Export in OSCAL format
CAM supports the Open Security Controls Assessment Language (OSCAL), which is used by the National Institute of Standards and Technology (NIST) and provides control-related information in standardized machine-readable formats. CAM supports Catalog, Profile, SSP, Assessment Plan (AP), Assessment Results (AR), and Control Tailoring Request data.
Source tables to fetch data for the models
| Source table | JSON property |
|---|---|
| Catalog | |
| Control objective | controls |
| Control Objective to Control objective requirement | statements parts |
| Test template to Assessment procedure | assessment objective parts |
| Control Objective | guidance |
| Test Template | Assessment-method (Examine) |
| Test Template | Assessment-method (Interview) |
| Profile | |
| Baseline Control | Include-controls |
| Baseline Control | Exclude-controls |
| SSP | |
| Authorization boundary | components |
| Authorization package | leveraged-authorization |
| Authorization boundary | security-impact-level |
| Control requirement | statements |
| Authorization boundary | by-components |
| Information type | Information-types |
| Assessment Plan | |
| Engagement | assessment-plan |
| Engagement metadata | metadata (title, state, objectives, progress, dates, budget) |
| Users | metadata.parties |
| Roles | metadata.roles, responsible-parties |
| Control tests | local-definitions.activities |
| Test plan | local-definitions.activities.related-controls.control-objective-selections |
| Test template | local-definitions.activities.props |
| Assessment procedures | local-definitions.activities.steps |
| Controls in scope | reviewed-controls |
| Package reference | import-ssp.href |
| Assessment Results | |
| Engagement | results (actual dates, actual cost, state, percent complete) |
| Engagement metadata | metadata (responsible parties, roles, parties, props) |
| Control tests | local-definitions.activities, results.attestations |
| Assessment procedures | local-definitions.activities.steps, results.attestations.parts.parts |
| Reviewed controls | results.reviewed-controls |
| AP reference | import-ap.href |
| Control Tailoring Requests | |
| Roles (ctr-opened-by, ctr-assigned-to) | metadata.roles[].id, metadata.roles[].title |
| Users (Control Tailoring Request Opened by, Control Tailoring Request Assigned to) | metadata.responsible-parties[].role-id, metadata.responsible-parties[].party-uuids[] |
| Traceability props | system-characteristics.props |
Control Tailoring Request data in OSCAL files
When you generate OSCAL files for an authorization package, the export now includes overlays from both the authorization package and any associated control tailoring requests. Previously, only package-level overlays were included.
The number of overlay catalog files generated reflects the total number of distinct overlays across the package and its control tailoring requests. For example, if a package has two overlays and a control tailoring request introduces a third, the export produces three overlay catalog files.
The OSCAL export files also include control tailoring request data. The data includes baseline controls and overlays with references to their associated control tailoring requests. The metadata section includes:
- Responsible parties: the CTR Assigned To role and CTR Opened By role, alongside existing package and boundary role assignments
- Roles: CTR-specific roles exported alongside existing package roles
- System characteristics props: props representing control tailoring request data for traceability
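A reviewer receiving an exported package can check that the control tailoring request data listed above is present and internally consistent. The following is an added example, not part of the product documentation: it assumes the CTR data sits in the SSP file under the OSCAL root key `system-security-plan` and that parties carry a `uuid` as in the OSCAL metadata model. The UUIDs and the prop name in the sample are constructed placeholders.

```python
CTR_ROLE_IDS = ("ctr-opened-by", "ctr-assigned-to")  # role ids from the mapping table

def check_ctr_metadata(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means the CTR data is traceable."""
    ssp = doc.get("system-security-plan", {})  # assumed root key (OSCAL SSP model)
    meta = ssp.get("metadata", {})
    findings = []
    roles = {r.get("id"): r for r in meta.get("roles", [])}
    party_uuids = {p.get("uuid") for p in meta.get("parties", [])}
    assigned = {}  # role-id -> party UUIDs named in responsible-parties
    for rp in meta.get("responsible-parties", []):
        assigned.setdefault(rp.get("role-id"), []).extend(rp.get("party-uuids", []))
    for role_id in CTR_ROLE_IDS:
        if role_id not in roles:
            findings.append(f"role {role_id} missing from metadata.roles")
        elif not roles[role_id].get("title"):
            findings.append(f"role {role_id} has no title")
        uuids = assigned.get(role_id, [])
        if not uuids:
            findings.append(f"no responsible party for {role_id}")
        for u in uuids:  # every referenced party must be defined in metadata.parties
            if u not in party_uuids:
                findings.append(f"{role_id} references unknown party {u}")
    props = ssp.get("system-characteristics", {}).get("props", [])
    if not props:
        findings.append("system-characteristics.props is empty")
    for p in props:
        if not p.get("name") or not p.get("value"):
            findings.append(f"incomplete prop: {p}")
    return findings

# Constructed sample export (not real CAM output); UUIDs and the prop name are placeholders.
SAMPLE = {"system-security-plan": {
    "metadata": {
        "roles": [{"id": "ctr-opened-by", "title": "CTR Opened By"},
                  {"id": "ctr-assigned-to", "title": "CTR Assigned To"}],
        "parties": [{"uuid": "11111111-1111-4111-8111-111111111111", "type": "person"}],
        "responsible-parties": [
            {"role-id": "ctr-opened-by", "party-uuids": ["11111111-1111-4111-8111-111111111111"]},
            {"role-id": "ctr-assigned-to", "party-uuids": ["22222222-2222-4222-8222-222222222222"]}]},
    "system-characteristics": {
        "props": [{"name": "example-ctr-reference", "value": "CTR-PLACEHOLDER"}]}}}

if __name__ == "__main__":
    for finding in check_ctr_metadata(SAMPLE):
        print(finding)
```

The sample deliberately assigns `ctr-assigned-to` to a party that is not defined, so the check reports one finding. To run it against a real export, load the file with `json.load` and pass the resulting dict.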