RegScale Open Sources OSCAL Hub to Further Compliance-as-Code Adoption
RegScale has released the open-source OSCAL Hub, which helps organizations collect and manage compliance data based on the NIST framework. The platform simplifies the authorization process and supports DevOps and GRC integration. 2025-12-18 22:26:0 Author: securityboulevard.com

RegScale this week added an open source hub through which organizations can collect and organize compliance data based on the Open Security Controls Assessment Language (OSCAL) framework.

Announced at the OSCAL Plugfest conference, the OSCAL Hub provides a central repository that makes it simpler for organizations and government agencies to adopt a framework that removes the need to rely on spreadsheets and paper-based processes when seeking authorizations, for example to move forward with a construction project.

RegScale CEO Travis Howerton said the company is opting to make OSCAL Hub available under an open source license administered via the OSCAL Foundation to reduce a major adoption hurdle for organizations looking to transition to managing authorizations as code.

Originally developed by the National Institute of Standards and Technology (NIST), the OSCAL framework defines cybersecurity controls in machine-readable formats such as JSON, XML, and YAML to make it simpler to automate authorization workflows. Potential use cases for OSCAL span everything from embedding validated OSCAL data into DevOps workflows and continuous integration/continuous delivery (CI/CD) pipelines to automating entire governance, risk and compliance (GRC) workflows.
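As an added example (not RegScale's or the OSCAL Hub's code), here is the kind of validation step a CI/CD stage could run over OSCAL JSON: it cross-checks a system security plan's implemented requirements against the catalog it claims to implement, so a mistyped control id or a control nobody addressed fails the build. Both documents are constructed and trimmed to the fields the check needs; a real validator would also verify the required uuid and metadata fields, which this one assumes away.

```python
import json

# Constructed, minimal OSCAL-style catalog (assumption: the uuid, metadata and
# back-matter a real catalog carries are omitted; only control ids matter here).
CATALOG_JSON = """{"catalog": {"groups": [
  {"id": "ac", "title": "Access Control", "controls": [
    {"id": "ac-1", "title": "Policy and Procedures"},
    {"id": "ac-2", "title": "Account Management",
     "controls": [{"id": "ac-2.1", "title": "Automated System Account Management"}]}
  ]},
  {"id": "au", "title": "Audit and Accountability", "controls": [
    {"id": "au-2", "title": "Event Logging"}]}
]}}"""

# Constructed SSP fragment: one requirement cites a control id that is not in the
# catalog, and au-2 is never addressed. Either finding should stop the pipeline stage.
SSP_JSON = """{"system-security-plan": {"control-implementation": {"implemented-requirements": [
  {"uuid": "11111111-1111-4111-8111-111111111111", "control-id": "ac-1"},
  {"uuid": "22222222-2222-4222-8222-222222222222", "control-id": "ac-2.1"},
  {"uuid": "33333333-3333-4333-8333-333333333333", "control-id": "ac-99"}
]}}}"""


def catalog_control_ids(catalog):
    """Collect every control id in a catalog, descending into nested enhancements."""
    ids = set()

    def walk(controls):
        for control in controls:
            ids.add(control["id"])
            walk(control.get("controls", []))  # enhancements nest under their parent

    for group in catalog["catalog"].get("groups", []):
        walk(group.get("controls", []))
    walk(catalog["catalog"].get("controls", []))  # controls may also sit outside groups
    return ids


def check_ssp_against_catalog(catalog_text, ssp_text):
    """Return (ids the SSP cites but the catalog lacks, catalog ids the SSP never addresses)."""
    known = catalog_control_ids(json.loads(catalog_text))
    impl = json.loads(ssp_text)["system-security-plan"]["control-implementation"]
    referenced = {req["control-id"] for req in impl["implemented-requirements"]}
    return sorted(referenced - known), sorted(known - referenced)


if __name__ == "__main__":
    unknown, unaddressed = check_ssp_against_catalog(CATALOG_JSON, SSP_JSON)
    print("unknown:", unknown, "unaddressed:", unaddressed)
    raise SystemExit(1 if unknown or unaddressed else 0)  # non-zero exit fails the CI stage
```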

The overall goal is to convert an authorization process that previously required months to complete into a set of programmatic workflows that can be completed in a matter of minutes, said Howerton.

While compliance-as-code has been around as a concept for many years, adoption has remained uneven. There are, for example, many government agencies that still rely on manual workflows to process authorization requests, noted Howerton.

Just as importantly, compliance-as-code also significantly reduces the amount of time required to audit projects to ensure authorizations are being followed, he added. Automating workflows encourages anyone applying for an authorization to adhere to standards because it’s just simpler to do the right thing from the very start of the process, noted Howerton.

Hopefully, there will come a day soon when artificial intelligence (AI) agents are applied in a way that automates authorizations even faster without introducing any undue security risks. In the meantime, any organization that needs to request an authorization from another entity has a vested interest in encouraging that organization to adopt OSCAL, said Howerton.

The challenge, however, will be overcoming the many technical and cultural hurdles that often conspire to slow the pace of innovation. Fortunately, there is a lot more interest these days in automation to streamline workflows, especially in U.S. federal agencies, where the number of employees available to manage authorizations has sharply declined.

Regardless of political persuasion, most of the individuals performing any type of compliance task don’t enjoy the often massive amount of tedium involved. The simple fact is that there is a massive amount of opportunity to reduce costs in a way that should result in a better experience for everyone involved. The issue is assembling the amount of political will and economic resources required to change a set of workflows that in many ways have not fundamentally changed in decades.

Article source: https://securityboulevard.com/2025/12/regscale-open-sources-oscal-hub-to-further-compliance-as-code-adoption/