free-to-use, real-time Governance, Risk and Compliance (GRC) platform that deploys in any environment, integrating with security and compliance tools via API to keep compliance documentation continuously up to date. GRC staff can work in the UI, engineers can write to the API, and OSCAL v1.0 content is automatically generated on demand.

  • Risk Redux's Control Freak: a delightful Ruby on Rails application using the NIST 800-53 control catalogs in OSCAL JSON format to make the controls easily searchable.

  • Roscal: a Rust-based project aiming to build a collection of tools and libraries for OSCAL model building, manipulation, and visualisation; conversion and normalisation between various existing security standard formats and schemas; and automation and integration for continuous documentation updates and security posture monitoring in various environments, with the long-term goal of automatic security and control enforcement based on OSCAL models in a Docs-as-Code style.

  • SHR Group's iac2oscal: a collection of Infrastructure-as-Code examples (primarily Ansible and Terraform) and how to link them to OSCAL component models for more tightly integrated Infrastructure-as-Code and Documentation-as-Code.

  • SHR Group's oscal-cli container: a GitHub repo with supporting GitHub Actions workflow that checks for new releases of the NIST OSCAL Team's Java-based oscal-cli tool and bundles the released application into an OCI container for each new release based on tags.

  • SHR Group's pyOSCAL: a Python library to convert OSCAL content into Python objects, developed by the clever @mruge. pyOSCAL-Builder automatically generates pyOSCAL dynamically from the latest NIST OSCAL Metaschema.

  • SHR Group's OSCAL Diagram Examples: a collection of documentation and diagrams for advanced OSCAL use cases, primarily showing how to interrelate data inside OSCAL component definitions.

  • Wendell Piez's OSCAL Profile Import Examiner: XMLJellySandwich: a web-based, in-browser XSLT transform system leveraging SaxonJS. @wendellpiez has focused one demo on validating an OSCAL profile in XML form by validating upstream catalog references.

Articles and Blog Posts

Presentations and Talks

Other Resources