Export in OSCAL format

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    • CAM supports the Open Security Controls Assessment Language (OSCAL) used by the National Institute of Standards and Technology (NIST) that provides control-related information in standardized machine-readable formats. CAM supports Catalog, Profile, SSP, Assessment Plan (AP), and Assessment Results (AR) models.

    Source tables to fetch data for the models

    Source table JSON property
    Catalog
    Control objective controls
    Control Objective to Control objective requirement statements parts
    Test template to Assessment procedure assessment objective parts
    Control Objective guidance
    Test Template Assessment-method (Examine)
    Test Template Assessment-method (Interview)
    Profile
    Baseline Control Include-controls
    Baseline Control Exclude-controls
    SSP
    Authorization boundary components
    Authorization package leveraged-authorization
    Authorization boundary security-impact-level
    Control requirement statements
    Authorization boundary by-components
    Information type Information-types
    Assessment Plan
    Engagement assessment-plan
    Engagement metadata metadata (title, state, objectives, progress, dates, budget)
    Users metadata.parties
    Roles metadata.roles, responsible-parties
    Control tests local-definitions.activities
    Assessment procedures local-definitions.activities.steps
    Controls in scope reviewed-controls
    Package reference import-ssp.href
    Assessment Results
    Engagement results (actual dates, actual cost, state, percent complete)
    Engagement metadata metadata (responsible parties, roles, parties, props)
    Control tests local-definitions.activities, results.attestations
    Assessment procedures local-definitions.activities.steps, results.attestations.parts.parts
    Reviewed controls results.reviewed-controls
    AP reference import-ap.href
    Note:
    When you generate OSCAL files for an authorization package, the export includes overlays from two sources: overlays applied directly to the authorization package, and overlays from any associated control tailoring requests. Previously, only package-level overlays were included in the export.

    The number of overlay catalog files generated reflects the total number of distinct overlays across the authorization package and any associated control tailoring requests. For example, if a package has two overlays and a control tailoring request introduces a third, the export produces three overlay catalog files.

    The OSCAL export files also include control tailoring request data. Each requested change in the implemented requirements section contains a reference to its control tailoring request and the associated control objective. The metadata section of the OSCAL export files includes:

    • Responsible parties: the CTR assigned-to role, alongside existing package and boundary role assignments
    • Roles: CTR-specific roles exported alongside existing package roles
    • System characteristics props: props representing control tailoring request data for traceability

    Previously, the Generate OSCAL button was a split button that let you select individual models to export (such as SSP, Assessment Plan, or Assessment Report). The button is now a unified action that generates all applicable OSCAL models for the package in a single operation. The models generated depend on the package configuration. When the export is complete, a Download button appears.

    For more information, see the following topics: