If you’re like me, and have been in IT and information security in times measured not by years but by decades, you have been exposed to a multitude of acronyms. Sometimes acronyms have different meanings across vertical boundaries, such as ATM, which can stand for:

  • Asynchronous Transfer Mode (Data Networking)
  • Automated Teller Machine (Financial Services) 
  • Air Turbine Motor (Aerospace)

    Image shows a jet engine, a type of air turbine motor.

At times I feel like I suffer from acronym induced overload (AIO). Yet it’s not common for a new acronym to stump me. That’s why I was a bit surprised when I couldn’t respond to a colleague’s question: What is OSCAL?

My first two thoughts were way off – Outer Southern CALifornia and Operating System – CAL. OSCAL stands for Open Security Controls Assessment Language. It is an open standard developed by the National Institute of Standards and Technology (NIST) to provide a standardized format for expressing and sharing security controls, assessments, and related information.

NIST says it best, so I quote them here: “NIST is developing the Open Security Controls Assessment Language (OSCAL) as a standardized, data-centric framework that can be applied to an information system for documenting and assessing its security controls. Today, security controls and control baselines are represented in proprietary formats, requiring data conversion and manual effort to describe their implementation. An important goal of OSCAL is to move the security controls and control baselines from a text-based and manual approach (using word processors or spreadsheets) to a set of standardized, machine-readable formats. With systems’ security information represented in OSCAL, security professionals will be able to automate security assessment, auditing, and continuous monitoring processes.”

Think about that – much time can be saved and gaps filled by applying such a methodology when dealing with multiple security frameworks. Many organizations need to comply with one or more such standards. As regulations increase, the number of frameworks applicable even to SMBs will undoubtedly increase.
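To make the "machine-readable" point concrete, here is an added example (not from the original post, and not NIST's own tooling) that reads a small OSCAL-style catalog and a profile (baseline) and reports which selected controls the catalog actually defines. The two JSON documents are constructed for this illustration; their shape follows the public OSCAL catalog and profile models (`catalog` → `groups` → `controls`, and `profile` → `imports` → `include-controls` → `with-ids`) but is trimmed to a handful of fields, and the code performs no schema validation.

```python
import json

# Constructed sample: a minimal OSCAL-style catalog with two control families.
# Nested "controls" inside a control represent control enhancements (e.g. ac-2.1).
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Example Catalog", "version": "1.0", "oscal-version": "1.1.2"},
    "groups": [
      {"id": "ac", "title": "Access Control",
       "controls": [
         {"id": "ac-1", "title": "Policy and Procedures"},
         {"id": "ac-2", "title": "Account Management",
          "controls": [{"id": "ac-2.1", "title": "Automated System Account Management"}]}
       ]},
      {"id": "au", "title": "Audit and Accountability",
       "controls": [{"id": "au-2", "title": "Event Logging"}]}
    ]
  }
}
"""

# Constructed sample: an OSCAL-style profile (baseline) that selects controls by id.
# "ir-4" is deliberately absent from the catalog above to show gap reporting.
PROFILE_JSON = """
{
  "profile": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Example Baseline", "version": "1.0", "oscal-version": "1.1.2"},
    "imports": [
      {"href": "#catalog",
       "include-controls": [{"with-ids": ["ac-1", "ac-2.1", "au-2", "ir-4"]}]}
    ]
  }
}
"""


def iter_controls(node):
    """Yield (id, title) for every control under a catalog, group, or control node,
    recursing into nested groups and control enhancements."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control["id"], control.get("title", "")
        yield from iter_controls(control)


def load_catalog_controls(catalog_json):
    """Flatten a catalog document into {control_id: title}."""
    data = json.loads(catalog_json)
    return dict(iter_controls(data["catalog"]))


def profile_control_ids(profile_json):
    """Collect every control id a profile selects via include-controls/with-ids."""
    data = json.loads(profile_json)
    ids = []
    for imp in data["profile"].get("imports", []):
        for selector in imp.get("include-controls", []):
            ids.extend(selector.get("with-ids", []))
    return ids


def resolve_profile(catalog_json, profile_json):
    """Return (resolved, missing): selected controls found in the catalog, keyed by id,
    and the ids the baseline asks for that the catalog does not define."""
    controls = load_catalog_controls(catalog_json)
    resolved, missing = {}, []
    for cid in profile_control_ids(profile_json):
        if cid in controls:
            resolved[cid] = controls[cid]
        else:
            missing.append(cid)
    return resolved, missing


if __name__ == "__main__":
    found, gaps = resolve_profile(CATALOG_JSON, PROFILE_JSON)
    for cid, title in found.items():
        print(f"{cid:8} {title}")
    if gaps:
        print("Not defined in catalog:", ", ".join(gaps))
```

Because the baseline and the catalog are both structured data, the same few lines answer "which controls does this framework ask for, and which ones do we have no definition for?" without anyone re-reading a spreadsheet; pointing the profile at a second catalog is how the same check extends to another framework.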

OSCAL would seem to remove much of the complexity of managing such environments. I guess only time will tell. Contact us for assistance navigating and adhering to frameworks.

For more information, check out https://pages.nist.gov/OSCAL/about/.

Photo by Felix Berger on Unsplash