[Federal Register Volume 89, Number 143 (Thursday, July 25, 2024)]
[Notices]
[Page 60356]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-16381]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology


Community Engagement on the Open Security Controls Assessment 
Language (OSCAL)

AGENCY: National Institute of Standards and Technology, Department of 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) is 
seeking to identify stakeholders involved in ongoing or planned 
activities, including but not limited to standardization, education, 
and adoption, related to the Open Security Controls Assessment Language 
(OSCAL).

DATES: NIST will accept written questions for clarification, comments, 
and/or pertinent feedback until 11:59 p.m. Eastern Time on August 8, 
2024.

ADDRESSES: Community members involved in ongoing or planned OSCAL-
related efforts can submit written questions for clarification, 
comments, and/or pertinent feedback via email to: [email protected] or by 
mail to the contact identified below. Submissions via email should 
include ``OSCAL Engagement'' in the subject line of the message.

FOR FURTHER INFORMATION CONTACT: Michaela Iorga via email to 
[email protected] or by phone at 301-975-8431, or by mail to National 
Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, 
Maryland 20899, Attn: Michaela Iorga, ITL/CSD.

SUPPLEMENTARY INFORMATION: 
    Background: The Federal Information Security Modernization Act 
(FISMA) of 2014 (Pub. L. 113-283, 44 U.S.C. 3554) emphasized the 
importance of information security to the economic and national 
security interests of the United States. FISMA requires agency heads to 
report on the adequacy and effectiveness of their enterprise's 
information security policies, procedures, and practices. For two 
decades, agencies worked diligently to implement the Office of 
Management and Budget (OMB) Circular A-130: ``Managing Information as a 
Strategic Resource,'' employing Authorization to Operate (ATO) 
processes reliant on paper-based documentation, manual assessment 
processes, and non-interoperable proprietary automation processes and 
tools that do not support security data portability.
    NIST initiated the development of the Open Security Controls 
Assessment Language (OSCAL) to support automated (or computer-assisted) 
assessment and risk management through operationally sustainable means 
and to fill federal, national, and international gaps in security 
assessment automation by providing a set of data-centric, regulatory-
agnostic, technical specifications capable of expressing security 
information in machine-readable formats (XML, JSON or YAML), in support 
of risk management automation.
    The NIST OSCAL program has been working with the public to develop 
a standardized, open-source, actionable data framework referred to as 
OSCAL, OSCAL models, or OSCAL framework, and a service interface and 
proof-of-concept tools for representing and exchanging high-fidelity 
controls-based IT system risk management data between applications 
hosted by multiple organizations. This OSCAL framework, the service 
interface, and tools provide the foundation for a high degree of 
automation around assessing the underlying system implementation state 
and the extent to which this state ensures that security and privacy 
controls are implemented and remain effective.
    The immediate acceptance and successful international adoption of 
the OSCAL framework calls for a long-term NIST vision of OSCAL 
evolution and incremental maturity into open-source standards developed 
by industry-accepted standards development organizations. OSCAL will 
also promote innovation around applying machine learning, robotic 
process automation, and new knowledge domains to the IT system risk 
management space.
    Community Engagement Areas: NIST seeks to identify community 
members involved in ongoing or planned activities, including but not 
limited to standardization, education, and adoption, related to OSCAL. 
Individual and organizational community members with ongoing or planned 
activities in these areas may respond to this notice to describe these 
activities and inform NIST's planning and coordination efforts across 
the OSCAL program.
    Exemplary activities could include, but are not limited to, the 
following:
     • Assessing OSCAL maturity level readiness for international 
standardization. This category could include developing open-source 
OSCAL content for the community's consumption based on the latest 
released set of OSCAL models (7), and developing tests or OSCAL content 
that exercise the latest prototype OSCAL models.
     • Developing enhancements or new OSCAL models as deemed 
necessary by the community.
     • Developing OSCAL educational material (tutorials, videos) 
for all OSCAL-adoption levels, from novice to advanced.
     • Organizing OSCAL events such as conferences, webinars, and 
workshops for security experts, assessors, auditors, and developers 
implementing OSCAL-based solutions.
     • Establishing OSCAL incubators (labs) that will develop 
proof-of-concept implementations (pilots), tools, and adoption best 
practices guidance.
     • Implementing OSCAL solutions for internal purposes.
     • Implementing OSCAL Governance, Risk, and Compliance (GRC) 
tools.
    Authority: 15 U.S.C. 272(b)(10).

Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2024-16381 Filed 7-24-24; 8:45 am]
BILLING CODE 3510-13-P