



Today, Google Cloud is proud to submit to eMASS the complete OSCAL package for Department of Defense (DoD) Impact Level 5 (IL5). This is a major milestone for us and a step forward in supporting scalable compliance for Google Cloud and its customers.

Open Security Controls Assessment Language (OSCAL)

OSCAL (Open Security Controls Assessment Language) is an open, machine-readable language developed by NIST for representing security control assessments. It is designed to facilitate the exchange of information about security controls between organizations and systems, enabling the automation of security assessments.

As organizations increasingly move from periodic audits to continuous administrative monitoring, the free flow of information in a consistent, machine-readable format becomes a key requirement. Google Cloud is considering leveraging OSCAL as its standard. The goal is to use a combination of data structures and tools to automate the monitoring of security controls, protect data, and reduce risk.

Google Cloud OSCAL adoption and use

We are proud to be pioneers in OSCAL adoption. As a first step, we considered adopting the OSCAL data structure inside our own taxonomy, GRC tools, etc. This implementation was key to achieving an organized, comprehensive and consistent control and monitoring data structure.

Adopting the OSCAL taxonomy internally enables Google Cloud to consistently describe and evaluate its security controls. This helps improve your security posture and reduce the risk of security breaches. It also makes it easier to automate the process of assessing your security posture.

We have also developed internal tools to automatically generate OSCAL files in JSON and XML using internal controls and control monitoring metrics data.

We believe these efforts will make it easier for organizations to adopt and use OSCAL. We are continually working to develop and improve OSCAL and look forward to seeing what the future holds for this important security standard.

Drive compliance transparency and automation

Google Cloud’s adoption of OSCAL is a major step forward in achieving and supporting compliance. It provides a single source of truth for security documentation; allows you to standardize compliance deliverables, automate security assessments, and automate remediation; and helps establish compliance transparency within your company.

Google Cloud is committed to enhancing, expanding, and supporting compliance to support our customers. In the future, we plan to explore options for externalizing packages in OSCAL format that customers can use to automate security assurance processes across multiple compliance frameworks.

We are also committed to working with NIST to help improve the OSCAL data model and help grow the OSCAL community.

