New Computer Language Promises More Security

A new computer language developed by NIST (US National Institute of Standards and Technology) could greatly improve the ability to quickly assess compliance and security in cloud environments, including those used by the US Defense Department’s JEDI, as well as those used by the Intelligence Community and the defense industrial base.

The Open Security Controls Assessment Language (OSCAL) offers the ability to represent cloud compliance and security requirements in machine-readable formats, such as the widely used Extensible Markup Language (XML), JavaScript Object Notation (JSON), and Yet Another Markup Language (YAML). 

Because OSCAL provides formats that are machine readable, it will enable a greater degree of compliance and security automation in what are already highly automated cloud environments, enabling assessments to keep pace with software development and IT operations.

OSCAL will make it quicker and easier to assess cloud environment compliance and security against custom as well as established cybersecurity standards, such as NIST Special Publication 800-53.

Currently, there is a huge push to implement DevSecOps and cloud Infrastructure as Code (IaC) in DoD’s cloud environments. DevSecOps and IaC are separate initiatives but are closely related. DevSecOps, which relies heavily on IaC, provides opportunities to speed up how apps are developed and delivered to warfighters and warfighter support functions, such as logistics – shrinking the time it takes to develop and deliver apps from years, months, or weeks to hours or even minutes, in some cases.

But the same tech that enables this speed of delivery opens threat vectors that are increasingly targeted for hacking, security experts say. This is one reason many DoD entities are moving to zero-trust security. In the specific case of IaC, OSCAL provides the ability to automate compliance and security assessments in DevSecOps cloud environments, as reported by breakingdefense.com.