Date Published: December 2, 2025
Comments Due:
Email Questions to:
Author(s)
Michaela Iorga (NIST), Marilyn Nguyen (NIST)
Announcement
This paper introduces the Open Security Controls Assessment Language (OSCAL) — an open-source, machine-readable language that standardizes security documentation for better monitoring and risk management.
OSCAL was developed to modernize manual, paper-based cybersecurity compliance through automated, scalable processes and continuous assessments. This draft describes OSCAL’s layered architecture, its growing global adoption, and its future integration with emerging technologies (e.g., digital twins, agentic AI) for autonomous risk reasoning and continuous assurance.
We strongly encourage you to use this comment template to prepare your comments before submitting them to [email protected] by January 13, 2026. Thank you.
This document introduces the Open Security Controls Assessment Language (OSCAL), a NIST-developed, open-source, machine-readable language that modernizes manual, paper-based cybersecurity compliance by enabling automated and scalable processes. OSCAL standardizes security documentation for easier monitoring and risk management across different tools. It can also be extended and integrated with numerous capabilities, including software supply chain standards using OSCAL SBOMs, digital twin technology and AI-driven compliance. Overall, OSCAL helps organizations improve efficiency, accuracy, and collaboration in cybersecurity.
This document introduces the Open Security Controls Assessment Language (OSCAL), a NIST-developed, open-source, machine-readable language that modernizes manual, paper-based cybersecurity compliance by enabling automated and scalable processes. OSCAL standardizes security documentation for easier...
See full abstract
This document introduces the Open Security Controls Assessment Language (OSCAL), a NIST-developed, open-source, machine-readable language that modernizes manual, paper-based cybersecurity compliance by enabling automated and scalable processes. OSCAL standardizes security documentation for easier monitoring and risk management across different tools. It can also be extended and integrated with numerous capabilities, including software supply chain standards using OSCAL SBOMs, digital twin technology and AI-driven compliance. Overall, OSCAL helps organizations improve efficiency, accuracy, and collaboration in cybersecurity.
Hide full abstract
Keywords
Agentic AI; compliance; continuous assessment; digital twins; interoperability; machine-readable formats; Open Security Controls Assessment Language; OSCAL; risk management; security automation
Control Families
None selected
