Automating Cloud Policies with OSCAL

Writing policy can be a cumbersome part of a security program, especially when the organization has no staff dedicated to writing policy. NIST has been developing the Open Security Controls Assessment Language (OSCAL) since 2019 to help alleviate the pain that comes with writing policy.

It’s important to note that OSCAL policy automation should not be confused with Policy as Code that other tools such as HashiCorp Sentinel and Open Policy Agent (OPA) provide.

Automating Policies and System Security Plans (SSP)

A value-add that OSCAL provides is the automation of creating policies. For FedRAMP, authoring an SSP is a prerequisite for achieving Authorization to Operate (ATO) status. An open source project, Compliance Trestle, has an SSP authoring demo that can be used for this.

Since 2015, ScaleSec has been a pioneer in automating FedRAMP for customers. For example, we have developed tools such as FedRAMPup to help cloud service providers automate their SSP, and we develop FedRAMP-compliant infrastructure as code (e.g. Terraform).

IBM Compliance Trestle

FedRAMPup by ScaleSec

Testing Security Controls with DevOps Toolsets

In order for OSCAL to be effective, it must also integrate with DevOps tools. Integrating with existing tooling, such as Kubernetes configuration files, helps to ensure that controls can be tested with minimal friction. Compliance Trestle has a demo that converts Kubernetes YAML to OSCAL. In addition to looking at configuration before it’s deployed to cloud infrastructure, tools such as Chef InSpec can inspect the already deployed environment configuration to populate control catalogs that map back to compliance frameworks.

Kubernetes YAML to OSCAL

Chef Inspec
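To make the "configuration before deployment" idea concrete, here is an added example (not Compliance Trestle's code or the demo linked above) that runs two least-privilege checks over Kubernetes Pod manifests and wraps the outcome in an OSCAL assessment-results document. The manifests are embedded as already-parsed dicts to stay dependency-free (in practice you would load them with yaml.safe_load), the control objective IDs and the assessment-plan reference are hypothetical, and the envelope field names follow the OSCAL assessment-results model as the author understands it; validate the output against NIST's published JSON schema before feeding it to a GRC tool.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: two Pod manifests as already-parsed dicts.
MANIFESTS = [
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"containers": [{"name": "app",
              "securityContext": {"runAsNonRoot": True, "privileged": False}}]}},
    {"kind": "Pod", "metadata": {"name": "debug"},
     "spec": {"containers": [{"name": "shell",
              "securityContext": {"privileged": True}}]}},
]

# Hypothetical mapping of manifest checks to control objective IDs
# (modelled on NIST SP 800-53 AC-6, least privilege).
CHECKS = {
    "ac-6_obj.1": ("Containers must not run privileged",
                   lambda c: not c.get("securityContext", {}).get("privileged", False)),
    "ac-6_obj.2": ("Containers must run as non-root",
                   lambda c: c.get("securityContext", {}).get("runAsNonRoot") is True),
}

def evaluate(manifests):
    """Return one finding per (pod, control): 'satisfied' or 'not-satisfied'."""
    findings = []
    for m in manifests:
        for control_id, (title, check) in CHECKS.items():
            failing = [c["name"] for c in m["spec"]["containers"] if not check(c)]
            findings.append({
                "uuid": str(uuid.uuid4()),
                "title": f"{title} ({m['metadata']['name']})",
                "description": ("compliant" if not failing
                                else "non-compliant containers: " + ", ".join(failing)),
                "target": {"type": "objective-id", "target-id": control_id,
                           "status": {"state": "satisfied" if not failing else "not-satisfied"}},
            })
    return findings

def to_oscal_assessment_results(findings):
    """Wrap findings in an OSCAL assessment-results envelope (schema assumed, see lead-in)."""
    now = datetime.now(timezone.utc).isoformat()
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "Kubernetes manifest checks", "last-modified": now,
                     "version": "1.0", "oscal-version": "1.0.4"},
        "import-ap": {"href": "assessment-plan.json"},  # hypothetical plan reference
        "results": [{"uuid": str(uuid.uuid4()), "title": "Pre-deployment manifest review",
                     "description": "Static checks over Kubernetes manifests", "start": now,
                     "findings": findings}]}}

if __name__ == "__main__":
    print(json.dumps(to_oscal_assessment_results(evaluate(MANIFESTS)), indent=2))
```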

Reporting Adherence to Security Controls

Tools exist that examine a cloud environment’s security posture, generally referred to as Cloud Security Posture Management (CSPM). CSPM tools are effective at analyzing the configuration of a cloud environment, but may miss other aspects such as process and security controls that exist outside of the cloud environment (such as code analysis and scanning). This is where OSCAL comes in. Some governance, risk and compliance (GRC) tools such as GovReady can already ingest OSCAL to provide reports.

OSCAL could be used for policy automation, automated testing of controls, and integrations to other tools for reporting purposes such as GRC tooling. There are many open source projects and commercial products that are being developed to automate roles that were historically filled by security professionals who specialize in policy. While OSCAL won’t yet automate all aspects of creating security policy, the capabilities and toolsets are being developed to make policy easier than ever.

The information presented in this article is accurate as of March 31, 2022. Follow the ScaleSec blog for new articles and updates.