OSCAL Export
GOVERN exports compliance data in NIST OSCAL (Open Security Controls Assessment Language) format. OSCAL is the federal standard for machine-readable security documentation, enabling automated compliance validation and continuous ATO programs.
Supported OSCAL Models
| OSCAL Model | Description | GOVERN Support |
|---|---|---|
| Catalog | Control definitions | Consumed (NIST 800-53) |
| Profile | Control baselines | Consumed (FedRAMP High/Mod/Low) |
| Component Definition | System component descriptions | Generated |
| System Security Plan | Full SSP in OSCAL | Generated |
| Assessment Plan | SAP skeleton | Generated |
| Assessment Results | Automated control findings | Generated |
| Plan of Action & Milestones | POA&M items | Generated |
Generating OSCAL Exports
System Security Plan (SSP)
```bash
govern compliance export \
  --framework nist-800-53 \
  --baseline moderate \
  --format oscal-json \
  --output ssp.json
```
```bash
# XML format
govern compliance export \
  --framework nist-800-53 \
  --baseline moderate \
  --format oscal-xml \
  --output ssp.xml
```
Assessment Results
```bash
govern compliance export \
  --type assessment-results \
  --period 2026-01-01/2026-03-31 \
  --format oscal-json \
  --output assessment-results-q1-2026.json
```
POA&M
```bash
govern compliance export \
  --type poam \
  --status open \
  --format oscal-json \
  --output poam.json
```
Automated SSP Updates
GOVERN can automatically update OSCAL SSP content when:
- System components change (new AI systems added/removed)
- Control implementations change (policy updates)
- Inventory changes (new users, endpoints)
Configure automatic SSP updates:
```yaml
compliance:
  oscal:
    autoUpdate:
      enabled: true
      triggerOn:
        - system_added
        - system_removed
        - policy_changed
        - user_added
        - user_removed
      repository:
        type: git
        url: https://github.com/agency/oscal-ssp
        branch: main
        commitOnUpdate: true
```
Continuous ATO Integration
GOVERN supports cATO programs by providing:
- Automated control testing — GOVERN continuously tests implemented controls and records results
- OSCAL Assessment Results — Results exported in machine-readable format
- Risk posture dashboard — Real-time view of control health
- Threshold alerting — Alert when control health drops below ATO risk tolerance
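One way to act on an exported Assessment Results file in a pipeline, as an added example that is not GOVERN's own code: it tallies finding states from the OSCAL assessment-results layout and fails closed when control health falls below tolerance. The 0.90 tolerance, the function names and the sample findings are assumptions constructed for illustration.

```python
import json
import sys

TOLERANCE = 0.90  # assumed risk tolerance; set to the AO-approved value


def _finding(target_id, state):
    return {"target": {"type": "statement-id", "target-id": target_id,
                       "status": {"state": state}}}


# Constructed sample in the OSCAL assessment-results layout (not GOVERN output).
SAMPLE = {"assessment-results": {"results": [{"findings": [
    _finding("ac-2_smt", "satisfied"),
    _finding("au-6_smt", "satisfied"),
    _finding("ia-2_smt", "satisfied"),
    _finding("si-4_smt", "not-satisfied"),
]}]}}


def control_health(doc):
    """Return (satisfied, total, failing_target_ids) over every result."""
    root = doc.get("assessment-results") if isinstance(doc, dict) else None
    if not isinstance(root, dict):
        raise ValueError("not an OSCAL assessment-results document")
    satisfied, failing = 0, []
    for result in root.get("results", []):
        for finding in result.get("findings", []):
            target = finding.get("target", {})
            if target.get("status", {}).get("state") == "satisfied":
                satisfied += 1
            else:  # a missing or unknown state counts as failing (fail closed)
                failing.append(target.get("target-id", "<no target-id>"))
    return satisfied, satisfied + len(failing), failing


def within_tolerance(doc, tolerance=TOLERANCE):
    """Return (ok, ratio, failing); an export with no findings is not ok."""
    satisfied, total, failing = control_health(doc)
    ratio = satisfied / total if total else 0.0
    return ratio >= tolerance, ratio, failing


if __name__ == "__main__":
    # Pass the path of an exported file, or run with no argument for the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    ok, ratio, failing = within_tolerance(doc)
    print(f"control health {ratio:.0%}, failing: {failing or 'none'}")
    sys.exit(0 if ok else 1)
```

The non-zero exit status lets a CI job or scheduler treat a drop below tolerance, or an empty export, as a failed step.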
cATO Workflow
```
GOVERN monitors → findings exported as OSCAL →
consumed by GovDASH or eMASS →
AO reviews automated findings →
continuous authorization maintained
```
Integration with eMASS
GOVERN can push OSCAL data to DoD eMASS (Enterprise Mission Assurance Support Service):
```bash
govern compliance push \
  --target emass \
  --system-id "$EMASS_SYSTEM_ID" \
  --api-key "$EMASS_API_KEY" \
  --format oscal-json
```
This updates the eMASS system record with the latest control implementation evidence.