
Announcing Google Cloud’s first complete OSCAL package

June 9, 2023
Valentin Mihai

Continuous Controls Assurance Engineering, Google Cloud

Rachel Kim

Continuous Controls Assurance Engineering, Google Cloud

Today, Google Cloud is proud to announce that we have successfully submitted our first complete OSCAL package. This is a major milestone for us, as it represents a step forward in supporting scalable compliance for Google Cloud and its customers.

Open Security Control Assessment Language (OSCAL)

OSCAL (Open Security Control Assessment Language) is an open, machine-readable language developed by NIST for representing security controls and their assessments. It is designed to facilitate the exchange of control information between organizations and systems, and it enables the automation of security assessments.

As organizations increasingly move from periodic audits to continuous controls monitoring, the free flow of information in a consistent, machine-readable format becomes a critical requirement. Google Cloud is looking to adopt OSCAL as that standard. The goal is to combine the OSCAL data structure with tooling that automates the monitoring of security controls, helping to protect data and reduce risk.

Google Cloud’s adoption and use of OSCAL

We are proud to be a pioneer in the adoption of OSCAL. As an initial step, we adopted the OSCAL data structure internally, for example in our own control taxonomy and our GRC tooling. This adoption was critical in giving us an organized, comprehensive, and consistent data structure for controls and their monitoring.

By adopting the OSCAL taxonomy internally, Google Cloud can help ensure that its security controls are consistently described and assessed. This helps us improve our security posture and reduce the risk of security breaches, and it makes it easier to automate the assessment of that posture.

We also developed an internal tool that automatically generates OSCAL files in JSON and XML by consuming internal control and control-monitoring metrics data.
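To make concrete what such a generator produces, here is an added example (not Google Cloud's internal tool, whose implementation the post does not describe) that rolls constructed control-monitoring metrics up into a minimal OSCAL 1.0 assessment-results document in its JSON representation. The control ids, metric names, thresholds, objective target ids and the assessment-plan href are constructed placeholders.

```python
import uuid
from datetime import datetime, timezone

# Constructed control-monitoring records (not real data): control evidenced, observed value, pass ceiling.
METRICS = [
    {"control_id": "ac-2", "metric": "orphaned_accounts", "value": 0, "max_allowed": 0},
    {"control_id": "ac-2", "metric": "accounts_without_owner", "value": 3, "max_allowed": 0},
    {"control_id": "au-6", "metric": "unreviewed_log_days", "value": 0, "max_allowed": 1},
]

def metric_satisfied(rec):
    return rec["value"] <= rec["max_allowed"]

def control_states(records):
    """Roll metrics up per control: 'satisfied' only if every metric for that control passes."""
    states = {}
    for rec in records:
        states[rec["control_id"]] = states.get(rec["control_id"], True) and metric_satisfied(rec)
    return {cid: ("satisfied" if ok else "not-satisfied") for cid, ok in states.items()}

def build_assessment_results(records, ap_href="assessment-plan.json"):
    """Emit a minimal OSCAL 1.0 assessment-results document (its JSON representation, as a dict)."""
    now = datetime.now(timezone.utc).isoformat()
    states = control_states(records)
    findings = []
    for cid, state in sorted(states.items()):
        failing = [r["metric"] for r in records
                   if r["control_id"] == cid and not metric_satisfied(r)]
        findings.append({
            "uuid": str(uuid.uuid4()),
            "title": f"Automated check for {cid}",
            "description": ("Metrics out of threshold: " + ", ".join(failing)) if failing
                           else "All monitored metrics within threshold.",
            # A finding names the control objective it assessed and carries the pass/fail state.
            "target": {"type": "objective-id", "target-id": f"{cid}_obj",
                       "status": {"state": state}},
        })
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "Continuous monitoring results", "last-modified": now,
                     "version": "1", "oscal-version": "1.0.4"},
        "import-ap": {"href": ap_href},  # the assessment plan these results respond to
        "results": [{
            "uuid": str(uuid.uuid4()), "title": "Automated control monitoring run",
            "description": "Findings derived from control monitoring metrics.", "start": now,
            "reviewed-controls": {"control-selections": [
                {"include-controls": [{"control-id": cid} for cid in sorted(states)]}]},
            "findings": findings,
        }],
    }}
```

`json.dumps(build_assessment_results(METRICS), indent=2)` serialises the document; an XML representation would carry the same elements under the OSCAL XML schema.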

We believe that these initiatives will make it easier for organizations to adopt and use OSCAL. We are committed to continuing to develop and improve OSCAL, and we are excited to see what the future holds for this important security standard.

Driving compliance transparency and automation

Google Cloud's adoption of OSCAL is a significant step forward in achieving and supporting compliance. It can provide a single source of truth for security documentation, standardize compliance artifacts, automate security assessments, and automate remediation, which helps create compliance transparency internally.

Google Cloud is committed to enhancing, scaling, and supporting compliance to help customers. Going forward, we will explore options for externalizing OSCAL-formatted packages that customers can use to automate the security assurance process across multiple compliance frameworks.

We are also committed to collaborating with NIST on improving the OSCAL data model and to helping the OSCAL community grow.
