OSSA + NIST: The Contract Layer for Secure AI Agents
Three NIST CAISI pillars. One missing layer. OSSA provides the agent contract specification that industry-led standards, open-source discovery, and agent security all require.
The Three NIST CAISI Pillars
In February 2026, NIST launched three parallel initiatives that collectively represent the most significant government action on AI agent standards to date.
Industry-Led Standards
The CAISI RFI (Docket NIST-2025-0035) asks: what standards exist for AI agent interoperability? What gaps remain? How should identity and governance be standardized?
The OSSA manifest specification is a vendor-neutral YAML schema that defines agent identity, capabilities, trust boundaries, and governance. Just as OpenAPI standardized REST APIs, OSSA standardizes agent contracts.
Open-Source Discovery Protocols
The NCCoE AI Agent Identity Program focuses on how agents authenticate, discover each other, and verify trust across organizational boundaries.
DUADP, the Decentralized Universal AI Discovery Protocol, provides DNS-native discovery via .well-known endpoints, a federated mesh, and trust-ranked results. Live at discover.duadp.org.
Agent Security & Identity
The AI Agent Standards Initiative coordinates security research across NIST, NSA, and CISA — targeting agent attack surfaces, supply chain risks, and adversarial manipulation.
Cedar policies for pre-execution authorization, W3C DID-based identity (GAID), cryptographic manifest signatures (x-signature), and provenance chains.
How OSSA + DUADP Address CAISI
Two independent layers, three pillars, complete coverage
OSSA Manifest-to-RFI Mapping
Every CAISI RFI question maps to a concrete OSSA manifest field
| CAISI RFI Area | OSSA Manifest Field | Mechanism |
|---|---|---|
| 1a - Critical AI Safety Challenges | spec.authorization, spec.guardrails | Cedar pre-authorization, content filtering, prompt injection detection |
| 1d - Standards to Develop | apiVersion, kind, metadata | Vendor-neutral YAML manifest schema (like OpenAPI for agents) |
| 2a - Agent Identity | metadata.identity.did | W3C DID Core 1.0 Global Agent IDs (GAIDs) |
| 2e - Authentication & Authorization | spec.authorization.engine | Cedar policies, autonomy modes, allowed/blocked action lists |
| 3a - Monitoring | spec.observability | OpenTelemetry tracing, security events, cost tracking |
| 3b - Observability Standards | spec.observability.tracing | OTel semantic conventions, Prometheus metrics, structured logging |
| 4a - Supply Chain Security | spec.compliance.sbom_pointer | CycloneDX/SPDX SBOMs, OSCAL component mapping |
| 4b - Component Integrity | metadata.x-signature | Ed25519/ECDSA cryptographic attestation, provenance chains |
| 4d - Compliance Frameworks | spec.compliance.frameworks | NIST SP 800-53 Rev 5, FedRAMP, SOC2 profiles via OSCAL |
NIST SP 800-53 Rev 5 Control Mapping
OSSA manifest security controls mapped to federal security controls
| Control | Name | OSSA Implementation |
|---|---|---|
| AC-3 | Access Enforcement | Cedar pre-authorization, allowed/blocked actions, autonomy mode |
| AC-6 | Least Privilege | Scoped tool permissions, action allowlists, network constraints |
| AU-2 | Audit Events | OpenTelemetry security_events, action.attempted/blocked logging |
| AU-12 | Audit Generation | Structured tracing with session/interaction IDs, cost tracking |
| IA-3 | Device Identification | W3C DID Global Agent ID (GAID), instance IDs |
| IA-5 | Authenticator Management | x-signature (Ed25519, ECDSA, JWT, VC), public key registry |
| SC-7 | Boundary Protection | Network constraints, sandbox configuration, trust boundaries |
| SI-3 | Malicious Code Protection | Content filtering guardrails, prompt injection detection events |
| SI-7 | Software Integrity | Cryptographic manifest signatures, SBOM validation, provenance chains |
| SA-11 | Developer Testing | Conformance test suites (Basic/Standard/Enterprise), 121 test suites |
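
One way to check a manifest against the control mapping above before it is deployed. This is an added example, not OSSA tooling or code from the page: `CONTROL_FIELDS`, `lookup` and `lint` are hypothetical names, the lint rules are assumptions, and the sample manifest is constructed from the field names used on this page.

```python
# Control IDs and field paths come from the page's mapping tables. The lint
# rules, and the placement of autonomy directly under spec, are assumptions.
CONTROL_FIELDS = {
    "AC-3": ["spec.authorization.engine", "spec.authorization.policies"],
    "AC-6": ["spec.autonomy.allowed_actions", "spec.autonomy.blocked_actions"],
    "AU-2": ["spec.observability.security_events"],
    "IA-3": ["metadata.identity.did"],
    "IA-5": ["metadata.x-signature.type", "metadata.x-signature.publicKey"],
    "SI-7": ["metadata.x-signature.value", "spec.compliance.sbom_pointer"],
}
SIGNATURE_TYPES = {"Ed25519", "ECDSA", "JWT", "VC"}  # listed in the IA-5 row

def lookup(doc, path):
    """Return the value at a dotted path, or None if a segment is missing."""
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def lint(manifest):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"{ctl}: missing {p}" for ctl, paths in CONTROL_FIELDS.items()
                for p in paths if lookup(manifest, p) in (None, "", [])]
    autonomy = lookup(manifest, "spec.autonomy") or {}
    allowed = set(autonomy.get("allowed_actions") or [])
    blocked = set(autonomy.get("blocked_actions") or [])
    for action in sorted(allowed & blocked):
        findings.append(f"AC-6: '{action}' is both allowed and blocked")
    events = lookup(manifest, "spec.observability.security_events") or []
    if blocked and "action.blocked" not in events:
        findings.append("AU-2: blocked actions exist but action.blocked is not logged")
    sig_type = lookup(manifest, "metadata.x-signature.type")
    if sig_type is not None and sig_type not in SIGNATURE_TYPES:
        findings.append(f"IA-5: unsupported signature type '{sig_type}'")
    return findings

# Constructed sample: the page's manifest reduced to the linted fields.
GOOD = {
    "metadata": {"identity": {"did": "did:web:openstandardagents.org:agents:compliant-agent"},
                 "x-signature": {"type": "Ed25519", "value": "base64-encoded-signature",
                                 "publicKey": "base64-encoded-public-key"}},
    "spec": {"authorization": {"engine": "cedar", "policies": [{"effect": "forbid"}]},
             "autonomy": {"allowed_actions": ["read", "analyze", "report"],
                          "blocked_actions": ["delete", "modify_config", "exfiltrate"]},
             "observability": {"security_events": ["action.attempted", "action.blocked"]},
             "compliance": {"sbom_pointer": "./sbom.cdx.json"}},
}

if __name__ == "__main__":
    print(lint(GOOD) or "no findings")
```

The lint only confirms that the fields backing each control are present and mutually consistent; it does not verify the signature or evaluate the Cedar policies.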
Security Controls in Practice
A single OSSA manifest encodes identity, authorization, observability, and supply chain
```yaml
apiVersion: v0.4.6
kind: Agent
metadata:
  name: compliant-agent
  namespace: gov.nist.caisi
  identity:
    did: "did:web:openstandardagents.org:agents:compliant-agent"
  x-signature:
    type: Ed25519
    value: "base64-encoded-signature"
    publicKey: "base64-encoded-public-key"
    issuer: "did:web:openstandardagents.org"
spec:
  role: Secure AI agent with full NIST alignment
  llm:
    provider: anthropic
    model: claude-sonnet-4-6
  # Trust Boundaries (Cedar pre-authorization)
  authorization:
    engine: cedar
    policies:
      - effect: permit
        principal: { type: "User", role: "analyst" }
        action: "read_report"
      - effect: forbid
        principal: { type: "Agent" }
        action: "delete_data"
  autonomy:
    mode: supervised
    allowed_actions: [read, analyze, report]
    blocked_actions: [delete, modify_config, exfiltrate]
  # Observability (OpenTelemetry)
  observability:
    tracing:
      provider: otlp
      endpoint: "https://otel.example.com"
    security_events:
      - action.attempted
      - action.blocked
      - prompt_injection.detected
  # Supply Chain (SBOM + OSCAL)
  compliance:
    sbom_pointer: "./sbom.cdx.json"
    frameworks: ["NIST-SP-800-53-r5", "FedRAMP-Moderate"]
    oscal_component: "./ossa-oscal-component.json"
```
Live Demos & Resources
See the OSSA + DUADP stack in production
DUADP Discovery Explorer
Live federated agent discovery across DUADP nodes. Search agents, skills, and tools by capability.
Agent Marketplace
Browse OSSA-compliant agents with verified manifests, trust tiers, and Cedar policy previews.
Cedar Policy Engine
181 Cedar statements across 13 policy sets. Live pre-authorization for agent actions with full audit trail.
CAISI RFI Docket
Docket NIST-2025-0035 on regulations.gov
OSSA Specification
Agent contract schema, security controls, and extensions
DUADP Protocol
Decentralized Universal AI Discovery Protocol
NIST Validated the Gap OSSA Fills
Full whitepaper on NIST alignment, the four-layer stack, and the contract layer gap
Enterprise Compliance
SOC2, NIST SP 800-53 mapping, FedRAMP profiles
Interactive Schema Explorer
Explore the complete OSSA JSON Schema
Production Reference Implementation
Live Cedar authorization integrated with GitLab CI/CD — proving the contract layer works.
Cedar Policy Engine + GitLab Security Policies
The OSSA project operates a live compliance engine that evaluates 13 Cedar policy sets (181 statements) via WebAssembly in under 100ms. This is the first known integration of Cedar authorization with GitLab CI/CD pipelines, demonstrating NIST SP 800-53 AC-3 (Access Enforcement) in a real DevSecOps workflow.
How It Works
NIST SP 800-53 Controls Demonstrated
Key Dates
NIST CAISI and NCCoE timeline
Read the Full Whitepaper
NIST Validated the Gap OSSA Fills: the four-layer stack, manifest-to-RFI mapping, and what comes next.