Should component output be in OSCAL format? #1705
Is the output of tools (say a static code analyzer) something that would be transformed into OSCAL format, or is OSCAL at a higher level of abstraction, where the implementation and assessment of controls describe how things work without including the results of particular tools?
I am not endorsing nor do I have much experience with this tool, but it seems the MITRE SAF folk have a take on normalizing security tool output that may be useful to OSCAL Assessment processes.
The OSCAL Assessment Results model is composed of (among other things): observations, risks, and findings. Observations can contain human- or machine-generated evidence of compliance or non-compliance. OSCAL is on the "higher level of abstraction" side, allowing implementers to collect evidence from a wide variety of tools and processes without prescribing a specific tool output. For a really simple example of an automated workflow generating Assessment Results documents based on tool output (in this case, a Python test), check out this case study that our team recently presented on.
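As an added illustration of the workflow the reply above describes (this is example code written for this page, not the case study's code and not an official OSCAL tool), the script below turns constructed static-analyzer output into an OSCAL Assessment Results document: each tool hit becomes an observation, and each control objective in scope that the tool's rule set covers gets a finding whose status is derived from the observations mapped to it. The analyzer name, rule IDs, control-objective IDs and assessment-plan path are all hypothetical; the rule-to-objective mapping is the piece an implementer has to author, since the tool itself knows nothing about controls. Field names follow my reading of the OSCAL 1.1 assessment-results JSON layout (uuid, metadata, import-ap, results with observations and findings) and should be validated against the published schema before use.

```python
"""Convert constructed static-analyzer output into an OSCAL Assessment Results document."""
import json
import uuid
from datetime import datetime, timezone

TOOL_NAME = "example-sast"  # hypothetical analyzer name

# Constructed sample of what a static code analyzer might report; not real tool output.
TOOL_OUTPUT = [
    {"rule": "hardcoded-credential", "file": "app/db.py", "line": 12, "severity": "high"},
    {"rule": "tls-verify-disabled", "file": "app/client.py", "line": 40, "severity": "medium"},
]

# Hypothetical mapping from analyzer rule IDs to control-objective IDs named in the assessment plan.
RULE_TO_OBJECTIVE = {
    "hardcoded-credential": "ia-5_obj",
    "tls-verify-disabled": "sc-8_obj",
    "insecure-random": "sc-13_obj",
}

# Objectives the (assumed) assessment plan puts in scope; ac-2_obj has no analyzer rule behind it.
OBJECTIVES_IN_SCOPE = ["ia-5_obj", "sc-8_obj", "sc-13_obj", "ac-2_obj"]


def _uid(*parts):
    """Deterministic UUID from the evidence itself, so re-runs on the same input produce the same IDs."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "/".join(str(p) for p in parts)))


def build_assessment_results(tool_output, rule_map, objectives_in_scope, tool_name=TOOL_NAME):
    """Return an assessment-results document (as a dict) for one analyzer run."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    observations, hits_by_objective = [], {}
    for hit in tool_output:
        obs_uuid = _uid(tool_name, hit["rule"], hit["file"], hit["line"])
        observations.append({
            "uuid": obs_uuid,
            "title": f"{tool_name}: {hit['rule']}",
            "description": f"{hit['rule']} reported at {hit['file']}:{hit['line']} (severity {hit['severity']})",
            "methods": ["TEST"],  # machine-generated evidence, as opposed to EXAMINE or INTERVIEW
            "relevant-evidence": [{"href": f"{hit['file']}#L{hit['line']}",
                                   "description": f"{tool_name} rule {hit['rule']}"}],
            "collected": now,
        })
        objective = rule_map.get(hit["rule"])
        if objective is not None:  # unmapped hits stay as evidence but drive no finding
            hits_by_objective.setdefault(objective, []).append(obs_uuid)

    covered = set(rule_map.values())
    findings = []
    for objective in objectives_in_scope:
        if objective not in covered:
            continue  # the analyzer has no rule for this objective: tool silence is not evidence
        related = hits_by_objective.get(objective, [])
        findings.append({
            "uuid": _uid(tool_name, "finding", objective),
            "title": f"Objective {objective}",
            "description": f"{len(related)} {tool_name} observation(s) mapped to {objective}",
            "target": {"type": "objective-id", "target-id": objective,
                       "status": {"state": "not-satisfied" if related else "satisfied"}},
            "related-observations": [{"observation-uuid": u} for u in related],
        })

    return {"assessment-results": {
        "uuid": _uid(tool_name, "assessment-results", now),
        "metadata": {"title": f"Automated results from {tool_name}", "last-modified": now,
                     "version": "1.0", "oscal-version": "1.1.2"},
        "import-ap": {"href": "./assessment-plan.json"},  # assumed location of the plan
        "results": [{"uuid": _uid(tool_name, "result", now), "title": f"{tool_name} run",
                     "description": "Static analysis output converted to OSCAL observations and findings",
                     "start": now, "observations": observations, "findings": findings}],
    }}


def finding_states(doc):
    """Summarise a document as {objective-id: state}, handy for tests and for CI gating."""
    return {f["target"]["target-id"]: f["target"]["status"]["state"]
            for r in doc["assessment-results"]["results"] for f in r["findings"]}


if __name__ == "__main__":
    document = build_assessment_results(TOOL_OUTPUT, RULE_TO_OBJECTIVE, OBJECTIVES_IN_SCOPE)
    print(json.dumps(document, indent=2))
```

The two design points worth noting: observations are kept for every hit, mapped or not, because the observation layer is where raw tool evidence belongs, while findings exist only for objectives the tool can actually speak to, so an objective with no analyzer rule never shows up as "satisfied" merely because nothing fired.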