Community Engagement on the Open Security Controls Assessment Language (OSCAL), 60356 [2024-16381]


[Federal Register Volume 89, Number 143 (Thursday, July 25, 2024)]
[Notices]
[Page 60356]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-16381]

[[Page 60356]]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology


Community Engagement on the Open Security Controls Assessment 
Language (OSCAL)

AGENCY: National Institute of Standards and Technology, Department of 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) is 
seeking to identify stakeholders involved in ongoing or planned 
activities, including but not limited to standardization, education, 
and adoption, related to the Open Security Controls Assessment Language 
(OSCAL).

DATES: NIST will accept written questions for clarification, comments, 
and/or pertinent feedback until 11:59 p.m. Eastern Time on August 8, 
2024.

ADDRESSES: Community members involved in ongoing or planned OSCAL-
related efforts can submit written questions for clarification, 
comments, and/or pertinent feedback via email to: oscal@nist.gov or by 
mail to the contact identified below. Submissions via email should 
include ``OSCAL Engagement'' in the subject line of the message.

FOR FURTHER INFORMATION CONTACT: Michaela Iorga via email to 
oscal@nist.gov or by phone at 301-975-8431, or by mail to National 
Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, 
Maryland 20899, Attn: Michaela Iorga, ITL/CSD.

SUPPLEMENTARY INFORMATION: 
    Background: The Federal Information Security Modernization Act 
(FISMA) of 2014 (Pub. L. 113-283, 44 U.S.C. 3554) emphasized the 
importance of information security to the economic and national 
security interests of the United States. FISMA requires agency heads to 
report on the adequacy and effectiveness of their enterprise's 
information security policies, procedures, and practices. For two 
decades, agencies worked diligently to implement the Office of 
Management and Budget (OMB) Circular A-130: ``Managing Information as a 
Strategic Resource,'' employing Authorization to Operate (ATO) 
processes reliant on paper-based documentation, manual assessment 
processes, and non-interoperable proprietary automation processes and 
tools that do not support security data portability.
    NIST initiated the development of the Open Security Controls 
Assessment Language (OSCAL) to support automated (or computer-assisted) 
assessment and risk management through operationally sustainable means 
and to fill federal, national, and international gaps in security 
assessment automation by providing a set of data-centric, regulatory-
agnostic, technical specifications capable of expressing security 
information in machine-readable formats (XML, JSON or YAML), in support 
of risk management automation.
    The NIST OSCAL program has been working with the public to develop 
a standardized, open-source, actionable data framework referred to as 
OSCAL, OSCAL models, or OSCAL framework, and a service interface and 
proof-of-concept tools for representing and exchanging high-fidelity 
controls-based IT system risk management data between applications 
hosted by multiple organizations. This OSCAL framework, the service 
interface, and tools provide the foundation for a high degree of 
automation around assessing the underlying system implementation state 
and the extent to which this state ensures that security and privacy 
controls are implemented and remain effective.
    The immediate acceptance and successful international adoption of 
the OSCAL framework calls for a long-term NIST vision of OSCAL 
evolution and incremental maturity into open-source standards developed 
by industry-accepted standards development organizations. OSCAL will 
also promote innovation around applying machine learning, robotic 
process automation, and new knowledge domains to the IT system risk 
management space.
    Community Engagement Areas: NIST seeks to identify community 
members involved in ongoing or planned activities, including but not 
limited to standardization, education, and adoption, related to OSCAL. 
Individual and organizational community members with ongoing or planned 
activities in these areas may respond to this notice to describe these 
activities and inform NIST's planning and coordination efforts across 
the OSCAL program.
    Exemplary activities could include, but are not limited to, the 
following:
    • Assessing OSCAL maturity level readiness for international 
standardization. This category could include development of open-source 
OSCAL content for the community's consumption based on the latest 
released set of OSCAL models (7), and development of tests or OSCAL 
content exercising the latest prototype OSCAL models.
    • Developing enhancements or new OSCAL models as deemed 
necessary by the community.
    • Developing OSCAL educational material (tutorials, videos) 
for all OSCAL-adoption levels, from novice to advanced.
    • Organizing OSCAL events such as conferences, webinars, and 
workshops for security experts, assessors, auditors, and developers 
implementing OSCAL-based solutions.
    • Establishing OSCAL incubators (labs) that will develop 
proof-of-concept implementations (pilots), tools, and adoption best 
practices guidance.
    • Implementing OSCAL solutions for internal purposes.
    • Implementing OSCAL Governance, Risk, and Compliance (GRC) 
tools.
    Authority: 15 U.S.C. 272(b)(10).

Alicia Chambers,
NIST Executive Secretariat.
[FR Doc. 2024-16381 Filed 7-24-24; 8:45 am]
BILLING CODE 3510-13-P