
OSCAL in Europe: A Foundation for the Digital Security Passport

By Sara Nieves Matheu Garcia, University of Murcia, Department of Communications and Information Engineering

Cybersecurity documentation is often scattered across reports, spreadsheets, and ad hoc formats, making it difficult to exchange, validate, or automate. The Open Security Controls Assessment Language (OSCAL), developed by NIST, addresses this challenge by providing a family of machine-readable models for representing security controls, system descriptions, assessment plans and results, and remediation actions.

OSCAL’s value lies in its flexibility, extensibility, and support for automation. It is not tied to a specific sector or technology: the same models can be applied in cloud certification, software assurance, or digital devices. This adaptability, together with the growing support in Europe through the EUROSCAL initiative, is making OSCAL a promising foundation for more transparent and interoperable security documentation.

Bringing OSCAL to Devices with the DSP

In the DOSS project, OSCAL has been chosen as the foundation for building the Device Security Passport (DSP). Unlike OSCAL itself, which provides generic models for documenting controls and assessments, the DSP applies and adapts these models to a specific purpose: ensuring transparency and traceability of device security across the entire supply chain.

The DSP integrates descriptors such as SBOMs, HBOMs, CBOMs, MUD profiles, and vulnerability disclosures into an OSCAL-inspired structure, ensuring that all this information can be linked, versioned, and audited. Some OSCAL models, like the POA&M, have been simplified or extended, while new fields have been introduced to capture transparency requirements of the EU Cyber Resilience Act (CRA). In this way, OSCAL serves as the technical backbone, and the DSP builds on top of it to deliver a concrete solution for digital products.
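As an added illustration of the two preceding paragraphs (the generic OSCAL models and the DSP's linking, versioning and auditing of descriptors), the Python below builds a small OSCAL-style `component-definition` for a device and then audits it. This is example code written for this page, not the DOSS project's DSP implementation or NIST's OSCAL tooling, and the actual DSP schema is not shown here. What it takes from OSCAL is the real document shape: `metadata` with `version` and `oscal-version`, components carrying `links` whose `href` is a `#uuid` fragment, and `back-matter.resources` with `rlinks` and `hashes`. The SBOM, MUD and vulnerability-disclosure artefacts, their paths, and the link `rel` values are constructed assumptions. The audit checks the properties the text asks for: every link resolves to a resource, the passport carries a version, and each referenced artefact still matches the SHA-256 recorded in the passport, so a swapped SBOM or a dangling reference is reported rather than silently accepted.

```python
"""Build and audit an OSCAL-style device passport (constructed example, not DOSS code)."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-ins for the descriptors a passport references. Real files would be
# full CycloneDX / MUD / CSAF documents; here they only need to be bytes we can hash.
SAMPLE_ARTIFACTS = {
    "sbom/device-sbom.cdx.json": b'{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}',
    "mud/device-mud.json": b'{"ietf-mud:mud":{"mud-version":1,"mud-url":"https://example.invalid/mud"}}',
    "vex/advisory-2025-0001.json": b'{"document":{"category":"csaf_vex","title":"constructed advisory"}}',
}

# (artefact path, resource title, media type, link rel). The rel values are assumptions.
DESCRIPTORS = [
    ("sbom/device-sbom.cdx.json", "Software Bill of Materials", "application/vnd.cyclonedx+json", "sbom"),
    ("mud/device-mud.json", "MUD profile", "application/json", "mud"),
    ("vex/advisory-2025-0001.json", "Vulnerability disclosure", "application/json", "vulnerability-disclosure"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_passport(artifacts: dict, version: str = "1.0.0") -> dict:
    """Return an OSCAL component-definition-shaped dict.

    Each descriptor becomes a back-matter resource that records the artefact's SHA-256,
    and the device component links to it with a '#<uuid>' fragment, which is how OSCAL
    links point at back-matter resources.
    """
    resources, links = [], []
    for href, title, media_type, rel in DESCRIPTORS:
        rid = str(uuid.uuid4())
        resources.append({
            "uuid": rid,
            "title": title,
            "rlinks": [{"href": href, "media-type": media_type}],
            "hashes": [{"algorithm": "SHA-256", "value": sha256_hex(artifacts[href])}],
        })
        links.append({"href": f"#{rid}", "rel": rel})
    return {
        "component-definition": {
            "uuid": str(uuid.uuid4()),
            "metadata": {
                "title": "Device Security Passport (constructed sample)",
                "last-modified": datetime.now(timezone.utc).isoformat(),
                "version": version,
                "oscal-version": "1.1.2",
            },
            "components": [{
                "uuid": str(uuid.uuid4()),
                "type": "hardware",
                "title": "Example IoT gateway",
                "description": "Constructed device entry for the example.",
                "links": links,
            }],
            "back-matter": {"resources": resources},
        }
    }


def audit_passport(doc: dict, artifacts: dict) -> list:
    """Return a list of findings; an empty list means the passport is internally
    consistent and every referenced artefact still matches its recorded hash."""
    findings = []
    cd = doc["component-definition"]
    if not cd.get("metadata", {}).get("version"):
        findings.append("metadata.version missing: passport cannot be versioned")
    resources = {r["uuid"]: r for r in cd.get("back-matter", {}).get("resources", [])}
    # 1. Every internal link must resolve to a back-matter resource.
    for comp in cd.get("components", []):
        for link in comp.get("links", []):
            href = link["href"]
            if href.startswith("#") and href[1:] not in resources:
                findings.append(f"dangling link {href} (rel={link.get('rel')})")
    # 2. Every resource must carry a SHA-256 and the artefact behind it must still match.
    for rid, res in resources.items():
        hashes = {h["algorithm"].upper(): h["value"] for h in res.get("hashes", [])}
        if "SHA-256" not in hashes:
            findings.append(f"resource {rid} has no SHA-256 hash")
            continue
        for rlink in res.get("rlinks", []):
            data = artifacts.get(rlink["href"])
            if data is None:
                findings.append(f"resource {rid}: artefact {rlink['href']} not available")
            elif sha256_hex(data) != hashes["SHA-256"]:
                findings.append(f"resource {rid}: {rlink['href']} does not match recorded hash")
    return findings


if __name__ == "__main__":
    passport = build_passport(SAMPLE_ARTIFACTS)
    print(json.dumps(passport, indent=2)[:600], "...")
    print("findings:", audit_passport(passport, SAMPLE_ARTIFACTS))
```

Running the module prints the start of the generated passport and an empty findings list; replacing one artefact's bytes, or deleting a resource from `back-matter`, produces one finding each, which is the kind of signal an auditor wants before trusting a passport received from a supplier.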

DOSS and the European momentum around OSCAL

DOSS has been a key player in bringing OSCAL to the European cybersecurity agenda. Through its work on the DSP, DOSS has demonstrated to both ECSO and NIST how OSCAL can be applied in practice, particularly in the context of devices and regulatory requirements like the CRA.

These efforts have contributed directly to the launch of the OSCAL Task Force at ECSO (https://ecs-org.eu/?publications=actions-beyond-words-automating-audits-for-streamlined-cybersecurity-compliance-in-europe), a working group that will coordinate and promote OSCAL adoption across Europe. Over the past year, UMU has participated in numerous discussions with ECSO and NIST, presenting the DSP as a reference case and paving the way for broader European collaboration.

The first Task Force meeting will be held on September 24th 2025, with participation from DOSS alongside other European projects such as COBALT and EMERALD. The group’s objective is to harmonize approaches, reduce the burden of compliance, and develop automated, interoperable solutions for cybersecurity documentation.

Looking ahead

OSCAL provides the language and structure, while the DSP shows how it can be adapted and extended to address concrete needs such as device security and CRA compliance. In Europe, initiatives like EUROSCAL and the new ECSO Task Force show a growing interest in making OSCAL part of the cybersecurity conversation.

For DOSS, this represents both recognition of the work already achieved and an opportunity to contribute to shaping how OSCAL evolves in the European context—helping to ensure that transparency, automation, and security-by-design move from theory into practice for the entire digital device ecosystem.

Links:

Presentation of ECSO OSCAL Task Force: https://ecs-org.eu/ecso-uploads/2025/04/ECSO_OSCAL-Role-in-European-Cybersecurity-Public-Policy_23-Apr-2025_Pub_v1.pdf
Launch of ECSO OSCAL Task Force: https://ecs-org.eu/events/actions-beyond-words-automating-audits-for-streamlined-cybersecurity-compliance-in-europe/
NIST OSCAL Webinars: https://pages.nist.gov/OSCAL/learn/presentations/mini-workshop/
DOSS: Supporting certification and CRA compliance through the DOSS Device Security Passport: https://drive.google.com/uc?export=download&id=1qzX-tc6icvkzfUvrWqzlP15z6bKQESsY
