Ruf Risk is proud to be an inaugural member of the Open Security Controls Assessment Language (OSCAL) Foundation! This critical global partnership between government, industry and academia was launched to advance the development and adoption of standards to automate cyber security practices.
Brian Ruf supported the Foundation’s formation as the inaugural board chair, and he is excited to see participation from some of the biggest names in the industry, such as Google and AWS, as well as several governments, including the United States, Canada, and members of the European Union. The financial industry is also well represented.
Brian was thrilled to support the Foundation’s formal launch on February 10th, 2025, which was well attended by government and industry representatives and featured a compelling keynote address from Hart Rossman, Vice President, Global Services Security at AWS, in which he calls OSCAL the bridge that will enable better accuracy and continuous improvement that is the future state of cybersecurity.
During the launch event, Brian took the stage with RegScale CEO Travis Howerton and Easy Dynamics CTO Pirooz Javan as part of a discussion panel focused on FedRAMP’s adoption of OSCAL. The event also included panels discussing international adoption of OSCAL as well as the use case for OSCAL in the financial sector. A recording of this event is available.
The Foundation is hosting a Beginner’s Guide to OSCAL webinar on April 10th, and facilitates a weekly Technology Working Group as well as a bi-weekly Engagement Working Group, both of which are open to the public. The Technology Working Group is focused on advancing the OSCAL specification and clarifying best practices, while the Engagement Working Group is focused on resources that allow organizations to better understand the goals and use cases for OSCAL adoption as well as how to get started. Brian is active in both working groups.
Going forward, expect the OSCAL Foundation to be the unifying voice for organizations adopting OSCAL. The US Government’s traditional authorization processes will often be part of the discussion; however, expect to see other certifying bodies such as the Cloud Security Alliance, financial sector adoption, and a heavy emphasis on using OSCAL for continuous compliance monitoring. Please contact Ruf Risk if you would like to know more about the OSCAL Foundation or our involvement with it.