FATHOM5 supports the community advancement of NIST's OSCAL initiatives. This repo provides custom developed content and supporting tools that enable compliance automation using NIST's OSCAL. Our first release includes an OSCAL Catalog, OSCAL Profile, and supporting data transformation scripts for NIST 800-171, forming the basis for compliance automation for US Controlled Unclassified Information.

The Open Security Controls Assessment Language (OSCAL) created and maintained by NIST is the state of the art for compliance automation. OSCAL provides a mechanism for turning cybersecurity artifacts from static PDFs, Excel spreadsheets, and Word documents into machine-readable code. Reformating the data in this way is a critical first step to unlock the power of automation.

Image Credits - NIST

As illustrated above, all OSCAL models must derive content from an OSCAL Catalog and OSCAL Profile.

NIST provides this source material for SP 800-53 (AKA Risk Management Framework).

Image Credits - NIST

All DoD contractors processing, storing, or transmitting CUI must follow NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). However, unlike for RMF, NIST has not yet published similar OSCAL content for SP 800-171.

If DoD contractors want to leverage the state of the art to automate CUI Protection compliance, this project provides the fundamental building blocks.

Under /tools, you'll find a parser we wrote to take a raw tab-delimeted CSV of the 800-171 requirements and reformat the data into OSCAL-compliant JSON.

Under /content/SP800-171, you'll find a resulting OSCAL Catalog and OSCAL Profile for 800-171.

This content is being freely distributed under CC0 to help you automate your compliance for CUI.

We developed this OSCAL Content to be readily ingestable by EasyDynamics' OSCAL Viewer tool. Viewing it is as simple as navigating to their tool, replacing the URL in the OSCAL Catalog URL field with https://raw.githubusercontent.com/FATHOM5/oscal/main/content/SP800-171/oscal-content/catalogs/NIST_SP-800-171_rev2_catalog.json, and hitting Reload. You may also utilize EasyDynamics' containerized deployment of the OSCAL Viewer to edit locally and build your organization-specific OSCAL models from there. If running locally with the OSCAL Viewer from EasyDynamics, just clone this project and run the following command:

$ docker run -p 8080:8080 -v "<direct path to project>\oscal\content\SP800-171\oscal-content":/app/oscal-content ghcr.io/easydynamics/oscal-editor-all-in-one

NOTE: The above command uses backslashes for the local working directory, assuming you're running from Windows. If running from Linux, use forward slashes.

Then open up a browser to localhost:8080.

In either case, you'll see our OSCAL content for 800-171.

We also include a copy of the Catalog converted to HTML, which may be downloaded and viewed in any web browser.

You can follow NIST's guidance to import the 800-171 OSCAL Profile into your organization's OSCAL Models. For instance, this page describes how to import a profile for your System Security Plan.