OSCAL (Open Security Controls Assessment Language) is the NIST-led, machine-readable format for security control assessments. The System Security Plan (SSP) is the master document that maps an organisation's controls to a framework. DEFONEOS produces an OSCAL SSP for every customer; the SSP is the master evidence document; the SIGIL pack is the chain of custody for the SSP's claims.
This page is the technical deep-dive on the DEFONEOS OSCAL SSP pipeline. It documents the 16 control families, the 240 tests, the 6-hour pipeline duration, the NIST 800-53 Rev 5 mapping, and the three output formats (JSON, YAML, XML). The page is written for the named CISO, security architect, and OSCAL engineer inside a customer organisation.
| # | Family | NIST 800-53 Rev 5 identifier | DEFONEOS coverage |
|---|---|---|---|
| 1 | Access Control | AC | AC-1 to AC-25 (25 controls) |
| 2 | Awareness and Training | AT | AT-1 to AT-6 (6 controls) |
| 3 | Audit and Accountability | AU | AU-1 to AU-16 (16 controls) |
| 4 | Assessment, Authorisation, Monitoring | CA | CA-1 to CA-9 (9 controls) |
| 5 | Configuration Management | CM | CM-1 to CM-14 (14 controls) |
| 6 | Contingency Planning | CP | CP-1 to CP-13 (13 controls) |
| 7 | Identification and Authentication | IA | IA-1 to IA-13 (13 controls) |
| 8 | Incident Response | IR | IR-1 to IR-10 (10 controls) |
| 9 | Maintenance | MA | MA-1 to MA-7 (7 controls) |
| 10 | Media Protection | MP | MP-1 to MP-9 (9 controls) |
| 11 | Physical and Environmental Protection | PE | PE-1 to PE-23 (23 controls) |
| 12 | Planning | PL | PL-1 to PL-11 (11 controls) |
| 13 | Program Management | PM | PM-1 to PM-32 (32 controls) |
| 14 | Personnel Security | PS | PS-1 to PS-9 (9 controls) |
| 15 | Risk Assessment | RA | RA-1 to RA-7 (7 controls) |
| 16 | System and Services Acquisition | SA | SA-1 to SA-23 (23 controls) |
| 17 | System and Communications Protection | SC | SC-1 to SC-39 (39 controls) |
| 18 | System and Information Integrity | SI | SI-1 to SI-23 (23 controls) |
| 19 | Supply Chain Risk Management | SR | SR-1 to SR-13 (13 controls) |
| 20 | Account Management, Wireless, Mobile Code, etc. | AC/WA/MC | Misc (10 controls) |
The 16 control families are grouped into 20 NIST 800-53 Rev 5 control classes. DEFONEOS covers all 20 classes. The 240 tests are sampled across the 20 classes; the sampling is statistically significant (95% confidence, ±3% margin).
The 240 tests are organised into 6 categories:
| Category | Test count | What is tested |
|---|---|---|
| Configuration tests | 60 | Hardening baselines, CIS benchmarks, NCSC device-guides |
| Identity tests | 40 | Authentication, authorisation, account lifecycle |
| Audit tests | 35 | Log generation, log integrity, log retention |
| Network tests | 30 | Segmentation, encryption-in-transit, TLS configuration |
| Data tests | 45 | Encryption-at-rest, key management, data classification |
| Incident-response tests | 30 | SEV-1 to SEV-4 detection, escalation, recovery |
| Total | 240 |
Each test has a unique identifier (e.g., T-CONF-001 through T-CONF-060 for configuration tests). The test result is SIGIL-anchored; the SIGIL pack is the chain of evidence for the test's pass/fail status.
The DEFONEOS OSCAL SSP pipeline takes 6 hours to run, end-to-end. The 6 hours are distributed as follows:
The 6-hour pipeline is the same for every customer; the configuration is parameterised; the SIGIL pack is the chain of evidence that the pipeline ran against the customer's environment.
DEFONEOS produces the SSP in three machine-readable formats:
JSON is the default format for machine consumption. The SSP is a single JSON document that conforms to the OSCAL JSON schema. The JSON document is SIGIL-anchored; the SIGIL chain is the chain of evidence for the document's integrity.
YAML is the human-readable format for engineering teams. The YAML document is generated from the JSON; the YAML is round-trip-safe (YAML → JSON is a deterministic transformation).
XML is the legacy format for OSCAL consumers that have not yet adopted JSON. The XML is generated from the JSON via the OSCAL XML schema; the XML is round-trip-safe.
All three formats are byte-equivalent in content; they differ only in syntax. The customer chooses the format that matches their downstream toolchain.
The OSCAL SSP maps the 16 control families to NIST 800-53 Rev 5 (the authoritative catalogue). The mapping is:
| OSCAL family | NIST 800-53 Rev 5 family | Coverage |
|---|---|---|
| Access Control | AC | 25/25 |
| Audit and Accountability | AU | 16/16 |
| Configuration Management | CM | 14/14 |
| Identification and Authentication | IA | 13/13 |
| Incident Response | IR | 10/10 |
| Risk Assessment | RA | 7/7 |
| System and Services Acquisition | SA | 23/23 |
| System and Communications Protection | SC | 39/39 |
| System and Information Integrity | SI | 23/23 |
| Supply Chain Risk Management | SR | 13/13 |
All 10 NIST 800-53 Rev 5 high-impact families are fully covered. The mapping is the audit backbone for any US federal customer; the SIGIL pack is the chain of evidence.
The non-cooperative audit asks 5 questions. The OSCAL SSP answers all 5:
The 6-hour pipeline produces 8 output artefacts:
All 8 artefacts are SIGIL-anchored; all 8 are the chain of evidence; the bundle is the customer-ready audit pack.