The National Institute of Standards and Technology (NIST) is preparing to release the latest patch for its Open Security Controls Assessment Language (OSCAL), version 1.4, along with a version two prototype of its mapping model within the broader OSCAL framework.

Michaela Iorga, director of the OSCAL Program at NIST, described the updates as a continuation of the language’s global adoption and its role in modernizing cybersecurity compliance.

Iorga did not share a release date for the forthcoming version 1.4 patch release or the mapping model prototype. NIST issued the last OSCAL patch release, version 1.3, in November 2024.

“Our design goals were ambitious: compress months of audit into minutes, remove bias and human errors, standardize regulatory workflow, and free experts from human-intensive activities so they can focus on actual threats,” she said today in her keynote during the NextGov/FCW Cloud Summit.

OSCAL, an open-source, machine-readable language developed with industry, replaces manual, paper-based compliance with automated, scalable assessments. Iorga said the language improves system security assessments by linking implemented controls to original requirements, enabling traceability and continuous monitoring.

“OSCAL enables a more efficient and rigorous approach to security by supporting both left shift and right shift activities across the system lifecycle,” Iorga said.

She explained that OSCAL allows organizations to reassess system components, evaluate deployment-specific characteristics, and analyze interactions across technology stacks, strengthening responses to risks and extending security assurance throughout a system’s operational life.
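The traceability described above (implemented controls linked back to the requirements they satisfy) is easy to see on a small OSCAL document. The following is an added example, not code from NIST or the OSCAL project: it loads a constructed OSCAL catalog and a constructed system security plan (SSP), both reduced to the few fields the check needs, and reports implemented requirements that point at controls the catalog does not define, catalog controls with no implementation at all, and control ids implemented more than once. The field names (`catalog`, `groups`, `controls`, `id`, `system-security-plan`, `control-implementation`, `implemented-requirements`, `control-id`) follow the published OSCAL JSON models; the UUIDs, titles and control statements are constructed sample data.

```python
"""Minimal OSCAL traceability check over a catalog and an SSP (added example)."""
import json

# Constructed sample catalog: two families, three controls, one control enhancement.
CATALOG_JSON = json.dumps({
    "catalog": {
        "uuid": "11111111-1111-4111-8111-111111111111",  # constructed
        "metadata": {"title": "Sample catalog", "version": "1.0",
                     "oscal-version": "1.1.2",
                     "last-modified": "2024-01-01T00:00:00Z"},
        "groups": [
            {"id": "ac", "title": "Access Control", "controls": [
                {"id": "ac-1", "title": "Policy and Procedures"},
                {"id": "ac-2", "title": "Account Management", "controls": [
                    {"id": "ac-2.1", "title": "Automated System Account Management"},
                ]},
            ]},
            {"id": "au", "title": "Audit and Accountability", "controls": [
                {"id": "au-2", "title": "Event Logging"},
            ]},
        ],
    }
})

# Constructed sample SSP: one valid link, one duplicated link, one dangling link.
SSP_JSON = json.dumps({
    "system-security-plan": {
        "uuid": "22222222-2222-4222-8222-222222222222",  # constructed
        "metadata": {"title": "Sample SSP", "version": "0.1",
                     "oscal-version": "1.1.2",
                     "last-modified": "2024-01-01T00:00:00Z"},
        "control-implementation": {
            "description": "Constructed implementation narrative.",
            "implemented-requirements": [
                {"uuid": "aaaaaaaa-0000-4000-8000-000000000001", "control-id": "ac-1"},
                {"uuid": "aaaaaaaa-0000-4000-8000-000000000002", "control-id": "ac-2"},
                {"uuid": "aaaaaaaa-0000-4000-8000-000000000003", "control-id": "ac-2"},
                {"uuid": "aaaaaaaa-0000-4000-8000-000000000004", "control-id": "ac-99"},
            ],
        },
    }
})


def catalog_control_ids(catalog_doc):
    """Collect every control id in a catalog. OSCAL groups may nest other
    groups, and controls may nest enhancements, so both are walked recursively."""
    ids = set()

    def walk_controls(controls):
        for control in controls:
            ids.add(control["id"])
            walk_controls(control.get("controls", []))

    def walk_groups(groups):
        for group in groups:
            walk_controls(group.get("controls", []))
            walk_groups(group.get("groups", []))

    catalog = catalog_doc["catalog"]
    walk_groups(catalog.get("groups", []))
    walk_controls(catalog.get("controls", []))  # top-level controls outside any group
    return ids


def ssp_control_ids(ssp_doc):
    """Return the control ids the SSP claims to implement, in document order."""
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    return [req["control-id"] for req in impl.get("implemented-requirements", [])]


def trace(catalog_json, ssp_json):
    """Cross-check SSP implementations against the catalog they should trace to."""
    catalog_ids = catalog_control_ids(json.loads(catalog_json))
    implemented = ssp_control_ids(json.loads(ssp_json))
    return {
        # SSP claims a control the catalog never defined (typo or wrong baseline)
        "dangling": sorted(set(implemented) - catalog_ids),
        # catalog controls with no implementation statement at all
        "unimplemented": sorted(catalog_ids - set(implemented)),
        # same control implemented twice: ambiguous evidence for an assessor
        "duplicates": sorted({c for c in implemented if implemented.count(c) > 1}),
    }


if __name__ == "__main__":
    print(json.dumps(trace(CATALOG_JSON, SSP_JSON), indent=2))
```

For the constructed input the report flags `ac-99` as dangling, `ac-2.1` and `au-2` as unimplemented, and `ac-2` as a duplicate. In a real pipeline the catalog would be the published one the SSP's profile imports, and the "unimplemented" set would be computed against the profile's selected controls rather than the whole catalog.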

Iorga also highlighted emerging technology integration, including digital twins and AI.

“An OSCAL-based system security plan serves as a system’s DNA, enabling creation of a precise digital twin that mirrors the system’s architecture and security posture,” she said.

Digital twins allow real-time testing of updates and continuous compliance checks, while AI paired with OSCAL can accelerate control evaluation, identify anomalies, and automate aspects of continuous monitoring that would otherwise demand intensive manual effort, she explained.

Iorga also emphasized that AI must be assessed with the same rigor as any critical system.

“Ensuring security, safety, and trustworthiness – including transparency, robustness, and protection against misuse – is essential to realizing its full potential in delivering automated, reliable cybersecurity assurance,” Iorga said.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.