ASD adopts OSCAL format for Information Security Manual

Simplifying security automation.

When the ASD published the latest edition of its Information Security Manual, there was a largely-unheralded first: the ISM was published in machine-readable format.

The September 15 update to the ISM marked the first time the document has been published in the OSCAL machine-readable format.

First launched in June 2021, OSCAL (the Open Security Controls Assessment Language) was created by America’s National Institute for Standards and Technology.

OSCAL uses JSON, XML and YAML to provide a platform for automating security assessment, auditing, and continuous monitoring. 

Announcing the first release, NIST said this makes “systems’ authorisation to operate processes and overall risk management easier.”

The ASD said the OSCAL release “supports a standardised way for organisations to track the implementation status of controls for their systems, through user-friendly dashboards within their governance, risk and compliance tools.”

An ASD spokesperson explained to iTnews that making the ISM machine-readable can help organisations:

  • Track the implementation of controls across many systems;
  • Maintain status information on how controls are implemented; and
  • Monitor the assessment status of systems through user-friendly dashboards.

The release also simplifies life for governance, risk and compliance vendors, the ASD spokesperson said. 

Compared to other ISM formats – PDF, DOCX, XLSX and XML – the OSCAL release means vendors “should be able to automatically download and ingest the ISM OSCAL format” into their tools.

The language provides machine-readable representations of control catalogues, control baselines, system security plans, assessment plans, and results.

The ASD published both the June 2022 and September 2022 ISM editions here.
