AWS ships Spring 2026 SOC reports in OSCAL
Machine-readable assurance only helps if customers can trust the mapping, not just admire the JSON package in Artifact.
TL;DR
AWS released its Spring 2026 System and Organization Controls 1 and 2 reports in Open Security Controls Assessment Language format through AWS Artifact, alongside the PDF reports. The package covers 188 services for April 1, 2025 through March 31, 2026. AWS says it is the first major cloud provider to offer key compliance reports to customers in NIST’s machine-readable OSCAL format, a useful claim for automation teams but still vendor-stated.
AWS has put its Spring 2026 System and Organization Controls 1 and 2 reports into Open Security Controls Assessment Language, the National Institute of Standards and Technology machine-readable format better known as OSCAL. Customers can download the OSCAL package as a distinct item in AWS Artifact, along with the conventional PDF reports. The reports cover 188 services over the 12-month period from April 1, 2025 through March 31, 2026.
For compliance teams, the practical value is obvious: SOC evidence that can be parsed by tooling instead of re-keyed from a PDF. That is not magic, and it does not make AWS’s controls more effective. It changes the evidence handling problem. An engineer or a governance, risk, and compliance (GRC) team can start treating the SOC package as structured input for workflows, mappings, checks and internal review queues.
The caveat is equally obvious. AWS says it is the first major cloud provider, as of June 2026, to offer key compliance reports to customers in OSCAL format. Fine, but that is AWS’s claim, and the hard part is not producing JSON. The hard part is whether customers, assessors and tools can rely on the structure and semantics without rebuilding the old PDF review process in a more fashionable file format. FedRAMP has been pushing OSCAL-enabled digital authorization packages and automated validations for years, including a 2024 pilot focused on clearer package formation and validation checks, but this AWS release is SOC evidence, not a FedRAMP authorization package (https://csrc.nist.gov/csrc/media/Projects/open-security-controls-assessment-language/images-media/OSCAL%20Mini%20Workshop%20Series%20Presentation%209.18.2024.pdf).
Monday morning, AWS customers should not treat this as a new control requirement. They should check whether their GRC tooling can ingest the Artifact package, whether the 188 in-scope services match their actual architecture, and whether any internal SOC review procedures can be updated to preserve the machine-readable evidence instead of printing the future back into a spreadsheet.
Published · Deep Fathom