├── CONTRIBUTING.md
├── LICENSE
└── README.md


/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contribution Guidelines
 2 | 
 3 | Copied with 💙 from [awesome-security](https://github.com/sbilly/awesome-security/blob/master/contributing.md).
 4 | 
 5 | Please ensure your pull request adheres to the following guidelines:
 6 | 
 7 | - Read [the awesome manifesto](https://github.com/sindresorhus/awesome/blob/master/awesome.md) and ensure your list complies.
 8 | - Search previous suggestions before making a new one, as yours may be a duplicate.
 9 | - Make an individual pull request for each suggestion.
10 | - Use the following format: `- [List Name](link) -`
11 | - Link additions should be added to the bottom of the relevant category.
12 | - New categories or improvements to the existing categorization are welcome.
13 | - If the description is marketing, paraphrase to non-marketing.
14 | - Check your spelling and grammar.
15 | - Make sure your text editor is set to remove trailing whitespace.
16 | - The pull request and commit should have a useful title.
17 | 
18 | Thank you for your suggestions!
19 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | Creative Commons Legal Code
  2 | 
  3 | CC0 1.0 Universal
  4 | 
  5 |     CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
  6 |     LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
  7 |     ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
  8 |     INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
  9 |     REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
 10 |     PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
 11 |     THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
 12 |     HEREUNDER.
 13 | 
 14 | Statement of Purpose
 15 | 
 16 | The laws of most jurisdictions throughout the world automatically confer
 17 | exclusive Copyright and Related Rights (defined below) upon the creator
 18 | and subsequent owner(s) (each and all, an "owner") of an original work of
 19 | authorship and/or a database (each, a "Work").
 20 | 
 21 | Certain owners wish to permanently relinquish those rights to a Work for
 22 | the purpose of contributing to a commons of creative, cultural and
 23 | scientific works ("Commons") that the public can reliably and without fear
 24 | of later claims of infringement build upon, modify, incorporate in other
 25 | works, reuse and redistribute as freely as possible in any form whatsoever
 26 | and for any purposes, including without limitation commercial purposes.
 27 | These owners may contribute to the Commons to promote the ideal of a free
 28 | culture and the further production of creative, cultural and scientific
 29 | works, or to gain reputation or greater distribution for their Work in
 30 | part through the use and efforts of others.
 31 | 
 32 | For these and/or other purposes and motivations, and without any
 33 | expectation of additional consideration or compensation, the person
 34 | associating CC0 with a Work (the "Affirmer"), to the extent that he or she
 35 | is an owner of Copyright and Related Rights in the Work, voluntarily
 36 | elects to apply CC0 to the Work and publicly distribute the Work under its
 37 | terms, with knowledge of his or her Copyright and Related Rights in the
 38 | Work and the meaning and intended legal effect of CC0 on those rights.
 39 | 
 40 | 1. Copyright and Related Rights. A Work made available under CC0 may be
 41 | protected by copyright and related or neighboring rights ("Copyright and
 42 | Related Rights"). Copyright and Related Rights include, but are not
 43 | limited to, the following:
 44 | 
 45 |   i. the right to reproduce, adapt, distribute, perform, display,
 46 |      communicate, and translate a Work;
 47 |  ii. moral rights retained by the original author(s) and/or performer(s);
 48 | iii. publicity and privacy rights pertaining to a person's image or
 49 |      likeness depicted in a Work;
 50 |  iv. rights protecting against unfair competition in regards to a Work,
 51 |      subject to the limitations in paragraph 4(a), below;
 52 |   v. rights protecting the extraction, dissemination, use and reuse of data
 53 |      in a Work;
 54 |  vi. database rights (such as those arising under Directive 96/9/EC of the
 55 |      European Parliament and of the Council of 11 March 1996 on the legal
 56 |      protection of databases, and under any national implementation
 57 |      thereof, including any amended or successor version of such
 58 |      directive); and
 59 | vii. other similar, equivalent or corresponding rights throughout the
 60 |      world based on applicable law or treaty, and any national
 61 |      implementations thereof.
 62 | 
 63 | 2. Waiver. To the greatest extent permitted by, but not in contravention
 64 | of, applicable law, Affirmer hereby overtly, fully, permanently,
 65 | irrevocably and unconditionally waives, abandons, and surrenders all of
 66 | Affirmer's Copyright and Related Rights and associated claims and causes
 67 | of action, whether now known or unknown (including existing as well as
 68 | future claims and causes of action), in the Work (i) in all territories
 69 | worldwide, (ii) for the maximum duration provided by applicable law or
 70 | treaty (including future time extensions), (iii) in any current or future
 71 | medium and for any number of copies, and (iv) for any purpose whatsoever,
 72 | including without limitation commercial, advertising or promotional
 73 | purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
 74 | member of the public at large and to the detriment of Affirmer's heirs and
 75 | successors, fully intending that such Waiver shall not be subject to
 76 | revocation, rescission, cancellation, termination, or any other legal or
 77 | equitable action to disrupt the quiet enjoyment of the Work by the public
 78 | as contemplated by Affirmer's express Statement of Purpose.
 79 | 
 80 | 3. Public License Fallback. Should any part of the Waiver for any reason
 81 | be judged legally invalid or ineffective under applicable law, then the
 82 | Waiver shall be preserved to the maximum extent permitted taking into
 83 | account Affirmer's express Statement of Purpose. In addition, to the
 84 | extent the Waiver is so judged Affirmer hereby grants to each affected
 85 | person a royalty-free, non transferable, non sublicensable, non exclusive,
 86 | irrevocable and unconditional license to exercise Affirmer's Copyright and
 87 | Related Rights in the Work (i) in all territories worldwide, (ii) for the
 88 | maximum duration provided by applicable law or treaty (including future
 89 | time extensions), (iii) in any current or future medium and for any number
 90 | of copies, and (iv) for any purpose whatsoever, including without
 91 | limitation commercial, advertising or promotional purposes (the
 92 | "License"). The License shall be deemed effective as of the date CC0 was
 93 | applied by Affirmer to the Work. Should any part of the License for any
 94 | reason be judged legally invalid or ineffective under applicable law, such
 95 | partial invalidity or ineffectiveness shall not invalidate the remainder
 96 | of the License, and in such case Affirmer hereby affirms that he or she
 97 | will not (i) exercise any of his or her remaining Copyright and Related
 98 | Rights in the Work or (ii) assert any associated claims and causes of
 99 | action with respect to the Work, in either case contrary to Affirmer's
100 | express Statement of Purpose.
101 | 
102 | 4. Limitations and Disclaimers.
103 | 
104 |  a. No trademark or patent rights held by Affirmer are waived, abandoned,
105 |     surrendered, licensed or otherwise affected by this document.
106 |  b. Affirmer offers the Work as-is and makes no representations or
107 |     warranties of any kind concerning the Work, express, implied,
108 |     statutory or otherwise, including without limitation warranties of
109 |     title, merchantability, fitness for a particular purpose, non
110 |     infringement, or the absence of latent or other defects, accuracy, or
111 |     the present or absence of errors, whether or not discoverable, all to
112 |     the greatest extent permissible under applicable law.
113 |  c. Affirmer disclaims responsibility for clearing rights of other persons
114 |     that may apply to the Work or any use thereof, including without
115 |     limitation any person's Copyright and Related Rights in the Work.
116 |     Further, Affirmer disclaims responsibility for obtaining any necessary
117 |     consents, permissions or other rights required for any use of the
118 |     Work.
119 |  d. Affirmer understands and acknowledges that Creative Commons is not a
120 |     party to this document and has no duty or obligation with respect to
121 |     this CC0 or use of the Work.
122 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Awesome OSCAL
  2 | [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)
  3 | 
  4 | A collection of awesome community resources, [maybe not quite production ready](https://gitter.im/usnistgov-OSCAL/Lobby?at=6075cc8f2e5574669b34555d), for increasing the adoption of the [Open Security Controls Assessment Language, OSCAL](https://pages.nist.gov/OSCAL).
  5 | 
  6 | Before contributing, please review the [Contribution Guidelines](https://github.com/oscal-club/awesome-oscal/blob/master/CONTRIBUTING.md).
  7 | 
  8 | ## Content
  9 | 
 10 | - [Australian Cyber Security Centre's Information Security Manual in OSCAL](https://www.cyber.gov.au/ism/oscal): OSCAL-based security catalogs and profiles for the Australian Cyber Security Centre's Information Security Manual controls. Covers ISM control’s applicability (non-classified, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET), as well as for Essential Eight Maturity Level One (ML1), Maturity Level Two (ML2) and Maturity Level Three (ML3).
 11 | 
 12 | - [Center for Internet Security's ](https://github.com/CISecurity/CISControls_OSCAL/): the Center for Internet Security's Critical 18 Security controls as an OSCAL catalog, also with their controls related to other catalogs of security controls in the draft OSCAL mapping format.
 13 | 
 14 | - [CivicActions' oscal-component-definitions](https://github.com/CivicActions/oscal-component-definitions): a public collection of OSCAL component definitions for commonly used cloud services, software, security controls, and privacy controls.
 15 |   
 16 | - [Cloud Security Alliance's Cloud Controls Matrix v4 Controls and Mappings](https://cloudsecurityalliance.org/artifacts/ccm-machine-readable-bundle-json-yaml-oscal/): a bundle of the CCM Controls, CAIQ Security Questionnaire, Implementation Guidelines (both JSON/YAML and OSCAL) and Mappings (JSON/YAML) to support organizations that would like to foster CCM automation.
 17 | 
 18 | - [CMS Acceptable Risk Safeguards](https://github.com/CMSgov/ars-machine-readable): the tailored profiles and catalog of adapted NIST SP 800-53 controls used by the Centers for Medicare and Medicaid Services in OSCAL format. Perhaps the first OSCAL content released by a US government agency other than NIST, separate of collaboration with FedRAMP.
 19 |   
 20 | - [CyberESI's CPRT OSCAL Catalog Library](https://cyberesi-cg.com/oscal-cprt-catalog-project/): a collection official catalogs of various NIST frameworks in [the CPRT format](https://csrc.nist.gov/Projects/cprt/catalog#/cprt/home) converted to OSCAL through a proprietary converter.
 21 | 
 22 | - [EasyDynamics oscal.io](https://oscal.io): a community site, like OSCAL Club, with examples of OSCAL content.
 23 | 
 24 | - [Fathom5 SP 800-171 Catalog](https://github.com/FATHOM5/oscal/tree/main/content/SP800-171/oscal-content): the community-maintained version(s) of the NIST SP 800-171 catalog created by Fathom5.
 25 | 
 26 | - [GovTech Singapore's ICT&SS Policy](https://github.com/GovtechSG/tech-standards): Catalog and Profile for low-risk systems for 'Instruction Manual 8 Reform'.
 27 | 
 28 | - [RedHat's OSCAL component definitions](https://github.com/RedHatProductSecurity/oscal-component-definitions): a collection of OSCAL Component Defintions for testing with FedRAMP HIGH baseline profile.
 29 | 
 30 | - [RedHat's OSCAL profiles](https://github.com/RedHatProductSecurity/oscal-profiles): a collection of OSCAL custom profiles for testing with FedRAMP HIGH baseline profile.
 31 | 
 32 | ## Tools
 33 | 
 34 | - [Alex Koderman's oscal4neo4j](https://github.com/Agh42/oscal4neo4j): a collection of scripts in Neo4j's Cypher query language to load OSCAL catalog data in JSON format into its graph database, potentially for use with [the Red Team Project's Security Control Knowledge Graph](https://gitlab.com/redteam-project/sckg).
 35 | 
 36 | - [Brian Ruf's OSCAL-GUI](https://github.com/brian-ruf/OSCAL-GUI): an example PHP web interface developed by [@brian-ruf](https://github.com/brian-ruf) of former FedRAMP fame. It has core presentation logic, file import, format conversion, and working profile resolution.
 37 | 
 38 | - [CivicActions' compliance-io](https://github.com/CivicActions/compliance-io): a library for composable functions for conversion from OpenControl to OSCAL.
 39 | 
 40 | - [CivicActions' ssp-toolkit](https://github.com/CivicActions/ssp-toolkit): a suite of command line utilities in Python to mediate the creation of system security plans in NIST RMF 800-53 Revision 4 in OpenControl format. It can now export SSPs to OSCAL.
 41 | 
 42 | - [Cloud Native Computing Foundation's OSCAL Compass] (https://github.com/oscal-compass): a set of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL SDKs and adoption by policy engines.
 43 | 
 44 | - [Control Plane's collie](https://github.com/controlplaneio/collie) a project demonstrating how infrastructure provisioned by cloud infrastructure controllers can be simultaneously secured and validated for compliance with Kyverno policies and OSCAL documents, leveraging Lula for validation.
 45 | 
 46 | - [Credentive Security's oscal-pydantic](https://github.com/RS-Credentive/oscal-pydantic): A set of pydantic models generated from the OSCAL JSON schema, useful for implementing OSCAL in Python. See also [this PyPI page](https://pypi.org/project/oscal-pydantic/). Just "pip install oscal-pydantic".
 47 | 
 48 | - [Defense Unicorn's bigbang-oscal-component-generator](https://github.com/defenseunicorns/bigbang-oscal-component-generator): a CLI utility and Golang libraries to merge together individual OSCAL YAML components into a unified OSCAL YAML component definition, focused primarily on the specific needs of [Platform One's Big Bang](https://repo1.dso.mil/platform-one/big-bang/bigbang).
 49 | 
 50 | - [Defense Unicorn's Lula](https://github.com/defenseunicorns/lula): a Command Line Interface tool that will consume OSCAL component-definition files to configure and drive execution of automated control validation for Kubernetes utilizing the [Kyverno](https://kyverno.io/) policy management system.
 51 | 
 52 | - [Defense Unicorn's go-oscal](https://github.com/defenseunicorns/go-oscal): a Golang library to generate OSCAL data types.
 53 | 
 54 | - [DRTConfidence](https://www.drtconfidence.com): GRC Platform supporting all OSCAL artifacts (catalog, profile, ssp, sap, sar, poa&m) with FedRAMP extensions and validations implemented out of the box. Available in a FedRAMP JAB High authorized Government Cloud Center.
 55 | 
 56 | - [EasyDynamics oscal.io](https://oscal.io): a community site, like OSCAL Club, with a list of tools from or for the community.
 57 | 
 58 | - [EasyDynamics OSCAL REST API Draft Standard](https://github.com/EasyDynamics/oscal-rest): an emerging standard for REST APIs to encourage all tool vendors to make a conformant API surface to reduce future churn in supporting heterogenous APIs for OSCAL-friendly tools and services.
 59 | 
 60 | - [EasyDynamics OSCAL React Library](https://github.com/EasyDynamics/oscal-react): a fully featured React component library for rendering all the OSCAL object models in JSON format with a developer-friendly API and a clean (but customizable) React-based UI.
 61 | 
 62 | - [EasyDynamics OSCAL REST API Service](https://github.com/EasyDynamics/oscal-rest-service): an initial Java-based implementation of some the OSCAL REST API listed above. It persists data as files in local directories.
 63 | 
 64 | - [EasyDynamics OSCAL Editor Deployment](https://github.com/EasyDynamics/oscal-editor-deployment): an integrated application, with the REST API service and React-based frontend (mentioned above), packaged as a simple Docker deployment of both open-source projects. It allows both viewing, and for some OSCAL document types and scenarios, editing file content and saving it to a properly configured Docker volume.
 65 | 
 66 | - [GSA's OSCAL Tools](https://github.com/GSA?q=oscal-&type=&language=&sort=): a collection of open-source tools provided by GSA teams to interoperate between OSCAL data (with required FedRAMP Extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.
 67 | 
 68 | - [GSA's oscal-js](https://github.com/GSA/oscal-js): an installer for oscal-cli & helper typescript types and functions for leveraging oscal, available via `npm install oscal`
 69 | 
 70 | - [GoComply's FedRAMP Utility](https://github.com/GoComply/fedramp): a tool that uses oscalkit (see below) to stamp in OSCAL data to the FedRAMP Word (DOCX) system security plan templates.
 71 | 
 72 | - [GoComply's oscalkit](https://github.com/GoComply/oscalkit): a Golang-based software development kit and command-line utility for operating on OSCAL data models. 
 73 | 
 74 | - [GovReady's GovReady-Q](https://github.com/GovReady/govready-q): an open source, web-based self-service GRC tool to automate security assessments and compliance from [@gregelin](https://github.com/gregelin) and the GovReady crew. It focuses on import and export of OSCAL data models.
 75 | 
 76 | - [Hidayatullah Ahsan's ValidateOscalDocuments](https://github.com/hahsan-ti/ValidateOscalDocuments): a C# library and console application to validate OSCAL XML documents.
 77 | 
 78 | - [IBM Compliance Trestle](https://github.com/IBM/compliance-trestle): an opinionated command-line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
 79 | 
 80 | - [IBM's Compliance to Policy Tool](https://github.com/IBM/compliance-to-policy): a framework to bridge the gap between compliance and policy administration with Kubernetes automation and OSCAL catalogs, profiles, and component definitions. 
 81 | 
 82 | - [John Jediny's OSCAL Static Site Playground](https://github.com/JJediny/oscal-static-site-playground): a static web application, using Gatsby and the US Web Design System, with hosting on the Federalist platform, to host a modern responsive application with OSCAL data models in JSON format dropped in place.
 83 | 
 84 | - [Metanorma's coradoc-oscal](https://github.com/metanorma/coradoc-oscal): a Ruby utility script to convert Metanorma Coradoc into data in the OSCAL Catalog document instances in YAML format.
 85 | 
 86 | - [Metanorma's oscal-ruby](https://github.com/metanorma/oscal-ruby): a Ruby gem for processing OSCAL data in YAML format.
 87 | 
 88 | - [MITRE's InSpec OSCAL Plugin](https://github.com/mitre/inspec-oscal/tree/develop): an InSpec plugin developed by MITRE and open-source contributors to prototype the use of InSpec profiles with variables and configuration data embedded, in OSCAL components, SSPs, and other document instances.
 89 | 
 90 | - [mocolicious OSCAL-Examples](https://github.com/mocolicious/OSCAL-Examples): a collection of different front-end web applications leveraging OSCAL, mainly to show off different development workflows and environments. Current development status or community use is unclear.
 91 | 
 92 | - [Nikita Wootten's Nix package for oscal-cli](https://github.com/nikitawootten/infra/blob/main/packages/oscal-cli/default.nix): a declarative [NixOS Linux](https://nixos.org/) package specification for repeatably building [NIST's oscal-cli utility](https://github.com/usnistgov/oscal-cli).
 93 | 
 94 | - [Nikita Wootten's Nix package for oscal-deep-diff](https://github.com/nikitawootten/infra/blob/main/packages/oscal-deep-diff/default.nix): a declarative [NixOS Linux](https://nixos.org/) package specification for repeatably building [NIST's oscal-deep-diff](https://github.com/usnistgov/oscal-deep-diff/) utility.
 95 | 
 96 | - [NREL Cyber's oscal](https://github.com/NREL-CYBER/oscal): a library of types and utility functions for using the OSCAL JSON object models conveniently with Typescript applications.
 97 | 
 98 | - [NREL Cyber's oscal-atoms](https://github.com/NREL-CYBER/oscal-atoms): a library for Atomic components for interacting with oscal-cache (see below).
 99 | 
100 | - [NREL Cyber's oscal-cache](https://github.com/NREL-CYBER/oscal-cache): a libray with a collection of stores, commands and queries for OSCAL application cache.
101 | 
102 | - [OMB'S OPAL](https://github.com/EOP-OMB/opal): OSCAL Policy Administration Library (OPAL) provides a simple web application from the US government's Office of Management and Budget for managing system security plans, using the OSCAL standard to inform its data models.
103 | 
104 | - [OSCAL Club's asdf-oscal-cli](https://github.com/oscal-club/asdf-oscal-cli): a plugin for the [`asdf` extensible version manager](https://github.com/asdf-vm/asdf) so OSCAL adopters can install and switch between multiple versions of NIST's [`oscal-cli`](https://github.com/usnistgov/oscal-cli) repeatedly and reliably.
105 | 
106 | - [OSCAL Club's oscal-cli-action](https://github.com/oscal-club/oscal-cli-action): a reusable action for developers to repeatedly and reliably use NIST's [`oscal-cli`](https://github.com/usnistgov/oscal-cli) for continuous integration or continuous deployment tasks on [the GitHub Actions service](https://docs.github.com/en/actions).
107 | 
108 | - [Project SledgeHammer](https://github.com/sunstonesecure-robert/sledgehammer): a project by Robert Ficcaglia and members of the Kubernetes Policy Working Group with an example of using OSCAL and SBOMs (SPDX at this time) as generated with Open Policy Agent (OPA) policies for Kubernetes clusters.
109 | 
110 | - [Ramper](https://ramper.io/). Ramper is a FedRAMP lifecycle automation web application emphasizing Continuous Monitoring. It is a single source of truth for all Plan of Action and Milestone. It is equipped with real-time analytics, and produces monthly FedRAMP POA&M Excel and [OSCAL POA&M](https://ramper.io/oscal) files for FedRAMP PMO or a CSP's approving agency.
111 | 
112 | - [RedHat's OpenControl Database](https://github.com/RedHatGov/ocdb): a web application that demonstrates RedHat technologies' conformance to different compliance standards (i.e. NIST 800-53 Revisiion 5) and configuration baselines (i.e. DISA STIG for RedHat Enterprise Linux 7), supporting the export of various artifacts in OSCAL format with GoComply's library.
113 | 
114 | - [RedHat's oscal-automation-libs](https://github.com/RedHatProductSecurity/oscal-automation-libs): a common repository to share code for Makefiles, helper scripts, and IaC to support repositories with OSCAL content.
115 | 
116 | - [RedHat's Trestle-Bot](https://github.com/RedHatProductSecurity/trestle-bot): a set of GitHub Actions for working with IBM's [Compliance Trestle](https://github.com/IBM/compliance-trestle)
117 |  in a CI/CD pipeline
118 | 
119 | - [RegScale](https://regscale.com/oscal): RegScale Community Edition is a free to use, real-time Governance, Risk and Compliance (GRC) platform that deploys in any environment, integrating with security and compliance tools via API to keep compliance documentation continuously up to date.  GRC staff can work in the UI, engineers can write to the API, and OSCAL v1.0 content is automatically generated on demand.
120 | 
121 | - [Risk Redux's Control Freak](https://github.com/risk-redux/control_freak): a delightful Ruby on Rails application using the NIST 800-53 control catalogs in OSCAL JSON format to make the controls easily searchable.
122 | 
123 | - [Roscal](https://github.com/gborough/roscal): a Rust based project aiming to build a collection of tools and libraries for OSCAL model building/manipulation/visualisation, conversion and normalisation between various existing security stardard formats and schemas, automation and integration for continuously documentation update and security posture monitoring in various environments, with long term goal of automatic security and control enforcement based on OSCAL models in Docs-as-Code style.
124 | 
125 | - [SHR Group's iac2oscal](https://gitlab.com/shrgroup/oss/compliance-as-code/iac2oscal): a collection of Infrastructure-as-Code examples (primarily Ansible and Terraform) and how to link them to OSCAL component models for more tightly integrated Infrastructure-as-Code and Documentation-as-Code.
126 | 
127 | - [SHR Group's oscal-cli container](https://github.com/SHRGroup/oscal-cli): a GitHub repo with supporting GitHub Actions workflow that checks for new releases of [the NIST OSCAL Team's Java-based `oscal-cli` tool](https://github.com/SHRGroup/oscal-cli) and bundles the released application into an OCI container for each new release based on tags.
128 | 
129 | - [SHR Group's pyOSCAL](https://gitlab.com/shrgroup/oss/python/pyoscal): Python library to convert OSCAL content into python objects, developed by the clever [@mruge](https://github.com/mruge).  [pyOSCAL-Builder](https://gitlab.com/shrgroup/oss/python/pyoscal-builder) automatically generates pyOSCAL dynamically from the lastes NIST OSCAL Metaschema.
130 | 
131 | - [SHR Group's OSCAL Diagram Exmaples](https://gitlab.com/shrgroup/oss/compliance-as-code/example-diagrams): a collection of documentation and diagrams for advanced OSCAL use cases, primarily showing how to interrelate data inside OSCAL component definitions.
132 | 
133 | - [Wendell Piez's OSCAL Profile Import Examiner](https://wendellpiez.github.io/XMLjellysandwich/oscal/import-examiner/): [XMLJellySandwich]((https://github.com/wendellpiez/XMLjellysandwich)): a web-based, in-browser XSLT transform system leveraging SaxonJS. [@wendellpiez](https://github.com/wendellpiez) has focused one demo on validating an OSCAL profile in XML form by validating upstream catalog references.
134 | 
135 | ## Articles and Blog Posts
136 | 
137 | - [Bill Weber's "The Future of SCAP Is the Missing Gap in OSCAL"](https://www.billweber.io/2022/05/13/the-future-of-scap-is-the-missing-gap-in-oscal/)
138 | 
139 | - [Bill Weber's "Tired of Following the Compliance Herd?"](https://www.billweber.io/2022/05/01/tired-of-following-the-compliance-herd/)
140 | 
141 | - [EasyDynamics "Innovating Security Compliance Through Open Standards"](https://blogs.easydynamics.com/2021/07/07/innovating-security-compliance-through-open-standards/)
142 | 
143 | - [EasyDynamics "DevSecComp(liance)Ops with OSCAL"](https://blogs.easydynamics.com/2022/03/18/devseccomplianceops-with-oscal/)
144 | 
145 | - [Eric Isbell's "Using a continuous ATO for better compliance and real-time data"](https://adhocteam.us/2022/08/16/using-continuous-ATO-better-compliance-real-time-data/)
146 | 
147 | - [Greg Elin's "An Orientation to OSCAL in the DevSecOps Pipeline"](https://medium.com/@gregelin/an-orientation-to-oscal-in-the-devsecops-pipeline-b51e45f8503b)
148 | 
149 | - [IBM's "Compliance Automated Standard Solution (COMPASS), Part 1: Personas and Roles"](https://dzone.com/articles/compass-compliance-part-1)
150 | 
151 | - [IBM's "Compliance Automated Standard Solution (COMPASS), Part 2: Trestle SDK"](https://dzone.com/articles/compliance-automated-standard-solution-compass-part-2-trestle-sdk)
152 | 
153 | - [IBM's "Compliance Automated Standard Solution (), Part 3: Artifacts and Personas"](https://dzone.com/articles/compliance-automated-standard-solution--part-3-artifacts-and-personas)
154 | 
155 | - [NIST's 2nd OSCAL Conference and Workshop](https://www.nist.gov/news-events/events/2021/02/2nd-open-security-controls-assessment-language-oscal-workshop)
156 | 
157 | - [NIST's 3rd OSCAL Conference and Workshop](https://www.nist.gov/news-events/events/2022/03/\-open-security-controls-assessment-language-oscal-workshop)
158 | 
159 | - [NIST's 4th OSCAL Conference and Workshop](https://www.nist.gov/news-events/events/2023/05/4th-open-security-controls-assessment-language-oscal-conference-and)
160 | 
161 | - [NIST's OSCAL 101 Education Series](https://csrc.nist.gov/Projects/open-security-controls-assessment-language/oscal-education-workshops)
162 | 
163 | - [NIST's OSCAL Mini Workshops](https://pages.nist.gov/OSCAL/learn/presentations/mini-workshop/)
164 | 
165 | - [Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to OSCAL"](http://isimluk.com/posts/2020/12/gocomply-with-oscal-fedramp-introduction-to-oscal/)
166 | 
167 | - [Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to oscalkit"](http://isimluk.com/posts/2020/12/gocomply-with-oscal-fedramp-introduction-to-oscalkit/)
168 | 
169 | - [Šimon Lukašík's "GoComply with OSCAL & FedRAMP :: Introduction to Metaschema"](http://isimluk.com/posts/2020/12/gocomply-with-oscal-fedramp-introduction-to-metaschema/)
170 | 
171 | ## Presentations and Talks
172 | 
173 | - [Andrew Martin and Control Plane's "Avoiding IAC Potholes with Policy + Cloud Controllers"](https://www.youtube.com/watch?v=cvoWlwftbEE&list=PLj6h78yzYM2NQ-Zi_k5qVmZyxSmLBzM6V&index=47) from Cloud Native Security Con North America 2023
174 | 
175 | - [Robert Ficcaglia's "12 Essential Requirements for Policy Enforcement and Governance with OSCAL"](https://www.youtube.com/watch?v=7pbIVjSluMs&list=PLj6h78yzYM2NQ-Zi_k5qVmZyxSmLBzM6V&index=52) from Cloud Native Security Con North America 2023
176 | 
177 | ## Other Resources
178 | 
179 | - [Brad Hards ISM OSCAL Catalog](https://github.com/bradh/ism-oscal): a community developer's collection of [the Australian Government's Information Security Manual security controls](https://www.cyber.gov.au/acsc/view-all-content/ism) in the form of an OSCAL catalog and profiles (including Essential 8).
180 | 
181 | - [oscal-diagrams](https://github.com/cyght-io/oscal-diagrams): Automatically generated diagrams for visualizing the OSCAL data models.
182 | 


--------------------------------------------------------------------------------