
Feb 26 2026
Security

The NIST OSCAL Framework for State and Local Governments

Replace static security documents with machine-readable data to automate audits, reduce risk and modernize compliance.

State and local government IT teams are under constant pressure to prove that their systems are secure. Auditors want evidence. Legislators want transparency. Agency leaders want to reduce risk without expanding already-strained budgets. Yet many governments still rely on spreadsheets, Microsoft Word and PDFs to document security controls — tools that weren’t designed for today’s fast-changing, cloud-heavy environments.

The Open Security Controls Assessment Language offers a way forward. Developed by the National Institute of Standards and Technology (NIST), OSCAL provides a standardized, machine-readable approach to security documentation. Instead of static files that grow outdated the moment they’re saved, OSCAL turns compliance artifacts into structured data that can be reused, validated and automated.

For state and local governments, that shift can reduce manual work, speed audits and deliver clearer insight into cybersecurity risk — all without introducing new regulatory requirements.


What Is Open Security Controls Assessment Language (OSCAL)?

OSCAL is not a new security framework or set of controls. Rather, it is a common language for describing security controls, implementations and assessment results in a machine-readable format. OSCAL uses structured data formats such as JSON, XML and YAML so that software tools — not just human reviewers — can process compliance information.

At its core, OSCAL replaces narrative-heavy documentation with data models that describe what controls exist, how they are implemented and how well they perform. This allows agencies to reuse the same control information across systems and assessments, rather than recreating documentation every time.

According to Michael Epley, chief architect and security strategist for public sector at Red Hat, OSCAL was developed to address a long-standing documentation challenge.

“OSCAL was created to solve the static documentation crisis,” Epley says. “For decades, security teams have lived in Word and Excel, creating massive PDFs that are outdated the moment they are saved.”

The Problem With Traditional Security Control Documentation

For many state and local governments, security compliance still revolves around large system security plans, spreadsheets and attachments that must be updated manually. These documents are often copied from system to system, revised by hand and stored in disconnected locations.

That approach introduces several problems. Manual documentation takes time and invites errors. Updates must be repeated across multiple files. And because the information isn’t machine-readable, it can’t be easily validated or analyzed by tools.

Epley notes that these challenges hit state and local governments particularly hard.

“State and local governments should care because they still have to prove compliance to federal requirements, including NIST, HIPAA, CJIS (Criminal Justice Information Services) and more,” he says. “OSCAL provides a ‘map once, comply many’ approach through standardized control representation across frameworks.”

Epley also points out that OSCAL can help smaller agencies avoid starting from scratch.

“It helps smaller agencies more easily ingest security profiles from larger agencies and partners without having to completely wipe their slates clean,” Epley says. “It also gives agencies an avenue to require machine-readable security data from their vendors.”


How OSCAL Works: Machine-Readable Formats and Layered Architecture

OSCAL organizes security information into structured models that represent different parts of the compliance lifecycle. These models include control catalogs, system implementations and assessment results, all expressed in machine-readable formats.

Instead of writing long narratives describing how controls are implemented, agencies model the information as data. That data can then be validated automatically, reused across systems and integrated with compliance tools.

This fundamentally changes how security teams work from day to day.

“OSCAL changes the daily grind from formatting narratives to managing data,” Epley says. “It shifts teams from document formatting and manual processes to managing machine-readable data.”

Rather than relying on periodic, point-in-time audits, agencies can use OSCAL data to validate their controls continuously.

“This replaces bulky, static Word documents with dynamic JSON, XML or YAML files,” Epley explains, “enabling a move from infrequent snapshot-in-time audits to continuous monitoring and automated validation.”

Epley offers a practical example: Instead of searching through a 500-page document, a security engineer can rely on an OSCAL-driven dashboard.

“If a new validation error occurs, the dashboard flags it and a fix can be pushed via code,” he says. “Once all the system checks turn green, the work is done and an audit trail is maintained in real time.”
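The kind of check an OSCAL-driven dashboard runs can be shown with a small script. The example below is added here and is not code from the article, NIST or Red Hat: it cross-checks a system security plan against its control catalog and reports the findings a dashboard would flag. Both documents are constructed, simplified samples; their field names follow OSCAL's JSON catalog and system-security-plan models, but required metadata is omitted and the UUIDs are placeholders.

```python
"""Cross-check an OSCAL-style system security plan against its control catalog.

Added example, not tooling from the article. The two documents below are
constructed, simplified samples: field names follow OSCAL's JSON catalog and
system-security-plan models, but most required metadata is omitted.
"""
import json

# Constructed catalog: two groups, three controls plus one nested enhancement.
CATALOG_JSON = """
{"catalog": {
  "uuid": "00000000-0000-4000-8000-000000000001",
  "metadata": {"title": "Sample control catalog", "version": "1.0"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-2", "title": "Account Management"},
      {"id": "ac-6", "title": "Least Privilege", "controls": [
        {"id": "ac-6.1", "title": "Authorize Access to Security Functions"}]}
    ]},
    {"id": "au", "title": "Audit and Accountability", "controls": [
      {"id": "au-2", "title": "Event Logging"}
    ]}
  ]}}
"""

# Constructed SSP: one control implemented twice, one unknown control id,
# and three catalog controls with no implementation at all.
SSP_JSON = """
{"system-security-plan": {
  "uuid": "00000000-0000-4000-8000-000000000002",
  "metadata": {"title": "Permit portal SSP", "version": "3"},
  "control-implementation": {
    "description": "Controls for the online permit portal.",
    "implemented-requirements": [
      {"uuid": "00000000-0000-4000-8000-0000000000a1", "control-id": "ac-2",
       "description": "Accounts are provisioned through the central IdP."},
      {"uuid": "00000000-0000-4000-8000-0000000000a2", "control-id": "ac-2",
       "description": "Duplicate entry left over from a copy-paste edit."},
      {"uuid": "00000000-0000-4000-8000-0000000000a3", "control-id": "ac-99",
       "description": "Cites a control id that is not in the catalog."}
    ]}}}
"""


def catalog_control_ids(catalog: dict) -> list[str]:
    """Return every control id in a catalog, walking nested groups and controls."""
    ids: list[str] = []

    def walk_controls(controls):
        for ctl in controls:
            ids.append(ctl["id"])
            walk_controls(ctl.get("controls", []))  # enhancements nest here

    def walk_groups(groups):
        for grp in groups:
            walk_controls(grp.get("controls", []))
            walk_groups(grp.get("groups", []))

    walk_groups(catalog.get("groups", []))
    walk_controls(catalog.get("controls", []))  # top-level controls, if any
    return ids


def check_ssp(catalog_doc: dict, ssp_doc: dict) -> dict:
    """Compare an SSP's implemented requirements against the catalog.

    Returns the three findings a dashboard would flag: catalog controls with
    no implementation, implementations citing unknown control ids, and
    control ids implemented more than once.
    """
    known = catalog_control_ids(catalog_doc["catalog"])
    reqs = (ssp_doc["system-security-plan"]["control-implementation"]
            ["implemented-requirements"])
    cited = [r["control-id"] for r in reqs]
    seen: set[str] = set()
    duplicates: list[str] = []
    for cid in cited:
        if cid in seen and cid not in duplicates:
            duplicates.append(cid)
        seen.add(cid)
    return {
        "missing": [cid for cid in known if cid not in seen],
        "unknown": sorted(set(cited) - set(known)),
        "duplicate": duplicates,
    }


def ssp_is_green(findings: dict) -> bool:
    """The 'all checks green' condition from the dashboard analogy."""
    return not any(findings.values())


def sample_findings() -> dict:
    """Run the check over the constructed sample documents."""
    return check_ssp(json.loads(CATALOG_JSON), json.loads(SSP_JSON))


if __name__ == "__main__":
    result = sample_findings()
    for kind, ids in result.items():
        print(f"{kind:>9}: {ids}")
    print("status:", "green" if ssp_is_green(result) else "red")
```

Against real OSCAL content the same walk works because catalogs and profiles can nest groups and control enhancements arbitrarily; the findings are the data a pipeline would turn into a failing check, with the fix pushed as an edit to the SSP's JSON rather than to a Word document.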


Benefits of OSCAL for State and Local Government Operations

Here are some benefits of OSCAL for state and local government IT teams.

Faster audit readiness and authorizations: One of the most immediate benefits agencies see from OSCAL is improved audit readiness. Automation reduces the time required to prepare documentation and respond to findings. “Agencies typically see the quickest wins in audit readiness and authorization speed,” Epley says. “Audit timelines are reduced — sometimes from months to minutes — thanks to automation driven by OSCAL-enabled tooling.”

Easier updates and reuse: With OSCAL, updates to security controls can be applied once and reused everywhere. “Manual system security plans can be converted into digital packages with a machine-readable OSCAL format,” Epley says. “Updates to the plan can be pushed digitally in a one-to-many approach, saving time, energy and sanity.”

Clearer risk visibility: Because OSCAL data is structured, tools can track vulnerabilities, fixes and compliance status automatically. “OSCAL-compatible tools automatically track vulnerability and error fixes, leaving a trail that can be easily followed by auditors, without the risk of being lost in a spreadsheet,” Epley says.


Getting Started With OSCAL: A Practical Roadmap

Adopting OSCAL does not require a massive upfront investment. The most important change is philosophical, Epley says.

“The journey to modern security automation does not require an insurmountable budget,” he says. “The fundamental shift is to stop creating static documents and start modeling dynamic security data.”

Agencies can begin by leveraging free tools already available. NIST offers oscal-cli, a command-line tool that helps validate OSCAL data, convert legacy documentation and ensure schema compliance.

“By using tools like oscal-cli or oscal-compass, security data becomes standardized and structured,” Epley says, “rather than a mix of proprietary vendor output and static documentation.”

From there, agencies can expand into OSCAL-compatible governance, risk and compliance platforms and begin building reusable component definitions.

“It is neither practical nor necessary to convert every piece of documentation at once,” Epley says. “The most impactful starting point is to model the foundational technology building blocks of the organization.”
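The "foundational building blocks" Epley describes map to OSCAL component definitions, and the "one-to-many" updates mentioned above follow from reusing them. The script below is an added example, not code from the article, NIST or Red Hat: it assembles two systems' security plans from the same shared components, then changes one component statement once and regenerates both plans. The component definition is constructed and simplified; field names follow OSCAL's JSON component-definition and system-security-plan models, but required metadata is omitted and the UUIDs are placeholders.

```python
"""Build SSP control implementations from reusable OSCAL-style component definitions.

Added example, not tooling from the article. The component definition below is
constructed and simplified: field names follow OSCAL's JSON component-definition
and system-security-plan models, but required metadata is omitted.
"""
import uuid
from copy import deepcopy

IDP_UUID = "00000000-0000-4000-8000-00000000c001"  # placeholder ids
LOG_UUID = "00000000-0000-4000-8000-00000000c002"

# Constructed component definition: two shared building blocks.
COMPONENT_DEFINITION = {"component-definition": {
    "uuid": "00000000-0000-4000-8000-00000000c000",
    "metadata": {"title": "Shared platform components", "version": "1"},
    "components": [
        {"uuid": IDP_UUID, "type": "service", "title": "Central identity provider",
         "control-implementations": [{
             "uuid": "00000000-0000-4000-8000-00000000c101",
             "source": "catalog.json",
             "implemented-requirements": [
                 {"uuid": "00000000-0000-4000-8000-00000000c111", "control-id": "ac-2",
                  "description": "Accounts are created and disabled from the HR feed."},
                 {"uuid": "00000000-0000-4000-8000-00000000c112", "control-id": "ia-2",
                  "description": "MFA is enforced for all interactive logins."}]}]},
        {"uuid": LOG_UUID, "type": "service", "title": "Central log platform",
         "control-implementations": [{
             "uuid": "00000000-0000-4000-8000-00000000c201",
             "source": "catalog.json",
             "implemented-requirements": [
                 {"uuid": "00000000-0000-4000-8000-00000000c211", "control-id": "au-2",
                  "description": "Event logs are forwarded to the SIEM."}]}]}]}}


def build_ssp(cdef: dict, system_title: str, component_uuids: list[str]) -> dict:
    """Assemble an SSP whose implemented requirements are inherited from components.

    Each control id gets one implemented-requirement; its by-components list
    records which component satisfies it and with what statement.
    """
    comps = {c["uuid"]: c for c in cdef["component-definition"]["components"]}
    reqs: dict[str, dict] = {}  # control-id -> implemented-requirement
    for cuuid in component_uuids:
        for impl in comps[cuuid]["control-implementations"]:
            for req in impl["implemented-requirements"]:
                entry = reqs.setdefault(req["control-id"], {
                    "uuid": str(uuid.uuid4()),
                    "control-id": req["control-id"],
                    "by-components": []})
                entry["by-components"].append({
                    "component-uuid": cuuid,
                    "uuid": str(uuid.uuid4()),
                    "description": req["description"]})
    return {"system-security-plan": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": system_title, "version": "1"},
        "system-implementation": {"components": [
            {"uuid": u, "type": comps[u]["type"], "title": comps[u]["title"]}
            for u in component_uuids]},
        "control-implementation": {
            "description": f"Inherited from {len(component_uuids)} shared components.",
            "implemented-requirements": list(reqs.values())}}}


def implemented_control_ids(ssp: dict) -> list[str]:
    """Sorted control ids an SSP claims to implement."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    return sorted(r["control-id"] for r in reqs)


def descriptions_for(ssp: dict, control_id: str) -> list[str]:
    """Every component statement an SSP carries for one control id."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    return [bc["description"] for r in reqs if r["control-id"] == control_id
            for bc in r["by-components"]]


def update_component_requirement(cdef: dict, component_uuid: str,
                                 control_id: str, new_description: str) -> dict:
    """Return a copy of the definition with one component statement changed."""
    updated = deepcopy(cdef)
    for comp in updated["component-definition"]["components"]:
        if comp["uuid"] != component_uuid:
            continue
        for impl in comp["control-implementations"]:
            for req in impl["implemented-requirements"]:
                if req["control-id"] == control_id:
                    req["description"] = new_description
    return updated


if __name__ == "__main__":
    portal = build_ssp(COMPONENT_DEFINITION, "Permit portal", [IDP_UUID, LOG_UUID])
    kiosk = build_ssp(COMPONENT_DEFINITION, "DMV kiosk", [IDP_UUID])
    print("portal:", implemented_control_ids(portal))
    print("kiosk: ", implemented_control_ids(kiosk))
    # Edit the shared component once; both plans pick up the change on rebuild.
    new_def = update_component_requirement(
        COMPONENT_DEFINITION, IDP_UUID, "ia-2", "Phishing-resistant MFA is enforced.")
    for title in ("Permit portal", "DMV kiosk"):
        print(title, descriptions_for(build_ssp(new_def, title, [IDP_UUID]), "ia-2"))
```

The generated plans would still need the metadata, system characteristics and responsible parties the real schema requires before a validator such as oscal-cli accepts them; the point is that the control statements live in one place and each system's plan is derived from it.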

Preparing for Emerging Priorities, Including AI

As agencies explore artificial intelligence and advanced analytics, structured security data becomes even more important.

“AI thrives on structured data, but it struggles with 500-page PDFs,” Epley says. “OSCAL provides the machine-readable backbone that allows AI agents to assist in security.”

He emphasizes that OSCAL helps document AI-specific risks and controls in a consistent way, but it is not a silver bullet.

“OSCAL isn’t magic, out-of-the-box automation,” Epley says. “It’s a standardized language. You still need tools that understand it to gain the full benefits.”

For state and local governments, OSCAL offers a practical path away from static documentation and toward continuous, data-driven security assurance. By reducing manual work, improving reuse and enabling automation, the framework helps agencies strengthen cybersecurity while making better use of limited resources.

As compliance expectations continue to grow, OSCAL gives public sector IT leaders a way to show progress clearly — not through thicker binders, but through actionable, machine-readable insight into risk.
