[Federal Register Volume 89, Number 143 (Thursday, July 25, 2024)]
[Notices]
[Page 60356]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-16381]
[[Page 60356]]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Community Engagement on the Open Security Controls Assessment
Language (OSCAL)
AGENCY: National Institute of Standards and Technology, Department of
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST) is
seeking to identify stakeholders involved in ongoing or planned
activities, including but not limited to standardization, education,
and adoption, related to the Open Security Controls Assessment Language
(OSCAL).
DATES: NIST will accept written questions for clarification, comments,
and/or pertinent feedback until 11:59 p.m. Eastern Time on August 8,
2024.
ADDRESSES: Community members involved in ongoing or planned OSCAL-
related efforts can submit written questions for clarification,
comments, and/or pertinent feedback via email to: oscal@nist.gov or by
mail to the contact identified below. Submissions via email should
include "OSCAL Engagement" in the subject line of the message.
FOR FURTHER INFORMATION CONTACT: Michaela Iorga via email to
oscal@nist.gov or by phone at 301-975-8431, or by mail to National
Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg,
Maryland 20899, Attn: Michaela Iorga, ITL/CSD.
SUPPLEMENTARY INFORMATION:
Background: The Federal Information Security Modernization Act
(FISMA) of 2014 (Pub. L. 113-283, 44 U.S.C. 3554) emphasized the
importance of information security to the economic and national
security interests of the United States. FISMA requires agency heads to
report on the adequacy and effectiveness of their enterprise's
information security policies, procedures, and practices. For two
decades, agencies worked diligently to implement the Office of
Management and Budget (OMB) Circular A-130: "Managing Information as a
Strategic Resource," employing Authorization to Operate (ATO)
processes reliant on paper-based documentation, manual assessment
processes, and non-interoperable proprietary automation processes and
tools that do not support security data portability.
NIST initiated the development of the Open Security Controls
Assessment Language (OSCAL) to support automated (or computer-assisted)
assessment and risk management through operationally sustainable means
and to fill federal, national, and international gaps in security
assessment automation by providing a set of data-centric, regulatory-
agnostic, technical specifications capable of expressing security
information in machine-readable formats (XML, JSON or YAML), in support
of risk management automation.
The NIST OSCAL program has been working with the public to develop
a standardized, open-source, actionable data framework referred to as
OSCAL, OSCAL models, or OSCAL framework, and a service interface and
proof-of-concept tools for representing and exchanging high-fidelity
controls-based IT system risk management data between applications
hosted by multiple organizations. This OSCAL framework, the service
interface, and tools provide the foundation for a high degree of
automation around assessing the underlying system implementation state
and the extent to which this state ensures that security and privacy
controls are implemented and remain effective.
The immediate acceptance and successful international adoption of
the OSCAL framework calls for a long-term NIST vision of OSCAL
evolution and incremental maturity into open-source standards developed
by industry-accepted standards development organizations. OSCAL will
also promote innovation around applying machine learning, robotic
process automation, and new knowledge domains to the IT system risk
management space.
Community Engagement Areas: NIST seeks to identify community
members involved in ongoing or planned activities, including but not
limited to standardization, education, and adoption, related to OSCAL.
Individual and organizational community members with ongoing or planned
activities in these areas may respond to this notice to describe these
activities and inform NIST's planning and coordination efforts across
the OSCAL program.
Exemplary activities could include, but are not limited to, the
following:
• Assessing OSCAL maturity level readiness for international
standardization. This category could include development of open-source
OSCAL content for the community's consumption based on the latest
released set of OSCAL models (7), and development of tests or OSCAL
content exercising the latest prototype OSCAL models.
• Developing enhancements or new OSCAL models as deemed necessary by
the community.
• Developing OSCAL educational material (tutorials, videos) for all
OSCAL-adoption levels, from novice to advanced.
• Organizing OSCAL events such as conferences, webinars, and workshops
for security experts, assessors, auditors, and developers implementing
OSCAL-based solutions.
• Establishing OSCAL incubators (labs) that will develop proof-of-concept
implementations (pilots), tools, and adoption best-practices guidance.
• Implementing OSCAL solutions for internal purposes.
• Implementing OSCAL Governance, Risk, and Compliance (GRC) tools.
Authority: 15 U.S.C. 272(b)(10).
Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2024-16381 Filed 7-24-24; 8:45 am]
BILLING CODE 3510-13-P