Introducing the CIS Controls OSCAL Repository

You have asked, and we have answered! We have created a more machine-friendly version of the CIS Controls v8 document by using the Open Security Controls Assessment Language (OSCAL) Framework, and we have posted it in our new GitHub repository: the Center for Internet Security (CIS) Critical Security Controls (CIS Controls) OSCAL Repository. The repository contains OSCAL serializations of the CIS Controls; it will include a variety of OSCAL Catalogs for the main CIS Controls v8 document, CIS Controls Assessment Specification, and mapping documents.

A Shift in Approach

OSCAL was developed by NIST as a standardized, data-centric framework that can be applied to an information system for documenting and assessing its security controls. Today, security controls and control baselines are represented in proprietary formats, requiring data conversion and manual effort to describe their implementation.

An important goal of OSCAL is to move the security controls and control baselines from a text-based and manual approach (using word processors or spreadsheets) to a set of standardized and machine-readable formats such as XML, JSON, and YAML. With systems security information represented in OSCAL, security professionals can begin moving toward potential automation of their security assessment, auditing, and continuous monitoring processes.

A Work in Progress

Many of the CIS Controls resources are developed with the help of our global volunteer army of experts. As such, CIS invites you to join and help develop our OSCAL effort. We value your input on this important work in progress.

If you have any questions or concerns, please open an issue on GitHub by clicking the "Issues" tab, clicking the "New Issue" button, and completing the necessary sections with a full description of your question or idea.