drtconfidence oscal training for federal employees

OSCAL Training for Federal Employees

Introduction to OSCAL is a two-day, in-person training program for federal IT teams to learn the NIST machine-readable standard and develop a robust compliance implementation strategy.

drtconfidence oscal training for federal IT teams


The National Institute of Standards and Technology (NIST), in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is designed to support a control-based risk management framework with standardized formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. Control-based information expressed using OSCAL formats allows you to:

  • Easily access control information from security and privacy control catalogs
  • Establish and share machine-readable control baselines
  • Maintain and share actionable, up-to-date information about how controls are implemented in your systems
  • Automate the monitoring and assessment of your system control implementation effectiveness
OSCAL training from DRTConfidence

What You Will Learn

Federal and government employees enrolling in the DRTConfidence OSCAL training program should expect a rich, immersive technical experience. Notable features of the program include:

  • Overall OSCAL model layers, the approach to the standard
  • Detailed outlines of the various models – Catalogs, Profiles, SSP, SAP, SAR, and POA&M
  • Data pipeline dependencies that need to be maintained
  • Data migration approaches
  • Relation of other A&A artifacts to OSCAL
drtc oscal training program for fedramp and fisma compliance

OSCAL Training Requirements

A solid understanding of compliance fundamentals is necessary before commencing a successful OSCAL training program. Groundwork familiarity leads to smooth collaboration and an enjoyable experience for the instructor and classroom participants.

Elevate Federal Compliance.

Description of the Training Program

This training will include a detailed walkthrough of the NIST standard, what GRC tools can accomplish with a machine-readable format, and how automation can be achieved by leveraging OSCAL.

Day 1

Session 1

  • Detailed walkthrough of the OSCAL model layers that represent the various steps in the RMF process
  • Key terminology used in OSCAL which helps interpret the documentation
  • OSCAL resources for continued education

Session 2

  • Detailed model review of the Control layer, which includes Catalog and Profiles
  • Review of NIST 800-53 and FISMA Low, Moderate, High baselines
  • Creating custom controls and agency-specific baselines
  • Introduction to a GRC tool that would help author OSCAL artifacts


Session 3

  • Detailed walkthrough of the Implementation layer, which includes Component Definitions
  • Approaches to modeling a component registry

Session 4

  • Detailed walkthrough of System Security Plans (SSP)
  • Control inheritance in OSCAL frameworks
  • Data Migration from Word documents

Day 2

Session 5

  • Detailed walkthrough of the Assessment Layer, which includes a Security Assessment Plan (SAP) and Security Assessment Results (SAR)
  • Managing risks and POA&Ms in OSCAL models
  • Integration with Assessment Tools and CI/CD pipelines

Session 6

  • How is ConMon managed in OSCAL
  • Other regulatory frameworks being supported in OSCAL
  • Demonstration of the DRTConfidence GRC platform as an example of OSCAL in action



  • Open discussion on implementation approaches
  • Open discussion on future changes in OSCAL
  • Open discussion on FedRAMP’s adoption of OSCAL

OSCAL Training Instructors

Valinder Mangat

As the Chief Innovation Officer of DRTConfidence, Valinder frequently speaks at the NIST Conferences and has significantly contributed to the OSCAL standard. He successfully completed a pilot with FedRAMP in submitting the first-ever ATO package and assessments in the OSCAL format.

Nick Geyer

Nick is a senior analyst at DRTConfidence and leads the OSCAL implementation requirements for the DRTConfidence product. He managed the first-ever complete assessment package conversion to OSCAL.

Learn. Apply. Comply.