OSCAL (Open Security Controls Assessment Language) catalog and profile definitions for 14 compliance frameworks. Ready to use with any OSCAL-compatible tooling.
| Framework | Directory |
|---|---|
| NIST 800-53 | nist-800-53-oscal/ |
| ISO 27001 | iso-27001-oscal/ |
| ISO 27701 | iso-27701-oscal/ |
| ISO 42001 | iso-42001-oscal/ |
| SOC 2 | soc2-oscal/ |
| FedRAMP | fedramp-oscal/ |
| HIPAA | hipaa-oscal/ |
| CMMC | cmmc-oscal/ |
| GDPR | gdpr-oscal/ |
| PCI DSS v4.0 | pci-dss-oscal/ |
| NIST CSF 2.0 | nist-csf-oscal/ |
| EU AI Act | eu-ai-act-oscal/ |
| SEC Cyber | sec-cyber-oscal/ |
| UCF | unified-controls-framework/ |
Each framework directory follows a consistent layout:

```
<framework>-oscal/
  catalog/catalog.json   # OSCAL 1.1.2 catalog
  profiles/              # Baseline profiles (where applicable)
  mappings/              # Cross-framework mappings
  tests/                 # Validation tests
```
All catalogs conform to OSCAL version 1.1.2.
UUIDs are deterministic (UUID5 with a fixed namespace) so the same input always produces the same OSCAL output. Control IDs are normalized to lowercase with hyphens (e.g., AC-2 becomes ac-2, CC6.1 becomes cc6-1).
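To show what "deterministic UUIDs" and "normalized control IDs" mean in practice, here is an added example (not code from this repository) that builds a minimal OSCAL 1.1.2 catalog from a constructed control list; the UUID5 namespace value and the exact normalization rule are assumptions, inferred from the two examples above rather than taken from the project.

```python
import json
import re
import uuid

# Placeholder namespace: the repository's real fixed UUID5 namespace is not
# stated on the page, so this constant is an assumption for the example only.
ASSUMED_NAMESPACE = uuid.UUID("12345678-1234-5678-1234-567812345678")

# Constructed sample input (raw control id -> title), not from any real catalog.
SAMPLE_CONTROLS = {
    "CC6.1": "Logical and physical access controls",
    "AC-2": "Account Management",
}

def normalize_control_id(raw_id: str) -> str:
    """Lowercase and collapse each run of non-alphanumerics to one hyphen,
    so AC-2 -> ac-2 and CC6.1 -> cc6-1 (rule inferred from those two cases)."""
    return re.sub(r"[^a-z0-9]+", "-", raw_id.strip().lower()).strip("-")

def deterministic_uuid(kind: str, key: str) -> str:
    """UUID5 over the fixed namespace: the same kind/key pair always yields
    the same id, so regenerating a catalog gives a byte-identical file."""
    return str(uuid.uuid5(ASSUMED_NAMESPACE, f"{kind}:{key}"))

def build_catalog(framework: str, controls: dict) -> dict:
    """Assemble a minimal OSCAL 1.1.2 catalog whose ids and uuids derive
    from the input alone, never from the clock or random state."""
    oscal_controls = [
        {"id": normalize_control_id(raw_id), "title": title,
         # keep the framework's original label for human readers
         "props": [{"name": "label", "value": raw_id}]}
        for raw_id, title in controls.items()
    ]
    return {
        "catalog": {
            "uuid": deterministic_uuid("catalog", framework),
            "metadata": {
                "title": framework,
                "last-modified": "2024-01-01T00:00:00Z",  # fixed, keeps output stable
                "version": "1.0",
                "oscal-version": "1.1.2",
            },
            "controls": oscal_controls,
        }
    }

if __name__ == "__main__":
    print(json.dumps(build_catalog("SOC 2", SAMPLE_CONTROLS), indent=2))
```

Running the script twice produces identical JSON, which is what lets the generated catalogs be diffed and reviewed like source code.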
These JSON files work with any OSCAL-compatible tool:
- NIST OSCAL CLI
- Compliance-trestle
- Lula
- Custom tooling that parses OSCAL JSON
```bash
# Validate with oscal-cli
oscal-cli validate nist-800-53-oscal/catalog/catalog.json
```

License: MIT