I am excited to announce significant updates to the OSCAL Rest OpenAPI Specification and am looking forward to public feedback so we can improve it as a community!
This is an open-source specification that freely enables the exchange of OSCAL XML, JSON and YAML content between tools and organizations.
We defined the specification using REST principles and the OpenAPI 3.1 standard. Following this standard, developers can assert identities and access tokens via HTTP headers. Each implementation can adjudicate and manage access as the organization sees fit.
The specification now offers endpoints to create, manage and retrieve snapshots. This enables security teams to capture the state of documentation at the time of assessment or adjudication. The specification calls on implementations to make the snapshot timestamp immutable and offers endpoints to manage snapshot labels and tags.
The specification’s attachment handling now honors REST principles while balancing performance and flexibility. When a client requests OSCAL content, it receives that content without its attachments; however, the attachment endpoints are embedded in the href fields. Each attachment may be retrieved or replaced with separate API calls. This enables the client to govern if, when, and how the individual attachments are transferred.
Attachment endpoints use the OSCAL resource UUID to reference the attachment itself. Additional endpoints enable the client to update the OSCAL resource content that describes the attachment. For better insight on handling attachments, check out the usage scenarios page.
Please review the specification and provide feedback either via email (oscal@oscal.io) or by opening an issue in the Easy Dynamics oscal-rest GitHub repository.
Key Features:
- Tool-to-Tool / Org-to-Org Transfers
- OSCAL XML, JSON and YAML Formats
- Robust File Attachment Handling
- OSCAL Content Snapshots
- Profile Resolution Snapshots
- OpenAPI 3.0-compliant Specification
