OSCAL Export Format

OSCAL (Open Security Controls Assessment Language) is a machine-readable format that GRC platforms (Archer, MetricStream, ServiceNow), auditors, and regulators accept. Export your compliance data as OSCAL to integrate with existing compliance tools.

What Is OSCAL?

OSCAL is an XML/JSON standard for representing:

• System descriptions
• Control requirements
• Control implementations (how you satisfy requirements)
• Assessment results
• Artifacts (evidence)

Instead of PDF reports (hard to parse), OSCAL is structured data that software can read.

When to Use OSCAL

• Uploading to GRC platform — MetricStream, Archer, Workiva accept OSCAL
• Auditor integration — Large firms use OSCAL for continuous audit workflows
• Regulatory submission — Some regulators accept OSCAL (EU, NIST programs)
• Cross-organization sharing — Vendors use OSCAL to show compliance to customers

How to Export

1. Go to Compliance > Reports > [Report]
2. Click Export
3. Select OSCAL (JSON or XML)
4. Choose:
   • Scope: Which systems, frameworks, controls
   • Include: Full documentation, summary, or references only
5. Click Download

OSCAL file can be imported into GRC platform or sent to auditor/regulator.

Next Steps

• Generate audit report: Audit-Ready Reports
• Export to ServiceNow/Jira: Jira/ServiceNow Integration