Security Control Assessment at Machine Speed (NIST’s OSCAL)
We’ve all been there: a production deployment delayed, a mad scramble to put together a story, and missing documentation for an auditor. Such issues are made worse by ever-increasing regulation and the ubiquity of IT in all aspects of business life.
As the sheer volume of systems and security requirements continues to explode, managing it all can feel overwhelming. One might feel tempted to delay, avoid looking under all the security risk rocks, and hope for the best.
As shown by the recent SolarWinds hack, understanding risk within your own domain is critical but not sufficient. One must also understand transitive risk, especially in the supply chain. Preferably (and increasingly by mandate), cyber risk should be continuously collected, quantified, and remediated in one virtuous continuous-compliance cycle.
To help facilitate this continuous compliance, NIST has introduced the Open Security Controls Assessment Language (OSCAL). Its purpose is to provide a machine-readable representation of control catalogs, baselines, system security plans, assessment plans, and assessment results.
Standardization around the OSCAL model will enable risk management at machine speed and vastly reduce the time and resources needed to complete Authority to Operate (ATO) or compliance certification processes. This comprehensive OSCAL model addresses the following control assessment challenges:
- Control Information Lacks Standardization
- Assessing Control Implementations Across Multiple Components
- Supporting Multiple Regulatory Frameworks Simultaneously
- Documentation Reviews and Control Assessments are Largely Manual Processes
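As an added illustration (not from the original post or from NIST's OSCAL tooling) of what machine-readable controls make possible, the Python below cross-checks a baseline's selected controls against a catalog and a set of assessment results, replacing the manual documentation review named above. The JSON fragments are constructed and simplified, and their shapes (groups/controls, imports/include-controls/with-ids, findings with a target status, and the `<control-id>_obj` objective naming) are assumptions rather than a normative rendering of the OSCAL schema.

```python
import json

# Constructed, simplified OSCAL-style JSON (assumed shapes, not a real NIST catalog or
# baseline): a catalog, a profile selecting controls from it, and assessment results.
CATALOG = json.loads("""{"catalog": {"metadata": {"title": "Example catalog"},
  "groups": [{"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-1", "title": "Policy and Procedures"},
      {"id": "ac-2", "title": "Account Management",
       "controls": [{"id": "ac-2.1", "title": "Automated Account Management"}]}]},
    {"id": "au", "title": "Audit and Accountability", "controls": [
      {"id": "au-2", "title": "Event Logging"}]}]}}""")
PROFILE = json.loads("""{"profile": {"imports": [{"href": "#catalog",
  "include-controls": [{"with-ids": ["ac-1", "ac-2", "au-2"]}]}]}}""")
RESULTS = json.loads("""{"assessment-results": {"results": [{"findings": [
  {"target": {"type": "objective-id", "target-id": "ac-2_obj",
              "status": {"state": "satisfied"}}},
  {"target": {"type": "objective-id", "target-id": "au-2_obj",
              "status": {"state": "not-satisfied"}}}]}]}}""")

def catalog_controls(catalog):
    """Flatten nested groups and control enhancements into {control-id: title}."""
    found = {}
    def walk(node):
        for ctl in node.get("controls", []):
            found[ctl["id"]] = ctl["title"]
            walk(ctl)  # enhancements (e.g. ac-2.1) nest under their parent control
        for grp in node.get("groups", []):
            walk(grp)
    walk(catalog["catalog"])
    return found

def baseline_control_ids(profile):
    """Control ids the baseline selects via imports/include-controls/with-ids."""
    return {cid for imp in profile["profile"]["imports"]
            for sel in imp.get("include-controls", []) for cid in sel.get("with-ids", [])}

def compliance_gaps(catalog, profile, results):
    """Cross-check the baseline against the catalog and the findings; report what needs attention."""
    known = set(catalog_controls(catalog))
    required = baseline_control_ids(profile)
    state = {}
    for res in results["assessment-results"]["results"]:
        for finding in res.get("findings", []):
            # Assumed naming convention: the objective id is "<control-id>_obj".
            cid = finding["target"]["target-id"].removesuffix("_obj")
            state[cid] = finding["target"]["status"]["state"]
    return {"unknown": sorted(required - known),  # baseline cites a control the catalog lacks
            "not_assessed": sorted((required & known) - set(state)),
            "not_satisfied": sorted(c for c in required if state.get(c) not in (None, "satisfied"))}
```

Run on the constructed input, `compliance_gaps` reports `ac-1` as never assessed and `au-2` as not satisfied, which is exactly the list an auditor would otherwise assemble by hand.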
Ultimately, OSCAL can be a powerful tool to enable fast and continuous compliance.