Skip to main content

What Is OHDF?

Charles Hu6/6/24About 5 min

A Look Ahead

In this section, we will cover:

What is OHDF?

The OASIS Heimdall Data Format (OHDF) is a security data format used to normalize generated data exports from various security tools into a single common data format usable by the Security Automation Framework (SAF) tool suite. The format is defined by the OHDF schema and its goal is to provide a simple and intuitive means for representing security data context, requirements, and measures.

OASIS Open

OASIS Open is an international standards body that works on the development and advancement of open source technological standards. OHDF is currently in the process of becoming an OASIS Open standard.

For more information on the OHDF charter for OASIS Open, refer here.

OHDF's goal is to provide:

  • Standardization: Defining data elements in a consistent and contextualized manner.
  • Normalization: Processing any format's data elements into another format's data elements in a consistent and reliable manner.

Why OHDF?

In a field saturated with data format standards, what sets OHDF apart from the rest? Why should you use OHDF for your project?

In the realm of cybersecurity, many security data exports suffer from a plethora of shortcomings and oversights. This creates critical issues such as:

  • Many security tools not providing context to relevant categorization standards for comparison across security tools.​
  • Security tools typically generating data in unique formats that require multiple dashboards and utilities to process.​
  • It taking too much time to process different security data types, data in disparate locations, and inconsistent semantics of a data element between formats.​

What makes OHDF stand out is its goal of standardization and normalization, which sets out to address these aforementioned problems. OHDF aims to create a simple, reliable, and targetable security standard, culminating in a data format that bridges and unifies the many diverse and disparate representations of security data.

Features

By using OHDF, you can leverage the plethora of built-in features that help standardize and normalize security data across your project. This includes features such as:

1. Consistent integration, aggregation, and analysis of security data from all available sources.​

  • Enforces consistent schema fields through consciously designed data format mappings.
  • Supports data format conversion from numerous established security tools such as AWS Security Hub's AWS Security Finding Format (ASFF) and Tenable Nessus' Nessus file format.
  • Allows the integration of currently unsupported security tool data formats through the development of OHDF mappers for the OHDF Converters library.
OHDF can ingest and standardize a plethora of security data formats.
OHDF can ingest and standardize a plethora of security data formats.

2. Preserving data integrity with original source data.

  • Uses mappings which maximize meaningful schema field conversions.
  • Leverages schema fields passthrough and raw to preserve the original data in its entirety.
  • Allows for bidirectional format conversions to and from OHDF.
A mapping between Format A and OHDF.
A mapping between Format A and OHDF.

3. Maximizing interoperability and data sharing.​

  • Provides a consistent and standardized format for communication.
  • Provides an easily ingestible data format and tools to improve user readability.

4. Facilitating the transformation and transport of data between security/management processes or technologies.​

  • Provides a clear schema for technologies/processes to support.
  • Includes a simple file format that technologies/processes can accept.
  • Compatible with Heimdall to provide data visualization.
OHDF can help bridge the gap between security tool outputs and security assessors.
OHDF can help bridge the gap between security tool outputs and security assessors.

5. Allowing for the mapping and enrichment of security data to relevant compliance standards (GDPR, NIST SP 800-53, CCIs, PCI-DSS, etc.).

  • Uses mappers which provide and append relevant categorization standards to converted security tool data.

What Are All These Abbreviations?

The aforementioned terms are all security related guidelines, frameworks, or implementations. The following are explanations on terms that are commonly used in this course:

NIST

The National Institute of Standards and Technology (NIST) is a U.S. agency that "promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life."

More information can be found here.

NIST RMF

The NIST Risk Management Framework (NIST RMF) provides "a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle."

More information can be found here.

NIST SP 800-53 Controls/Requirements

The NIST Special Publication 800-53 (NIST SP 800-53s) "provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks."

More information can be found here.

  • NIST SP 800-53 control example:
AC-17 REMOTE ACCESS
Control:
a. Establish and document usage restrictions, configuration/connection requirements, and
implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.
DISA

The Defense Information Systems Agency (DISA) is a U.S. agency conducting "DODIN (Department of Defense information networks) operations to enable lethality across all warfighting domains in defense of our nation."

More information can be found here.

CCIs

Control Correlation Identifiers (CCIs) are "standard identifiers and descriptions by DISA that aim to correlate high-level policy expressions and low-level technical implementations of security requirements." They are analogous to NIST SP 800-53 controls in that they both provide security and privacy controls. CCIs specifically address a single requirement and collate corresponding NIST SP 800-53 controls.

More information can be found here.

  • CCI example:
CCI-000002: Disseminate the organization-level; mission/business process-level; and/or system-level access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles.

References:
- NIST: NIST SP 800-53 (v3): AC-1 a
- NIST: NIST SP 800-53 Revision 4 (v4): AC-1 a 1
- NIST: NIST SP 800-53 Revision 5 (v5): AC-1 a 1 (a)
- NIST: NIST SP 800-53A (v1): AC-1.1 (iii)

Benefits

Depending on your role, leveraging OHDF can help streamline and improve how you interact with your project's security processes in a myriad of ways:

  • For Commercial and Vendor Cybersecurity Partners:

    • OHDF defines a standardized, interoperable target format that vendor tools can consume across their customer base consistently and that is easily managed within the product lifecycle.

  • For the Open Source Community:

    • OHDF enables easy integration with commercial solutions without the need for direct partnerships.

  • For Government Agencies:

    • OHDF can streamline business processes by having a standard, open source, machine-readable format for all security data.

  • For Academia:

    • OHDF offers a structured way to communicate and enhance research findings throughout the security community.

  • For Corporate and Federal CISOs/CIOs:

    • OHDF can increase visibility across the enterprise by taking advantage of normalized security data in a standard format that supports risk information interoperability from a broad range of inputs to support security risk decision-making.

  • For Security Engineers:

    • OHDF can reduce resource requirements for multiple security data types by standardizing formatting across disparate security tools.

  • For Risk Managers:

    • OHDF can improve decision making by using a standardized format to facilitate automation, standardize communication requirements, and inform risk-based analysis.

  • For DevSecOps/Software Engineers:

    • OHDF can streamline CI/CD processes by leveraging a standardized format to collate/aggregate normalized security data to support automated and continuous security processes.

What Else?

You can read more about OHDF here.

A Look Back

In this section, we covered:

  • What OHDF is

    • OHDF is a security data format used to normalize generated data exports from various security tools into a standard common data format usable by the SAF tool suite.

  • Why you should use OHDF

    • OHDF provides a simple, reliable, and targetable security standard which bridges and unifies the many diverse and disparate representations of security data in the field of cybersecurity.

  • How you can use OHDF in your work

    • OHDF provides a plethora of built-in features which help you achieve standardization and normalization of your project's security data.

  • Who benefits from OHDF and how

    • OHDF can help you streamline and ease how you specifcally process and interact with security data in your project.

Knowledge Check

Where is OHDF used?

OHDF can be found in a plethora of projects but is officially used in the SAF tool suite. This includes tools such as Heimdall, a visualization tool for security data.

How do security tool exports get converted into OHDF?

Security tool exports are converted into OHDF through the use of OHDF mappers, which convert the data elements of an export into the corresponding data elements in OHDF.

Apache-2.0 | Copyright Β© 2022 - The MITRE Corporation
Copyright Β© 2025 Charles Hu