OSCAL is a vocabulary, not a tool.
OSCAL stands for Open Security Controls Assessment Language. NIST has been developing it since 2018. It is published in three semantically equivalent serializations — XML, JSON, and YAML — at version 1.1.2 as of early 2026.
It is not a piece of software. It does not prescribe how compliance data is stored, generated, or displayed. It prescribes what compliance information looks like when it leaves one system and enters another. Think of it the way you think of CSV or JSON Schema — a format, not a product.
The layers.
OSCAL defines seven document models. NIST groups them into three layers (Control, Implementation, Assessment); read top to bottom, the stack looks like this:
- Catalog: the controls themselves, with their statements, parameters and assessment objectives. NIST publishes SP 800-53 Rev 5 as an OSCAL Catalog. Source-of-truth content; for a public framework you consume it, you don't author it.
- Profile: a tailoring of one or more Catalogs. Which controls are selected, which parameter values are set, what the baseline contains. The FedRAMP baselines are Profiles over the 800-53 Catalog.
- Implementation: System Security Plan (SSP) plus Component Definitions. How a system, and the reusable components inside it, implement the controls the Profile selects.
- Assessment: Assessment Plan (what to check) plus Assessment Results (what was found). The findings ledger.
- POA&M: Plan of Action and Milestones. Open gaps with owners, remediation plans, target dates. NIST files it in the Assessment layer alongside the plan and the results.
OSCAL artifacts reference each other by href. A POA&M imports an SSP. An SSP imports a Profile. A Profile imports one or more Catalogs (or other Profiles). An Assessment Plan imports an SSP, and an Assessment Result imports that Assessment Plan, so results reach the system description through the plan rather than directly. The graph is the point: a validator can follow every link and check that a finding points at a control the Profile actually selected.
What you will actually generate.
For a typical CMMC Level 2 customer, four OSCAL artifacts matter:
- A Profile reflecting your scope: the 110 NIST SP 800-171 Rev 2 security requirements that CMMC Level 2 assesses, with your tenant-specific tailoring. (SP 800-171 Rev 3 consolidated the list to 97 requirements, but the CMMC rule assesses against Rev 2.)
- An SSP describing how your system implements those 110 requirements: components, narratives, evidence references.
- A POA&M for the requirements that didn't pass: owners, deadlines, remediation plans.
- Assessment Results describing the findings ledger. OSCAL records each finding as satisfied or not-satisfied against a control statement or assessment objective; the per-requirement MET / NOT MET / NOT APPLICABLE status a CMMC assessor reports is derived from those findings, with cited evidence.
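As an added worked example (not FORCE's code or output, and not NIST's), the following Python constructs a minimal set of the artifacts listed above, wired together with the import references the layers section describes, and walks the graph to catch two inconsistencies a per-file schema validator cannot see: an SSP that implements a control its Profile never selected, and a not-satisfied finding that no POA&M item tracks. It also collapses the per-finding satisfied / not-satisfied states into a per-requirement MET / NOT MET view. Field names follow the OSCAL 1.1 JSON layouts; the documents, hrefs, UUIDs and control selection are constructed sample data, and the MET / NOT MET collapsing rule is this example's own convention, not something OSCAL defines.

```python
"""Walk a set of OSCAL 1.1 JSON artifacts and check the reference graph.
Constructed sample, not FORCE output. Field names follow the OSCAL 1.1 JSON layouts
(imports / include-controls, import-profile, import-ssp, import-ap, findings[].target);
hrefs, UUIDs and control ids are made up for the example."""
from __future__ import annotations

# Constructed sample: six minimal artifacts keyed by the href other documents use to import them.
DOCS: dict[str, dict] = {
    "catalog.json": {"catalog": {"uuid": "c1", "controls": [
        {"id": "ac-2", "title": "Account Management"},
        {"id": "ac-3", "title": "Access Enforcement"},
        {"id": "ia-2", "title": "Identification and Authentication"}]}},
    "profile.json": {"profile": {"uuid": "p1", "imports": [
        {"href": "catalog.json", "include-controls": [{"with-ids": ["ac-2", "ac-3"]}]}]}},
    "ssp.json": {"system-security-plan": {"uuid": "s1",
        "import-profile": {"href": "profile.json"},
        "control-implementation": {"implemented-requirements": [
            {"uuid": "ir1", "control-id": "ac-2"},
            {"uuid": "ir2", "control-id": "ac-3"},
            {"uuid": "ir3", "control-id": "ia-2"}]}}},  # ia-2 is not selected by the profile
    "ap.json": {"assessment-plan": {"uuid": "a1", "import-ssp": {"href": "ssp.json"}}},
    "ar.json": {"assessment-results": {"uuid": "r1", "import-ap": {"href": "ap.json"},
        "results": [{"uuid": "res1", "findings": [
            {"uuid": "f1", "target": {"type": "objective-id", "target-id": "ac-2_obj",
                                      "status": {"state": "satisfied"}}},
            {"uuid": "f2", "target": {"type": "objective-id", "target-id": "ac-3_obj",
                                      "status": {"state": "not-satisfied"}}}]}]}},
    "poam.json": {"plan-of-action-and-milestones": {"uuid": "m1",
        "import-ssp": {"href": "ssp.json"}, "poam-items": []}},  # finding f2 is not tracked
}

# Which import element each non-profile model uses to point at the document below it.
IMPORT_KEY = {"system-security-plan": "import-profile", "assessment-plan": "import-ssp",
              "assessment-results": "import-ap", "plan-of-action-and-milestones": "import-ssp"}

def root(doc: dict) -> tuple[str, dict]:
    """(model name, body) of an OSCAL JSON document; the root object has exactly one key."""
    (name, body), = doc.items()
    return name, body

def hrefs(doc: dict) -> list[str]:
    """Outgoing references of one document: a Profile imports many, the rest import one."""
    name, body = root(doc)
    if name == "profile":
        return [imp["href"] for imp in body.get("imports", [])]
    key = IMPORT_KEY.get(name)
    return [body[key]["href"]] if key and key in body else []

def selected_controls(docs: dict, profile: dict) -> set[str]:
    """Control ids a Profile selects from the Catalogs it imports (include-all or with-ids)."""
    ids: set[str] = set()
    for imp in root(profile)[1].get("imports", []):
        catalog = root(docs[imp["href"]])[1]
        available = {c["id"] for c in catalog.get("controls", [])}
        for group in catalog.get("groups", []):  # 800-53 nests controls under family groups
            available |= {c["id"] for c in group.get("controls", [])}
        if "include-all" in imp or "include-controls" not in imp:
            ids |= available
        for sel in imp.get("include-controls", []):
            ids |= set(sel.get("with-ids", []))
    return ids

def findings(ar_body: dict):
    for result in ar_body.get("results", []):
        yield from result.get("findings", [])

def check(docs: dict) -> list[str]:
    """Cross-document checks a per-file schema validator cannot do. Returns issue strings."""
    issues = []
    for fname, doc in docs.items():
        issues += [f"{fname}: dangling href {h}" for h in hrefs(doc) if h not in docs]
    # An SSP may only claim controls its Profile actually selected.
    for fname, doc in docs.items():
        name, body = root(doc)
        if name == "system-security-plan" and body["import-profile"]["href"] in docs:
            allowed = selected_controls(docs, docs[body["import-profile"]["href"]])
            for req in body["control-implementation"]["implemented-requirements"]:
                if req["control-id"] not in allowed:
                    issues.append(f"{fname}: implements {req['control-id']}, not selected by profile")
    # Every not-satisfied finding must be tracked by some POA&M item via related-findings.
    tracked = {rf["finding-uuid"]
               for doc in docs.values() if root(doc)[0] == "plan-of-action-and-milestones"
               for item in root(doc)[1].get("poam-items", [])
               for rf in item.get("related-findings", [])}
    for fname, doc in docs.items():
        name, body = root(doc)
        if name == "assessment-results":
            for f in findings(body):
                if f["target"]["status"]["state"] == "not-satisfied" and f["uuid"] not in tracked:
                    issues.append(f"{fname}: finding {f['uuid']} on {f['target']['target-id']} has no POA&M item")
    return issues

def ledger(ar: dict) -> dict[str, str]:
    """Per-control MET / NOT MET view of an AR. The collapsing rule is this example's assumption
    (OSCAL defines only the per-finding state): MET only if every finding on the control is satisfied."""
    out: dict[str, str] = {}
    for f in findings(root(ar)[1]):
        control = f["target"]["target-id"].split("_")[0]  # 'ac-3_obj' -> 'ac-3'
        ok = f["target"]["status"]["state"] == "satisfied"
        out[control] = "MET" if ok and out.get(control, "MET") == "MET" else "NOT MET"
    return out

if __name__ == "__main__":
    for issue in check(DOCS):
        print("ISSUE:", issue)
    print(ledger(DOCS["ar.json"]))
```

Run it as a script to print the two issues and the ledger. It deliberately skips schema validation: use NIST's oscal-cli or a JSON Schema validator with the published schemas for that, then run cross-document checks like these over the resolved set, because a file can be schema-valid and still point at a control nobody selected.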
Why the federal government is mandating it.
Compliance documentation has historically been Microsoft Word, Excel, and PDF — formats that are expensive to read, parse, validate, or compare. An assessor reading 200 PDFs from 200 different vendors is doing the same translation work over and over. A submission to a federal authority is even worse: someone manually rekeys data into a portal.
OSCAL is the federal answer. Every artifact validates against a published schema. Tooling can read them, diff them, validate them, sign them. FedRAMP's RFC-0024 mandates machine-readable OSCAL submissions starting September 30, 2026; CSPs that miss the transition face certification revocation by September 30, 2027. DoD will follow within 18-36 months for CMMC.
Where FORCE fits.
FORCE is OSCAL-native by design. Your control evidence, attestations, and findings produce valid OSCAL artifacts you can download from any assessment page in the product. You don't have to learn the format; you just generate the artifact and submit it. See what FORCE generates →
