Import in OSCAL format
Import Open Security Controls Assessment Language (OSCAL) formatted Catalog, System Security Plan (SSP), and Plan of Action and Milestones (POA&M) into Continuous Authorization and Monitoring using a guided playbook experience that validates data and manages conflicts.
The Continuous Authorization and Monitoring (CAM) Open Security Controls Assessment Language (OSCAL) import feature provides a structured process for integrating security control data from external sources. This guided experience supports importing JSON files in Catalog, System Security Plan (SSP), Plan of Action and Milestones (POA&M) and Assessment Plan (AP) models using the OSCAL format developed by the National Institute of Standards and Technology (NIST).
CAM supports OSCAL version 1.1.2.
The import process guides you through structured stages from the OSCAL Import landing page. The landing page displays previously imported OSCAL files with their current statuses. Select New Import from the All OSCAL Imports landing page to start a new import.
- The Details stage captures import information including the OSCAL model, source, and notification recipients for import status updates.
- The Attachments stage accepts file uploads for OSCAL-formatted content corresponding to the selected model. For the Catalog OSCAL model, upload the catalog file to proceed. For the SSP OSCAL model, upload the catalog, profile, and SSP files, plus overlay files if applicable and POA&M files if needed. For the POA&M OSCAL model, upload one or more POA&M files linked to the same authorization package.
- The Package Mapping stage associates Plan of Action and Milestones (POA&M) files with specific authorization packages. This stage applies only when selecting the POA&M OSCAL model.
- The Roles and Responsibilities stage assigns users to specific roles for the imported files. These users maintain their roles throughout each step in the authorization package. This stage applies only when selecting the SSP OSCAL model.
- The Preview and Override stage displays files for upload with counts of records to be created or skipped. Take appropriate actions including importing, skipping, or overriding records. You can override only files in the skipped state. Overriding a package overrides all associated package data.
For more information on the OSCAL import error and control catalog, see the OSCAL Import [KB1794095] article in the Now Support Knowledge Base.
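A pre-upload check for the Attachments stage, as an added example that is not part of the product or its documentation: it identifies each JSON file's OSCAL model from its root key, compares `metadata.oscal-version` with the supported 1.1.2, and confirms that the file set matches the selected import model. The function names, the sample document, and the choice to flag any version other than 1.1.2 are assumptions made for illustration.

```python
import json

SUPPORTED_OSCAL_VERSION = "1.1.2"  # version the page says CAM supports

# OSCAL JSON root keys (NIST OSCAL) mapped to the model names used on the page
ROOT_KEYS = {
    "catalog": "Catalog", "profile": "Profile",
    "system-security-plan": "SSP",
    "plan-of-action-and-milestones": "POA&M",
    "assessment-plan": "AP",
}

# Files the Attachments stage expects per selected import model (from the page);
# overlay files and the optional POA&M files for SSP imports are not enforced.
REQUIRED = {"Catalog": {"Catalog"}, "SSP": {"Catalog", "Profile", "SSP"}, "POA&M": {"POA&M"}}

# Constructed sample: a minimal catalog stamped with an older OSCAL version
SAMPLE = ('{"catalog": {"uuid": "00000000-0000-4000-8000-000000000000", '
          '"metadata": {"title": "demo", "oscal-version": "1.0.4"}}}')

def inspect(text):
    """Return (model, oscal_version) for one OSCAL JSON document, or raise ValueError."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    roots = [k for k in doc if k in ROOT_KEYS] if isinstance(doc, dict) else []
    if len(roots) != 1:
        raise ValueError("expected exactly one OSCAL root object")
    body = doc[roots[0]]
    meta = body.get("metadata") if isinstance(body, dict) else None
    return ROOT_KEYS[roots[0]], meta.get("oscal-version") if isinstance(meta, dict) else None

def preflight(import_model, files):
    """files maps name -> JSON text. Returns a list of problems; empty means ready."""
    problems, seen = [], set()
    for name, text in files.items():
        try:
            model, version = inspect(text)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        seen.add(model)
        if version != SUPPORTED_OSCAL_VERSION:
            problems.append(f"{name}: oscal-version {version!r}, expected {SUPPORTED_OSCAL_VERSION}")
    for missing in sorted(REQUIRED[import_model] - seen):
        problems.append(f"missing {missing} file for {import_model} import")
    return problems
```

Calling `preflight("SSP", {...})` on the files staged for upload returns one line per problem, so an empty list means the set is ready for the Attachments stage.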