The National Institute of Standards and Technology (NIST) has developed the Open Security Controls Assessment Language (OSCAL) to provide security-control-related information in a machine-readable format. This new standard allows for a data-centric approach to compliance that is integrated, extensible, and automated. At C2 Labs, we are trusted DevSecOps experts who help our clients automate everything. As automation experts, we were excited by NIST's vision for security compliance automation and wanted to be an early adopter of the OSCAL standard. We are proud to say our initial mission was accomplished: we have successfully loaded the following catalogs and baselines based on artifacts from the OSCAL repository on GitHub:
- NIST 800-53 Revision 5, full Catalog of Controls
- High Baseline (Final Published Draft)
- Moderate Baseline (Final Published Draft)
- Low Baseline (Final Published Draft)
- Privacy Baseline (Final Published Draft)
This integration allows our Atlasity customers to easily create new Information System Security Plans (ISSPs) based on 800-53 Rev. 5 using our automated and free compliance platform. Best of all, there was no copying and pasting or manual data entry, just pure machine-to-machine translation between the OSCAL JSON files and the Atlasity APIs.
In addition to adding support to our Atlasity tool, we also wanted to give back to the community. To that end, we have published the Atlasify Open Source repository, which provides example Python code to get you started with parsing OSCAL. We also published derived artifacts: flattened JSON files that contain normalized control information, aligned to the published NIST baselines. If you are a beginner and the NIST OSCAL seems a bit intimidating, the flattened JSON files should give you a more approachable data set to parse and integrate.
While we are excited about this initial Proof of Concept (POC) integration, we know that it is just the beginning of the Atlasity and OSCAL journey. NIST continues to innovate on the OSCAL standard, and we plan to continue our integration with future Security Assessment Plans (SAPs), Security Assessment Reports (SARs), and other OSCAL models as they are finalized.
Contact us today to learn more about how C2 Labs can help you meet your NIST 800-53 Rev. 5 requirements leveraging the new OSCAL standard. If you are ready to start automating your compliance processes for creating and managing your ISSPs, schedule a free demo today to discover how you can join our Atlasity Open BETA program to free your organization from bureaucracy by simplifying compliance.