We are currently exploring the use cases behind OCRL to determine if there is community interest in going forward with a new standard. We encourage you to participate in this exploration by offering feedback regarding the viability and usefulness of OCRL via the National Institute of Standards and Technology’s "Emerging Specifications Discussion List."
Please submit all feedback to firstname.lastname@example.org.
OCRL Specification (PDF, 147 KB)
OCRL Tutorial (PDF, 408 KB)
OCRL Schema, v1 (XSD, 42 KB)
OCRL Example Files (ZIP, 6 KB)
Open Checklist Reporting Language (OCRLTM) is a language for writing machine-readable XML definitions that gather information from systems and present it as a standardized report for human evaluation of policy compliance. Each generated report file corresponds to a single policy recommendation.
OCRL complements existing benchmark languages such as Extensible Configuration Checklist Description Format (XCCDF) and Open Vulnerability and Assessment Language (OVAL®) — which already provide capabilities for structuring security guidance in a machine-understandable way and describing how to gather and evaluate system information to determine compliance — by addressing those instances where a human is necessary to determine compliance with a given policy recommendation, or where XCCDF and OVAL do not have the necessary capability to evaluate collected information for compliance with a recommendation. For example, a policy recommendation that states, “The user should disable unnecessary services on the computer,” requires human judgment to determine what services are unnecessary. An OCRL Definition could be written to provide a report of all the services running on the computer, which could then be used by a person to determine whether any unwanted services are present.
OCRL was specifically designed to work with the XCCDF and OVAL benchmark authoring languages. While OCRL documents can be used alone by a software program to create one or more reports, by using OCRL in conjunction with OVAL more automation can be called out from an XCCDF document than using OVAL alone, resulting in significantly enhanced capabilities for benchmark automation.