
An oscal.club production

OSCAL <remarks/>

Blog posts by OSCAL club members, for every <party/> and <role/>.

OSCAL Is a Noun, You Bring the Verbs

By Al S · 2022-03-03T01:06:01.571Z

As I watch the OSCAL community expand, I am excited to see explosive growth in the quantity and quality of OSCAL-based projects. There are many kinds of people involved in OSCAL projects, and I have the wonderful privilege of talking to these many kinds of people, all at different steps of their OSCAL journey. One theme I hear increasingly often from those who have built expertise in OSCAL and get questions from the uninitiated is: OSCAL is a noun, not a verb, why do people not get that!?

With the first production release of OSCAL 1.0.0 in June 2021, there was an understandable desire and pressure in the last year to meet industry demand and implement solutions that bake in OSCAL goodness. During the last year, many developers, security specialists, and executive security leadership embarked on their OSCAL journey. As OSCAL novices, they internalize their own journey and ask a simple question of everyone around them.

How do I OSCAL?

This question conveys the best of intentions, but it is still problematic. Using the word OSCAL as a verb implies it has agency, that OSCAL can inherently do things for you. Symbolically and metaphorically, maybe it can. But practically speaking, OSCAL is not an agent of change. It is simply a medium. You can hope that it is a verb, wishfully believing it is a change agent that absolves you of the worthwhile challenge of understanding its concepts and internalizing them into your own security program. But that hope is misplaced.

OSCAL, at its core, is an information model (what data make up a system security plan?) and data models (how do I encode the data that makes up a system security plan in JSON? In XML? In YAML?). By definition, these things are nouns.

So what does this small wording change and mindset afford you? A whole lot! OSCAL, in its information models and data models, is a catalyst for all the different kinds of people in the security industry to empower themselves. OSCAL, as the official documents say today, is data-centric, integrated, extensible, and automated. These tenets represent a central theme: data ownership. So, you need to focus on the actual questions.

What am I doing with OSCAL?

How do my security data and workflows fit with OSCAL?

How do I make OSCAL work for my security program?

OSCAL is a noun, you bring the verbs. And this means you own the data and make it work for you.

Invariants in OSCAL: We Hold These Truths to Be Self-Evident

By Al S · 2022-03-17T04:08:46.024Z

OSCAL is fun because it brings new perspectives to many different specialties in security and information technology. Cybersecurity and privacy policy are complex disciplines in their own right. They have their own methodologies and culture. Still, many practitioners might not see their expertise as a form of engineering or data science.

OSCAL changes all of that, sometimes in small ways, other times in big ways.

Since OSCAL brings data-oriented engineering culture into the domain of executives and policy analysts, a few of its fundamental ideas shift the way you design and implement those policies. Through the lens of computer science and mathematics, policies look different. You can understand a lot of OSCAL’s power when you think of the data in a control catalog, system security plan, assessment plan, and assessment results as mathematical objects. What truths do they hold? To understand OSCAL, you must understand its invariants. An invariant is a fact about one of these objects that holds true throughout its lifetime. Even as OSCAL-enabled software acts upon the data, these facts must remain true.

So what is an invariant in OSCAL? Let’s examine an important example, one highlighted recently by the NIST development team as they update the profile resolution specification: equivalence of OSCAL objects. An instance of an OSCAL model, be it a catalog or component-definition or system-security-plan
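The "noun" in the first post (one information model, several data models) and the equivalence invariant named above can be made concrete with a small script. What follows is an added example, not code from oscal.club, the post's author, or NIST: the same tiny catalog written once in OSCAL JSON and once in OSCAL XML is read back into a single Python structure, canonicalized, and hashed, so that two documents compare equal when they encode the same object regardless of serialization, whitespace, or key order. The catalog fragment is constructed for illustration and omits most of the metadata a real catalog requires; the XML-to-dict mapping is hand-written for just these fields and is not a general OSCAL converter.

```python
"""Added example (not code from oscal.club, the post's author, or NIST).

The same tiny control catalog in two OSCAL data models, JSON and XML, is
read back into one Python structure, canonicalized and hashed.  Two
documents count as the same information-model object when the fingerprints
match, whatever their serialization, whitespace or key order.

Assumptions: the catalog fragment is constructed and omits most of the
metadata a real OSCAL catalog requires; the XML-to-dict mapping is
hand-written for just these fields, not a general OSCAL converter.
"""
import hashlib
import json
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}

# Constructed sample: one catalog, two controls, JSON data model.
CATALOG_JSON = """{
  "catalog": {
    "uuid": "c3f6e1c2-5b8a-4b6e-9f4d-1e2a3b4c5d6e",
    "metadata": {
      "title": "Example Catalog",
      "version": "1.0",
      "oscal-version": "1.0.0"
    },
    "controls": [
      {"id": "ac-1", "title": "Access Control Policy and Procedures"},
      {"id": "ac-2", "title": "Account Management"}
    ]
  }
}"""

# Same JSON with keys reordered and whitespace removed: different bytes,
# same object.
CATALOG_JSON_REORDERED = (
    '{"catalog":{"controls":[{"title":"Access Control Policy and Procedures","id":"ac-1"},'
    '{"title":"Account Management","id":"ac-2"}],'
    '"metadata":{"oscal-version":"1.0.0","version":"1.0","title":"Example Catalog"},'
    '"uuid":"c3f6e1c2-5b8a-4b6e-9f4d-1e2a3b4c5d6e"}}'
)

# The same catalog in the XML data model.
CATALOG_XML = f"""<catalog xmlns="{OSCAL_NS}" uuid="c3f6e1c2-5b8a-4b6e-9f4d-1e2a3b4c5d6e">
  <metadata>
    <title>Example Catalog</title>
    <version>1.0</version>
    <oscal-version>1.0.0</oscal-version>
  </metadata>
  <control id="ac-1">
    <title>Access Control Policy and Procedures</title>
  </control>
  <control id="ac-2">
    <title>Account Management</title>
  </control>
</catalog>"""

# A genuinely different catalog: one control title edited.
CATALOG_JSON_EDITED = CATALOG_JSON.replace("Account Management", "Account Mgmt")


def catalog_from_json(text: str) -> dict:
    """JSON is already shaped like the information model; just parse it."""
    return json.loads(text)


def catalog_from_xml(text: str) -> dict:
    """Map the XML fragment onto the dict shape the JSON parser yields.
    Covers only uuid, metadata children and control id/title (assumption)."""
    root = ET.fromstring(text)
    metadata = root.find("o:metadata", NS)
    return {
        "catalog": {
            "uuid": root.get("uuid"),
            # strip the {namespace} prefix ElementTree puts on tag names
            "metadata": {child.tag.split("}", 1)[1]: child.text for child in metadata},
            "controls": [
                {"id": ctl.get("id"), "title": ctl.find("o:title", NS).text}
                for ctl in root.findall("o:control", NS)
            ],
        }
    }


def fingerprint(catalog: dict) -> str:
    """SHA-256 of canonical JSON (sorted keys, no insignificant whitespace).
    Object key order does not affect it; array order does, so a reordered
    control list yields a different fingerprint."""
    canonical = json.dumps(catalog, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def equivalent(a: dict, b: dict) -> bool:
    """The invariant under test: same object, whatever the encoding."""
    return fingerprint(a) == fingerprint(b)


if __name__ == "__main__":
    json_cat = catalog_from_json(CATALOG_JSON)
    xml_cat = catalog_from_xml(CATALOG_XML)
    print("JSON == XML:", equivalent(json_cat, xml_cat))
    print("JSON == reordered JSON:", equivalent(json_cat, catalog_from_json(CATALOG_JSON_REORDERED)))
    print("JSON == edited JSON:", equivalent(json_cat, catalog_from_json(CATALOG_JSON_EDITED)))
```

Hashing the canonical form rather than the file is what lets you detect real drift in a system security plan kept under version control even when different tools emit JSON, XML, or YAML with their own formatting. Note that this snippet treats the order of the `controls` array as meaningful; whether a reordered control list is "equivalent" is exactly the kind of question the profile resolution specification has to settle, and the choice here is an assumption, not a statement of what NIST decided.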

Site Redesign

By Al S (Clubhouse Manager) · February 7, 2022

Breaking News: A New Year, a New Look

Hello to and from the OSCAL Club Community. The community is small and determined, but even for the smallest of communities an easily editable website is key. So here we are! In order to allow those members passionate about compliance and security to contribute to the site directly, developer or not, I introduce the brand new site!

What Changed?

The new website not only has some minor stylistic improvements, but big functionality enhancements.

  • The use of the US Web Design System, for a crisp look but also one that is accessible for as many users as possible.

  • The adoption of Gatsby and React platform, to allow for easily adaptable styling and interactivity that many web developers will find comfortable.

  • Most importantly, the migration to Netlify and NetlifyCMS as a backend. This migration lets contributors preview versions of the website before a pull request is reviewed, all without a full developer environment on their computer.

So, get started today! You can simply click the Help fix this site link in the upper right-hand corner.

Even I missed some things and had to fix them after the launch; you can check out the changes I made with NetlifyCMS here.

Oh, and expect more blog post series on the intersection of OSCAL and other topics soon. The new workflows will benefit all of us.

As we like to say in the OSCAL Club Community:

World unification equals world domination, have a nice day!

Hopfully, I will get feedback from you soon. (Hey, see what I did there? I look forward to the first fix!)
