The Latest in the OSCAL Hub: AI Makes OSCAL Easy

The average regulator must spend days manually creating a machine-readable version of their requirements as an OSCAL catalog. OSCAL Hub’s new AI features mean this can be done in minutes.
When RegScale launched OSCAL Hub in December 2025 as a free, open-source platform (with plans to donate to the OSCAL Foundation), the mission was straightforward: give Authorizing Officials (AOs) an easy button and give compliance teams a way to stop reviewing security packages in Word. The original release changed how ATO packages were built and reviewed. This release expands on that functionality to make OSCAL easier to generate and share across the ecosystem.
Manual OSCAL authoring is the bottleneck nobody talks about. You look up control language, write narratives, and reformat everything into valid JSON or XML by hand. 83% of organizations say manual compliance work causes moderate or major delays, and 58% burn through 2,000+ person-hours per year on evidence collection alone.
The problem runs deeper than evidence collection. First-draft authoring, document validation, and monthly POA&M reconciliation each pull qualified people into work that should be automated. This release attacks all three.
Here is a sneak peek at what is new.
AI wizards that draft your OSCAL documents
Five new AI Wizards generate a working OSCAL document from a PDF, a URL, or pasted text. Drop in a security plan PDF, and the SSP Wizard produces a draft populated with control implementations, ready to review and refine. The Component Definition Wizard turns a STIG or CIS guide into a mapped OSCAL Component Definition. The POA&M Wizard converts a penetration test report or Excel spreadsheet into a structured POA&M item.
Each organization brings its own Anthropic API key, configured at the org-admin level. The key is encrypted at rest, token usage is tracked per session, and the output is real, schema-valid OSCAL. Not a summary. Not a starter kit. An actual working document that your team can edit, validate, and publish.
For teams that need to encode internal validation rules for automated assessment, the AI Rule Generator writes Metapath constraint code from a plain-English description, runs synthetic positive and negative tests to verify the logic, and saves it to your organization’s validation profile. Non-engineers can now author compliance validation rules in minutes.
Visual builders for every OSCAL type
Getting AI to produce a first draft is half the problem. Your team still needs to edit, validate, and finalize. The new structured builders cover every OSCAL document type: Catalogs, Profiles, Component Definitions, SSPs, Assessment Plans, Assessment Results, and POA&Ms.
Each builder steps through the document structure, validates against the OSCAL Metaschema at each step, and surfaces errors inline as you type. Power users get a Monaco code editor with dark mode and one-click UUID regeneration. AI-generated drafts hand off directly into the builder, so the workflow from generation to publication is unbroken.
The efficiency gain is measurable: what previously required over 1,000 hours of manual SSP writing in Word now takes two hours using validated templates. That is the difference between compliance as a bottleneck and compliance as an enabler.
Continuous Controls Monitoring for authorization packages
ConMon teams ingest a fresh FedRAMP POA&M each month and spend hours reconciling it against the prior snapshot. OSCAL Hub now handles that automatically. Upload a FedRAMP Rev 5 POA&M XLSX or an OSCAL POA&M JSON, and the reconciliation engine categorizes every item: new, closed, modified, unchanged, removed, or re-opened.
KPI tiles, four time-series charts, and a paginated items drawer replace the ad-hoc Excel work. Auditors and program managers see exactly what changed since the last reporting cycle, with full lineage preserved. This is Continuous Controls Monitoring applied to the authorization workflow, built in as a first-class feature on every authorization package.
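The reconciliation step described above is simple to state but easy to get wrong by hand: every item in the new snapshot has to be matched against the prior one and sorted into exactly one of the six categories, while the old and new values are kept for lineage. The following is an added example written for this article, not OSCAL Hub's own reconciliation engine. The item shape (a uuid plus a few flat fields), the status values that count as closed, the set of fields whose change makes an item "modified", and the precedence rule that a status change to or from closed wins over other field changes are all assumptions; the two snapshots are constructed sample data, not real POA&M exports.

```python
"""Reconcile two POA&M snapshots into the six change categories.

Added example, not OSCAL Hub code. Item shape, status vocabulary and the
category rules below are assumptions chosen for illustration.
"""
from __future__ import annotations

CATEGORIES = ("new", "closed", "modified", "unchanged", "removed", "re-opened")

# Fields whose change makes an item "modified" (assumption).
TRACKED_FIELDS = ("title", "status", "scheduled_completion", "risk")

# Status values treated as closed (assumption; a missing status counts as open).
CLOSED_STATUSES = {"closed", "completed"}

# Constructed sample snapshots: prior reporting cycle and the freshly uploaded one.
PRIOR_SNAPSHOT = [
    {"uuid": "P-001", "title": "Patch web tier", "status": "open",
     "scheduled_completion": "2025-11-30", "risk": "moderate"},
    {"uuid": "P-002", "title": "Rotate service creds", "status": "open",
     "scheduled_completion": "2026-01-15", "risk": "low"},
    {"uuid": "P-003", "title": "Enable audit logging", "status": "closed",
     "scheduled_completion": "2025-09-30", "risk": "moderate"},
    {"uuid": "P-004", "title": "Segment mgmt network", "status": "open",
     "scheduled_completion": "2025-12-31", "risk": "high"},
    {"uuid": "P-005", "title": "Retire legacy host", "status": "open",
     "scheduled_completion": "2025-10-31", "risk": "low"},
]
CURRENT_SNAPSHOT = [
    {"uuid": "P-001", "title": "Patch web tier", "status": "closed",
     "scheduled_completion": "2025-11-30", "risk": "moderate"},   # closed
    {"uuid": "P-002", "title": "Rotate service creds", "status": "open",
     "scheduled_completion": "2026-01-15", "risk": "low"},        # unchanged
    {"uuid": "P-003", "title": "Enable audit logging", "status": "open",
     "scheduled_completion": "2026-02-28", "risk": "moderate"},   # re-opened
    {"uuid": "P-004", "title": "Segment mgmt network", "status": "open",
     "scheduled_completion": "2026-03-31", "risk": "high"},       # modified (date slipped)
    {"uuid": "P-006", "title": "Fix TLS config", "status": "open",
     "scheduled_completion": "2026-04-30", "risk": "moderate"},   # new
    # P-005 is absent from this snapshot -> removed
]


def is_closed(item: dict) -> bool:
    """True when the item's status is in the closed vocabulary (case-insensitive)."""
    return str(item.get("status", "")).lower() in CLOSED_STATUSES


def changed_fields(old: dict, new: dict) -> dict[str, tuple]:
    """Lineage record: {field: (old_value, new_value)} for each tracked field that differs."""
    return {f: (old.get(f), new.get(f)) for f in TRACKED_FIELDS if old.get(f) != new.get(f)}


def reconcile(prior: list[dict], current: list[dict]) -> tuple[dict[str, list[str]], dict]:
    """Return ({category: [uuid, ...]}, {uuid: changed_fields}) for the two snapshots.

    Each current item lands in exactly one category. A transition into or out of a
    closed status takes precedence over other field changes, so an item that was
    closed and also re-titled is reported as "closed", with the title change kept
    in the lineage record rather than lost.
    """
    prior_by_id = {it["uuid"]: it for it in prior}
    current_by_id = {it["uuid"]: it for it in current}
    result: dict[str, list[str]] = {c: [] for c in CATEGORIES}
    lineage: dict[str, dict] = {}

    for uuid, cur in current_by_id.items():
        old = prior_by_id.get(uuid)
        if old is None:
            result["new"].append(uuid)
            continue
        diff = changed_fields(old, cur)
        if diff:
            lineage[uuid] = diff
        if not is_closed(old) and is_closed(cur):
            category = "closed"
        elif is_closed(old) and not is_closed(cur):
            category = "re-opened"
        elif diff:
            category = "modified"
        else:
            category = "unchanged"
        result[category].append(uuid)

    # Items that vanished from the upload are flagged rather than silently dropped.
    for uuid in sorted(prior_by_id.keys() - current_by_id.keys()):
        result["removed"].append(uuid)
    return result, lineage


def kpi_counts(result: dict[str, list[str]]) -> dict[str, int]:
    """Per-category counts, the numbers a KPI tile would display."""
    return {c: len(ids) for c, ids in result.items()}


if __name__ == "__main__":
    categories, history = reconcile(PRIOR_SNAPSHOT, CURRENT_SNAPSHOT)
    for cat, ids in categories.items():
        print(f"{cat:>10}: {ids}")
    print("lineage:", history)
```

Two details matter for an auditor: the "removed" category exists so that an item missing from the upload is surfaced as a question rather than quietly disappearing, and the lineage dictionary records old and new values for every changed field even when the item is bucketed as "closed" or "re-opened", which is what preserves the history between reporting cycles.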
Share your compliance work with the community
The new Public Data Mart at /catalog makes it possible to publish any OSCAL artifact: catalogs, overlays, baseline mappings, component libraries. Three visibility tiers give you precise control: Private (you only), Organization (your team), and Public (world-readable).
Public items are browsable without a login. Downloads are gated to authenticated users so attribution data is preserved. The catalog is also accessible via API for teams pulling OSCAL content into automation workflows. Your internal compliance work can become a public knowledge resource, or you can build on what others have already published.
A platform that supports itself
Two features in this release address what happens after the document is built. A full built-in user guide at /guide covers every capability across 50+ pages, organized into 10 sections, with a context-sensitive Help button on every screen that links directly to the relevant page. New users answer their own questions with built-in self-help features.
An in-app ticketing system replaces the scattered email threads and Slack messages that compliance tools typically generate. Bug reports and feature requests are filed directly from the avatar menu, tracked with full thread history, and closed with email notifications at every state transition. Admins get a searchable panel with volume, aging, and resolution metrics. Nothing gets lost; everything has a record.
Together, these features close the loop on the user experience. A platform that is hard to use and hard to get help with creates adoption drag. OSCAL Hub now removes both.
Compliance-as-code at production scale
OSCAL Hub started as a place to build OSCAL documents. This release makes it a compliance platform: AI generation, visual editing, Continuous Controls Monitoring, multi-tenant authorization management, a public knowledge layer for the community, and now the support infrastructure a usable platform requires.
RegScale customers can connect OSCAL Hub directly into their Continuous Controls Monitoring workflows, closing the loop from document creation to ongoing monitoring. The teams burning 2,000+ hours per year on manual evidence collection are exactly the ones this release was built for. RegScale’s platform already delivers 90% faster compliance certifications and a 60% reduction in audit preparation effort. OSCAL Hub’s latest release extends that velocity to every layer. Get free access to OSCAL Hub or connect with our team to see a live demo of RegScale.
Ready to get started?
Choose the path that is right for you!
Skip the line
My organization doesn’t have GRC tools yet and I am ready to start automating my compliance with continuous monitoring pipelines now.
Supercharge
My organization already has legacy compliance software, but I want to automate many of the manual processes that feed it.
