About OSCAL
The National Institute of Standards and Technology (NIST), in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is designed to support a control-based risk management framework with standardized formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. Control-based information expressed using OSCAL formats allows you to:
- Easily access control information from security and privacy control catalogs
- Establish and share machine-readable control baselines
- Maintain and share actionable, up-to-date information about how controls are implemented in your systems
- Automate the monitoring and assessment of your system control implementation effectiveness
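The catalog, profile and baseline relationship described above, as an added example that is not part of this page or of NIST's OSCAL tooling: a minimal Python resolver that applies a profile's `with-ids` selection to a catalog using the field names of the OSCAL JSON catalog and profile models. Both documents are constructed samples, and only the `with-ids` selector is handled.

```python
import json
# Constructed sample catalog in the OSCAL catalog JSON shape (values made up).
SAMPLE_CATALOG = json.loads("""
{"catalog": {"uuid": "11111111-1111-4111-8111-111111111111",
 "metadata": {"title": "Sample catalog", "version": "1.0"},
 "groups": [
  {"id": "ac", "title": "Access Control", "controls": [
    {"id": "ac-1", "title": "Policy and Procedures"},
    {"id": "ac-2", "title": "Account Management", "controls": [
      {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
  {"id": "au", "title": "Audit and Accountability", "controls": [
    {"id": "au-2", "title": "Event Logging"}]}]}}
""")

# Constructed sample profile: an agency baseline selecting controls by id.
SAMPLE_PROFILE = json.loads("""
{"profile": {"uuid": "22222222-2222-4222-8222-222222222222",
 "metadata": {"title": "Sample agency baseline", "version": "1.0"},
 "imports": [{"href": "#catalog",
   "include-controls": [{"with-ids": ["ac-1", "ac-2.1", "au-2", "si-4"]}]}]}}
""")

def index_controls(catalog):
    """Flatten a catalog to {control-id: control}, including nested groups and enhancements."""
    index = {}
    def walk_controls(controls):
        for ctl in controls:
            index[ctl["id"]] = ctl
            walk_controls(ctl.get("controls", []))  # enhancements nest under their control
    def walk_groups(groups):
        for grp in groups:
            walk_controls(grp.get("controls", []))
            walk_groups(grp.get("groups", []))      # groups may nest further groups
    walk_groups(catalog["catalog"].get("groups", []))
    walk_controls(catalog["catalog"].get("controls", []))
    return index

def resolve_profile(profile, catalog):
    """Return (selected control ids, ids the catalog does not define).
    Only the 'with-ids' selector is handled; a missing id is a data error
    in the baseline and is reported rather than silently dropped."""
    index = index_controls(catalog)
    selected, missing = [], []
    for imp in profile["profile"]["imports"]:
        for selector in imp.get("include-controls", []):
            for cid in selector.get("with-ids", []):
                (selected if cid in index else missing).append(cid)
    return selected, missing
```

The unresolved id `si-4` is returned separately so that a baseline referencing a control its catalog does not define is caught before the baseline is shared or used to build a system security plan.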
What You Will Learn
Federal and government employees enrolling in the DRTConfidence OSCAL training program should expect a rich, immersive technical experience. Notable features of the program include:
- Overall OSCAL model layers, the approach to the standard
- Detailed outlines of the various models – Catalogs, Profiles, SSP, SAP, SAR, and POA&M
- Data pipeline dependencies that need to be maintained
- Data migration approaches
- Relation of other A&A artifacts to OSCAL
OSCAL Training Requirements
A solid understanding of compliance fundamentals is necessary before commencing a successful OSCAL training program. That groundwork leads to smooth collaboration and an enjoyable experience for both the instructor and the classroom participants.
- Understanding of the NIST Risk Management Framework (RMF)
- Understanding of the 800-53 controls set
- Understanding of the FedRAMP and FISMA compliance requirements
Description of the Training Program
This training will include a detailed walkthrough of the NIST standard, what GRC tools can accomplish with a machine-readable format, and how automation can be achieved by leveraging OSCAL.
Day 1
Session 1
- Detailed walkthrough of the OSCAL model layers that represent the various steps in the RMF process
- Key terminology used in OSCAL which helps interpret the documentation
- OSCAL resources for continued education
Session 2
- Detailed model review of the Control layer, which includes Catalog and Profiles
- Review of NIST 800-53 and FISMA Low, Moderate, High baselines
- Creating custom controls and agency-specific baselines
- Introduction to a GRC tool that would help author OSCAL artifacts
LUNCH BREAK
Session 3
- Detailed walkthrough of the Implementation layer, which includes Component Definitions
- Approaches to modeling a component registry
Session 4
- Detailed walkthrough of System Security Plans (SSP)
- Control inheritance in OSCAL frameworks
- Data Migration from Word documents
Day 2
Session 5
- Detailed walkthrough of the Assessment Layer, which includes a Security Assessment Plan (SAP) and Security Assessment Results (SAR)
- Managing risks and POA&Ms in OSCAL models
- Integration with Assessment Tools and CI/CD pipelines
Session 6
- How continuous monitoring (ConMon) is managed in OSCAL
- Other regulatory frameworks being supported in OSCAL
- Demonstration of the DRTConfidence GRC platform as an example of OSCAL in action
LUNCH BREAK
Conclusion
- Open discussion on implementation approaches
- Open discussion on future changes in OSCAL
- Open discussion on FedRAMP’s adoption of OSCAL
OSCAL Training Instructors
Valinder Mangat
As the Chief Innovation Officer of DRTConfidence, Valinder frequently speaks at the NIST Conferences and has significantly contributed to the OSCAL standard. He successfully completed a pilot with FedRAMP in submitting the first-ever ATO package and assessments in the OSCAL format.
Nick Geyer
Nick is a senior analyst at DRTConfidence and leads the OSCAL implementation requirements for the DRTConfidence product. He managed the first-ever complete assessment package conversion to OSCAL.