It's time to embrace OSCAL automation for effective risk management

The National Institute of Standards and Technology (NIST) put forward the Open Security Controls Assessment Language (OSCAL) standard in 2021, creating a standardized machine readable language. The goal of the standard is to enable automation and facilitate interoperability between different security assessment tools. It also aims to enable real-time machine to machine data exchange, improving automation and interoperability across various compliance frameworks.

There are a multitude of regulatory standards and frameworks that organizations must adhere to, all periodically updated. Keeping up with all these changes is quite difficult, and many organizations find it challenging to comply quickly with increasingly stringent security requirements. Historically, compliance has often lagged behind security and even further behind new technological advancements. As more organizations work to meet Federal Risk and Authorization Management Program (FedRAMP) requirements for cloud products and services, it’s vital to face these compliance challenges head on. 

In late July, the Office of Management and Budget (OMB) released a new memorandum modernizing FedRAMP to help with these efforts. Part of that memo focused on automation through machine-readable Risk Management Framework (RMF) documents. In other words, compliance as code. This memo is essentially the first compliance as code mandate for OSCAL, recognizing its ability to transform compliance as we know it.

Automate repetitive and time-consuming tasks

OSCAL’s machine-readable representations of security controls, assessment plans and documentation in standardized formats (such as XML, JSON and YAML) enables users to automate the creation, management and updating of compliance documentation. This automation dramatically reduces the amount of manual effort required to comply with multiple regulatory requirements and the inevitable errors that accompany such efforts. In addition, the OSCAL standard facilitates interoperability between different security tools and platforms. This interoperability enables seamless data exchange and integration, which allows organizations to automate the collection and analysis of compliance data across multiple systems and frameworks. 

OSCAL is a machine readable language that supports the automating reporting of continuous monitoring by providing up-to-date information about the security posture of systems. This allows organizations to provide real-time compliance assessments and reduces (or eliminates) the need for periodic manual reviews. It also enables automation of both the validation of security controls and the generation of reports, such as System Security Plans (SSPs) and Security Assessment Plans (SAPs). This level of automation ensures consistency and accuracy in compliance documentation, which frees up the compliance team to focus on more complex tasks. 

Implementing OSCAL-enabled tools provides the technology needed to eliminate the inevitable inconsistencies so common in manually created security documentation as well as improve automation and interoperability across multiple compliance frameworks. To maximize the benefits of adopting the standard, security leaders need to understand the challenges organizations commonly face, identify ways to address those challenges, and ensure that internal training is available to accelerate adoption and minimize the friction involved in adopting the OSCAL framework. 

Initial challenges adopting OSCAL

The biggest initial challenge is change itself. The problem is that most compliance teams are so accustomed to Excel spreadsheets and manual processes that it’s hard to understand and accept the change to machine to machine data exchange. There are a few ways to address these challenges. 

1. First, clarify that OSCAL is increasingly recognized as an acceptable standard in the cybersecurity community and adoption is growing, particularly given the new OMB guidance. 
2. Next, evaluate current business practices and determine whether the company would save time by embracing the OSCAL standard. This can be done by documenting the time spent on manual compliance tasks, such as data entry, report generation, control assessments, and analyzing formats. Then estimate how much time may be saved by automating these tasks.
3. Demonstrate (using a vendor solution or by referencing a case study) how the same information an Authorizing Official might require three to six months to validate manually can be completed in moments with OSCAL-enabled tooling. Using the OSCAL standard, validating Authority to Operate (ATO) formats and data fields is a quick and straightforward process.
4. Finally, evaluate resource availability. Compliance teams will find immediate business value using OSCAL for machine to machine data exchange because it dramatically reduces the time required to evaluate compliance and prepare for external audits.

To get started, look at the OSCAL section of the NIST website, which spells out exactly what OSCAL is, what the baseline is, and how different components work. Encourage teams to get involved with OSCAL working groups. By participating, compliance teams can help to increase adoption of OSCAL and help the standard develop. Before choosing a new compliance tool, validate that the tool supports OSCAL and meets the specific needs of the company. Make sure to choose a vendor that is involved in developing the standard and is keeping their solutions up to date with the latest changes.

Internal OSCAL training 

There are a lot of videos, presentations and blogs as well as walkthrough tutorials available on the NIST website to help people learn about OSCAL and how to use it. These resources can be used to build the foundation of internal training programs. Consider hosting internal workshops using NIST materials, which should cover the integration of OSCAL-compliant solutions with existing systems, the use of OSCAL models, and what benefits the organization will realize from automating compliance processes. 

Social networking is another helpful way to learn about and become more comfortable with OSCAL. Try to ensure multiple team members are involved in NIST’s OSCAL working groups, where they will learn a lot about how to get started just by listening and asking questions. Engage with the OSCAL community and vendors in the space, who may be able to provide additional support and training sessions tailored to your business requirements. Finally, create an internal community or platform where employees can share their knowledge and ask questions. This might be as simple as a Slack channel, setting up informal Q&A sessions, or creating collaborative projects to encourage peer learning and continuous improvements of compliance efforts. 

Leverage OSCAL to manage risk

While some compliance teams may still be hesitant to adopt the relatively new OSCAL standard, the new OMB guidance on automation through machine-readable RMF documents for FedRAMP certification underscores the many benefits it delivers. This article outlines a few ways you can help your compliance team come to understand and leverage everything OSCAL has to offer. For any business that operates an audit or authorization function, the time has come to embrace OSCAL and leave manual processes behind. This transition will enable organizations to manage risk effectively even in an evolving threat and technological landscape.