+
+| Year
+ | Type
+ | Name
+ | Website
+ | Use-case
+
+ |
+| 2025
+ | Direct
+ | Singapore Government
+ | https://www.tech.gov.sg/
+ | Employ OSCAL with requirements to Add Specific Properties to a Set of Controls and Create Template SSPs for Distribution to Agencies.
+
+ |
+| 2024
+ | Direct
+ | US Department of Veterans Affairs (VA)
+ | https://www.va.gov/
+ | The uses VA uses trestle's capabilities to help automate their compliance documentation. Landmark achievement was submitting the first FedRAMP System Security Plan (SSP) in OSCAL format.
+
+ |
+| 2024?
+ | Direct
+ | Chicago Mercantile Exchange???
+ | https://www.cmegroup.com/
+ | ?
+
+ |
+| 2023
+ | Direct
+ | SunStone Secure
+ | https://sunstonesecure.com/
+ | Sunstone Secure leverages OSCAL Compass to streamline and automate the complex process of achieving FedRAMP compliance, specifically through in their "Digital Twin Compliance Platform" and "Artemis" AI-native platform.
+
+ |
+| 2023
+ | Direct
+ | Red Hat
+ | https://www.redhat.com/
+ | Red Hat Product Security Team automate security and compliance for products, enabling generation of machine-readable System Security Plans (SSPs) and other compliance artifacts.
+
+ |
+| 2022
+ | Direct
+ | Center for Internet Security
+ | https://www.cisecurity.org/
+ | CIS is actively embracing OSCAL toward facilitating the automation of the CIS Controls catalog and the intricate mapping process for both users and product vendors.
+
+ |
+| 2021
+ | Direct
+ | RegSscale/GovReady
+ | https://regscale.com/
+ | GovReady uses the open-source trestle tool as a core component of its compliance-as-code platform to automate and streamline the process of meeting regulatory requirements.
+
+ |
+| 2021
+ | Direct
+ | IBM
+ | https://www.ibm.com/
+ | Used by IBM Concert, IBM Cloud, IBM Security and Compliance Center.
+
+ |
If your organization is using OSCAL Compass and would like to be included in this list, please open a pull request.