Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-oscal

A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards.
https://github.com/oscal-club/awesome-oscal

Last synced: 2 days ago
JSON representation

Content
- Center for Internet Security's
- CivicAction's oscal-component-definitions
- CMS Acceptable Risk Safeguards - 53 controls used by the Centers for Medicare and Medicaid Services in OSCAL format. Perhaps the first OSCAL content released by a US government agency other than NIST, separate of collaboration with FedRAMP.
- RedHat's OSCAL component definitions
- RedHat's OSCAL profiles
- Australian Cyber Security Centre's Information Security Manual in OSCAL - based security catalogs and profiles for the Australian Cyber Security Centre's Information Security Manual controls.
- Cloud Security Alliance's Cloud Controls Matrix v4 Controls and Mappings
- CyberESI's CPRT OSCAL Catalog Library
- Fathom5 SP 800-171 Catalog - maintained version(s) of the NIST SP 800-171 catalog created by Fathom5.
- GovTech Singapore's ICT&SS Policy - risk systems for 'Instruction Manual 8 Reform'.
- Center for Internet Security's
- Fathom5 SP 800-171 Catalog - maintained version(s) of the NIST SP 800-171 catalog created by Fathom5.
Tools
- Alex Koderman's oscal4neo4j - project/sckg).
- Brian Ruf's OSCAL-GUI - ruf](https://github.com/brian-ruf) of former FedRAMP fame. It has core presentation logic, file import, format conversion, and working profile resolution.
- CivicActions's compliance-io
- CivicAtions's ssp-toolkit - 53 Revision 4 in OpenControl format. It can now export SSPs to OSCAL.
- Control Plane's collie
- Credentive security's oscal-pydantic - pydantic/). Just "pip install oscal-pydantic".
- Defense Unicorn's bigbang-oscal-component-generator - one/big-bang/bigbang).
- Defense Unicorn's Lula - definition files to configure and drive execution of automated control validation for Kubernetes utilizing the [Kyverno](https://kyverno.io/) policy management system.
- Defense Unicorn's go-oscal
- EasyDynamics OSCAL REST API Draft Standard - friendly tools and services.
- EasyDynamics OSCAL REST API Service - based implementation of some the OSCAL REST API listed above. It persists data as files in local directories.
- EasyDynamics OSCAL Editor Deployment - based frontend (mentioned above), packaged as a simple Docker deployment of both open-source projects. It allows both viewing, and for some OSCAL document types and scenarios, editing file content and saving it to a properly configured Docker volume.
- GSA's oscal-js - cli & helper typescript types and functions for leveraging oscal, available via `npm install oscal`
- GoComply's FedRAMP Utility
- GoComply's oscalkit - based software development kit and command-line utility for operating on OSCAL data models.
- GovReady's GovReady-Q - based self-service GRC tool to automate security assessments and compliance from [@gregelin](https://github.com/gregelin) and the GovReady crew. It focuses on import and export of OSCAL data models.
- Hidayatullah Ahsan's ValidateOscalDocuments
- IBM Compliance Trestle - line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
- IBM's Compliance to Policy Tool
- John Jediny's OSCAL Static Site Playground
- Metanorma's coradoc-oscal
- Metanorma's oscal-ruby
- mocolicious OSCAL-Examples - end web applications leveraging OSCAL, mainly to show off different development workflows and environments. Current development status or community use is unclear.
- OMB'S OPAL
- OSCAL Club's asdf-oscal-cli - vm/asdf) so OSCAL adopters can install and switch between multiple versions of NIST's [`oscal-cli`](https://github.com/usnistgov/oscal-cli) repeatedly and reliably.
- OSCAL Club's oscal-cli-action - cli`](https://github.com/usnistgov/oscal-cli) for continuous integration or continuous deployment tasks on [the GitHub Actions service](https://docs.github.com/en/actions).
- Project SledgeHammer
- RedHat's OpenControl Database - 53 Revisiion 5) and configuration baselines (i.e. DISA STIG for RedHat Enterprise Linux 7), supporting the export of various artifacts in OSCAL format with GoComply's library.
- RedHat's oscal-automation-libs
- RedHat's Trestle-Bot - trestle)
- Risk Redux's Control Freak - 53 control catalogs in OSCAL JSON format to make the controls easily searchable.
- Roscal - as-Code style.
- SHR Group's iac2oscal - as-Code examples (primarily Ansible and Terraform) and how to link them to OSCAL component models for more tightly integrated Infrastructure-as-Code and Documentation-as-Code.
- SHR Group's oscal-cli container - based `oscal-cli` tool](https://github.com/SHRGroup/oscal-cli) and bundles the released application into an OCI container for each new release based on tags.
- SHR Group's pyOSCAL - Builder](https://gitlab.com/shrgroup/oss/python/pyoscal-builder) automatically generates pyOSCAL dynamically from the lastes NIST OSCAL Metaschema.
- SHR Group's OSCAL Diagram Exmaples
- DRTConfidence
- EasyDynamics OSCAL React Library - friendly API and a clean (but customizable) React-based UI.
- GSA's OSCAL Tools - source tools provided by GSA teams to interoperate between OSCAL data (with required FedRAMP Extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.
- MITRE's InSpec OSCAL Plugin - source contributors to prototype the use of InSpec profiles with variables and configuration data embedded, in OSCAL components, SSPs, and other document instances.
- Nikita Wootten's Nix package for oscal-cli - cli utility](https://github.com/usnistgov/oscal-cli).
- Nikita Wootten's Nix package for oscal-deep-diff - deep-diff](https://github.com/usnistgov/oscal-deep-diff/) utility.
- NREL Cyber's oscal
- NREL Cyber's oscal-atoms - cache (see below).
- NREL Cyber's oscal-cache
- Ramper - time analytics, and produces monthly FedRAMP POA&M Excel and [OSCAL POA&M](https://ramper.io/oscal) files for FedRAMP PMO or a CSP's approving agency.
- RegScale - time Governance, Risk and Compliance (GRC) platform that deploys in any environment, integrating with security and compliance tools via API to keep compliance documentation continuously up to date. GRC staff can work in the UI, engineers can write to the API, and OSCAL v1.0 content is automatically generated on demand.
- Wendell Piez's OSCAL Profile Import Examiner - based, in-browser XSLT transform system leveraging SaxonJS. [@wendellpiez](https://github.com/wendellpiez) has focused one demo on validating an OSCAL profile in XML form by validating upstream catalog references.
- EasyDynamics oscal.io
- GSA's OSCAL Tools - source tools provided by GSA teams to interoperate between OSCAL data (with required FedRAMP Extensions) and Word (DOCX) formats for SSPs, SARs, and SAPs.
- IBM Compliance Trestle - line tooling platform for managing compliance as code, using continuous integration and NIST's OSCAL standard.
- IBM's Compliance to Policy Tool
- Metanorma's oscal-ruby
Other Resources
- Brad Hards ISM OSCAL Catalog - all-content/ism) in the form of an OSCAL catalog and profiles (including Essential 8).
- oscal-diagrams
Articles and Blog Posts
Presentations and Talks
- Andrew Martin and Control Plane's "Avoiding IAC Potholes with Policy + Cloud Controllers"
- Robert Ficcaglia's "12 Essential Requirements for Policy Enforcement and Governance with OSCAL"

Programming Languages

Python 7 Shell 6 Go 5 Ruby 3 TypeScript 2 JavaScript 2 Java 2 Dockerfile 1 Rust 1 Dart 1

Ecosyste.ms: Awesome

awesome-oscal

Content

Tools

Other Resources

Articles and Blog Posts

Presentations and Talks