# OSCAL Public Announcement
NOTE:
* This is a draft of the OSCAL Gold Medal Award announcement, combined with the key point of NIST's strategic plan to evolve OSCAL from a project into a program that aims to grow rapidly and become sustainable through broader community engagement.
* The announcement can be distributed via email, posted on our website, and shared on social media by NIST.
* Management and possibly PA approvals might be necessary.
---
### NIST OSCAL Team's Commitment
Over the past few years, OSCAL emerged as a research project aiming to deliver, through collaboration with GSA/FedRAMP and industry, a machine-readable language expressed in XML, JSON, and YAML that can represent control catalogs, control baselines, system security plans, and assessment plans and results. OSCAL was managed as an initiative loosely coordinated and run from within two groups of the Computer Security Division (CSD) of ITL.
The OSCAL team's dedication and hard work resulted in the development and rapid adoption of the Open Security Controls Assessment Language which "is already solving foundational problems that stymied even the simplest data sharing and compliance automation, like consistent identifiers for organizational defined parameters. Importantly, the establishment of an open, government-backed standard has both forced and elevated critical conversations long needed around enabling the exchange of compliance data and compliance automation." (Greg Elin, Principal OSCAL Engineer, RegScale)
The high rate of OSCAL adoption calls for a stronger commitment from the NIST OSCAL team and from the supporting community. OSCAL's transition in early 2023 from a research project to a program demonstrates NIST's commitment to supporting OSCAL's further development. However, because NIST resources fall below the anticipated OSCAL development needs in the near future, the OSCAL team's mission in 2023 is not only to continue core OSCAL development but, more than anything, to establish better collaboration processes that facilitate community growth and development, with broader roles and improved responsibilities.
Mr. Elin also stated: "The next most important mountain to climb is how to become more effective as a community. This is [...] on all of us who are adopting and using OSCAL in the wild with agencies and private industry. We need to develop our community muscles and not rely on NIST for initiation and follow through on everything. The community needs to be more effective at providing timely feedback to NIST, at generating documentation, at supporting adoption, and helping set priorities."
Under NIST's leadership and in close collaboration with the OSCAL team, the community has the opportunity to play a leading role in OSCAL's metamorphosis into a standard used internationally by governments and by the public and private sectors.
### Department of Commerce's Gold Award
In 2022, the NIST OSCAL Team received the [Department of Commerce's Gold Medal](https://www.nist.gov/nist-awards/2022-gold-medal-award-michaela-iorga-david-waltermire-dmitry-cousin-alexander-stein).
The group was "recognized for enabling faster, more accurate, and more secure system deployments and updates with reduced operational costs through the automated assessment of security control implementation and effectiveness. The group developed and increased adoption of the Open Security Controls Assessment Language to facilitate a transition from manual to machine-driven, automated security assessments. The rapid international adoption demonstrates OSCAL’s groundbreaking transformation of systems security-assessment processes."
#### OBSOLETE CONTENT
There is risk associated with this commitment, to the extent that OSCAL becomes an ongoing government responsibility subject to unforeseeable rearrangements of resources at the agency or department level. In a better future, OSCAL is fully owned, supported, and maintained by its user community -- a *standard* in every meaningful sense. We should hope that most of its growth occurs outside the NIST team, even as we hope for adoption across NIST, the federal government, and the public and private sectors, wherever it is useful and applicable. So we enter an important transition phase: OSCAL as a program within CSD develops for a longer-term horizon beyond it.
What does becoming a program mean?
- Greater and more predictable resource allocation for the time being (5 year outlook? what is min/max)
- ?
- ?
What does it not mean?
- Community is not needed. We need you more than ever!
- Easier access to ITL (OU) and NIST (Bureau) resources
-