OSCAL.io

Introduction to OSCAL.io

OSCAL.io is a community hub for the Open Security Controls Assessment Language (OSCAL), originally developed by the National Institute of Standards and Technology (NIST). It provides shared resources, tooling, and community support for organizations adopting OSCAL to automate risk management and compliance across frameworks such as FedRAMP, SOC 2, ISO 27001, StateRAMP, CMMC, HIPAA, and PCI.

Purpose of the Site

OSCAL.io exists to accelerate OSCAL adoption by serving three core goals:

  • Community Hub: Provide a central place for OSCAL adopters and tool builders to find resources, discover events, and connect with one another.
  • Automate Discovery: Offer an API and registry so that tools can programmatically query for OSCAL content such as catalogs, profiles, and component definitions.
  • Promote Adoption: Lower the barrier to entry for new OSCAL adopters by providing documentation, tooling, and reference content.

The site hosts a directory of OSCAL-compatible tools, a calendar of community events, and links to key OSCAL resources including the API specification.

Content Registry

The OSCAL Content Registry is a centralized platform for storing, managing, and sharing OSCAL models. It allows organizations to publish and discover OSCAL catalogs, baselines (profiles), component definitions, and other OSCAL artifacts in a single, searchable location.

The registry enables tool interoperability by giving OSCAL-enabled applications a common source of content. Rather than each tool maintaining its own set of OSCAL data, the registry provides a shared repository that any compliant tool can query, either through the web interface or programmatically via the OSCAL REST API.

OSCAL Viewer

The OSCAL Viewer is an open-source React application for viewing OSCAL documents in a human-readable format. Built on the OSCAL React Library, it supports all OSCAL model types:

  • Catalogs: Browse security control definitions and their associated parameters and guidance.
  • Profiles: View baselines that select and tailor controls from one or more catalogs.
  • Component Definitions: Review reusable descriptions of how a component satisfies security controls.
  • System Security Plans (SSPs): Inspect how controls are implemented within a specific system.
  • Assessment Plans: Examine the objectives and methods for assessing control implementations.
  • Assessment Results: Review findings and observations from completed assessments.
  • Plans of Action and Milestones (POA&Ms): Track identified risks and remediation activities.
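
Each of the model types listed above is serialized in OSCAL JSON under a distinct root key, which is what a viewer or registry uses to decide how to render a document. The following Python is an added example, not code from OSCAL.io or the Viewer project: it identifies a document's model type from that root key and enumerates the control ids a catalog defines or a profile selects, so a profile can be checked against the catalog it tailors. The sample catalog and profile are constructed here, and the nested group/control layout follows the OSCAL JSON schema.

```python
# Root object key -> model name, as defined by the OSCAL JSON schemas.
OSCAL_MODEL_KEYS = {
    "catalog": "Catalog",
    "profile": "Profile",
    "component-definition": "Component Definition",
    "system-security-plan": "System Security Plan",
    "assessment-plan": "Assessment Plan",
    "assessment-results": "Assessment Results",
    "plan-of-action-and-milestones": "Plan of Action and Milestones",
}

def model_type(doc: dict) -> str:
    """Return the model name; a valid OSCAL document has exactly one of the root keys."""
    roots = [key for key in doc if key in OSCAL_MODEL_KEYS]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one OSCAL root key, found {roots}")
    return OSCAL_MODEL_KEYS[roots[0]]

def _controls(controls: list) -> list:
    """Collect ids from a control list; enhancements nest under a control's 'controls'."""
    ids = []
    for ctl in controls:
        ids.append(ctl["id"])
        ids.extend(_controls(ctl.get("controls", [])))
    return ids

def _groups(groups: list) -> list:
    """Collect ids from a group list; groups nest both sub-groups and controls."""
    ids = []
    for grp in groups:
        ids.extend(_groups(grp.get("groups", [])))
        ids.extend(_controls(grp.get("controls", [])))
    return ids

def control_ids(doc: dict) -> list:
    """Catalog: every defined control id. Profile: the ids its imports select by id."""
    kind = model_type(doc)
    if kind == "Catalog":
        cat = doc["catalog"]
        return _groups(cat.get("groups", [])) + _controls(cat.get("controls", []))
    if kind == "Profile":
        return [cid for imp in doc["profile"].get("imports", [])
                for sel in imp.get("include-controls", []) for cid in sel.get("with-ids", [])]
    raise ValueError(f"{kind} documents do not enumerate controls directly")

# Constructed sample input (not real NIST content): a two-group catalog with one enhancement, and a profile tailoring it to two controls.
SAMPLE_CATALOG = {"catalog": {"groups": [
    {"id": "ac", "controls": [{"id": "ac-1"}, {"id": "ac-2", "controls": [{"id": "ac-2.1"}]}]},
    {"id": "au", "controls": [{"id": "au-1"}]}]}}
SAMPLE_PROFILE = {"profile": {"imports": [{"include-controls": [{"with-ids": ["ac-2", "ac-2.1"]}]}]}}
```

A profile whose selected ids are not all present in its source catalog points at a stale or mismatched import, which is the kind of inconsistency a registry can flag before a tool consumes the content.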

The Viewer is licensed under the MIT license and its source is available on GitHub.