The Australian Signals Directorate (ASD) provides the Information Security Manual (ISM) in the Open Security Controls Assessment Language (OSCAL), a standardised machine-readable format developed by the United States’ National Institute of Standards and Technology (NIST). ISM OSCAL allows the ISM to be consumed by machines, which organisations can incorporate into their governance, risk and compliance (GRC) processes and tooling. For example, improved tooling could include programmatic ingestion of ISM releases into internal systems for tracking in line with organisations’ GRC processes. NIST publishes several OSCAL learning resources to help organisations understand the concepts behind OSCAL and its use.

The ISM is provided as an OSCAL catalog, with OSCAL props used for attributes unique to the ISM. ASD also provides illustrative OSCAL profiles and OSCAL resolved profile catalogs for each ISM control’s applicability (ALL, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET), as well as for Essential Eight Maturity Level One (ML1), Maturity Level Two (ML2) and Maturity Level Three (ML3). Importantly, to enable greater flexibility for consumers, and to align with the ISM’s non-machine-readable documents, the information used to inform these profiles is also included in the source ISM catalog.
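The following added example (not ASD's code) shows how a consumer might select controls from an OSCAL catalog by a prop value instead of relying on a separate profile. The catalog/groups/controls/props nesting follows the OSCAL catalog JSON model; the prop name `applicability`, the control ids and the sample catalog are constructed assumptions, so check the prop names used in the ISM release you ingest.

```python
import json

def load_catalog(path):
    """Read an OSCAL catalog JSON file and return its top-level 'catalog' object."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["catalog"]

def iter_controls(node):
    """Yield every control under a catalog, group or control, depth first."""
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)   # controls may nest inside controls
    for group in node.get("groups", []):    # groups may nest inside groups
        yield from iter_controls(group)

def prop_values(control, name):
    """Return all values of the named prop; OSCAL allows a prop name to repeat."""
    return {p.get("value") for p in control.get("props", []) if p.get("name") == name}

def controls_with(catalog, prop_name, value):
    """Return sorted ids of controls carrying prop_name == value."""
    return sorted(c["id"] for c in iter_controls(catalog)
                  if value in prop_values(c, prop_name))

# Constructed sample: ids, titles and the "applicability" prop name are
# assumptions for illustration, not values taken from an ISM release.
SAMPLE_CATALOG = {
    "uuid": "00000000-0000-4000-8000-000000000000",
    "metadata": {"title": "Constructed sample", "version": "0.0"},
    "groups": [{
        "id": "g1", "title": "Outer group",
        "controls": [{
            "id": "sample-0003", "title": "Control in outer group",
            "props": [{"name": "applicability", "value": "PROTECTED"}],
            "controls": [{"id": "sample-0003.1", "title": "No props at all"}],
        }],
        "groups": [{
            "id": "g1-1", "title": "Inner group",
            "controls": [
                {"id": "sample-0001", "title": "Two levels",
                 "props": [{"name": "applicability", "value": "OFFICIAL: Sensitive"},
                           {"name": "applicability", "value": "PROTECTED"}]},
                {"id": "sample-0002", "title": "High levels only",
                 "props": [{"name": "applicability", "value": "SECRET"},
                           {"name": "applicability", "value": "TOP SECRET"}]},
            ],
        }],
    }],
}

if __name__ == "__main__":
    for level in ("PROTECTED", "TOP SECRET"):
        print(level, controls_with(SAMPLE_CATALOG, "applicability", level))
```

Controls that lack the prop entirely, like `sample-0003.1` here, are simply not selected; an ingestion pipeline may want to report them separately so a renamed or missing prop is noticed.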

ASD welcomes feedback regarding ISM OSCAL. If you would like to provide any feedback or insights about your usage, or have enquiries regarding ISM OSCAL, please complete the ISM Feedback Form. Feedback pertaining to the broader use of OSCAL (including the OSCAL specification) should be directed to the OSCAL community or NIST’s OSCAL team.

