diff --git a/Developers Guide Literature Review.md b/Developers Guide Literature Review.md deleted file mode 100644 index 7b501af..0000000 --- a/Developers Guide Literature Review.md +++ /dev/null @@ -1,37 +0,0 @@ - -*************************************************************** -Bijan Bahari - Distortion Tech: -There is a limited amount of resources targeted towards implementation for developers; however, I did find a few good resources to look at, and I did see many various tools to review. - -NIST Walkthrough tutorials: https://pages.nist.gov/OSCAL/learn/tutorials/ - -NISTS walkthrough tutorials seem like some of the best and most extensive documentation for developers to review; they detail how to create various OSCAL content, and when visiting the OSCAL GitHub, there are many examples of the data to review. ( https://github.com/usnistgov/OSCAL ) - -GSA Fedramp Automation Github: https://github.com/GSA/fedramp-automation/tree/master -The GSA fed ramp automation Git Hub includes various tools and guides to use and automate OSCAL for the FEDRAMP process. The guides are targeted at developers looking to implement solutions for leveraging OSCAL. Directions included cover SSPs, POAMS, SAPs, and SARs. - -OSCAL.Club: https://oscal.club/ -The OSCAL club is a community project to leverage OSCAL to create tools and work through challenges in using OSCAL. They maintain the awesome OSCAL GitHub with various projects and links. There is a litany of tools listed but below; I will be pulling out my thoughts on what would be the most pertinent ones: -• OSCAL GUI - https://github.com/brian-ruf/OSCAL-GUI - this is a GUI for interacting with OSCAL. The tool looks like it is mainly for viewing OSCAL data now and doing format conversion. However, the following is either in progress or will be implemented in the future: -o Metadata Management (all OSCAL layers) -o Profile Creation/Manipulation -o Catalog Creation/Manipulation -o Back-Matter Management (all OSCAL layers) -o OSCAL Format Conversion (XML/JSON to/from YAML) -o SSP Creation/Manipulation -o SSP FedRAMP Validation -o Identity management -o Access control (on a project-by-project basis) Functionality related to the assessment layers will be planned and developed as the syntax for those OSCAL layers is defined. -• SSP toolkit: https://github.com/CivicActions/ssp-toolkit - This is for generating an SSP from OSCAL content -• OSCAL REST API proposed standard: https://github.com/EasyDynamics/oscal-rest - this is a proposed REST API definition from easy dynamics. There will need to be interoperability between various tools with various functions, and a standardized REST API is essential in my opinion. - -OSCAL kit: https://github.com/GoComply/oscalkit -OSCAL kit is a barebones GO SDK for working with OSCAL. The SDK includes a CLI tool for processing OSCAL documents, converting between OSCAL-formatted XML, JSON, and YAML. - -Gocomply FEDRAMP Github: https://github.com/GoComply/fedramp -Tool for manipulating official fed ramp assets - -CIS controls in OSCAL: https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository - CIS has created a version of their controls in OSCAL format -*************************************************************** - diff --git a/White Paper Literature Review.md b/White Paper Literature Review.md deleted file mode 100644 index 324f366..0000000 --- a/White Paper Literature Review.md +++ /dev/null @@ -1,21 +0,0 @@ - -*************************************************************** -Bijan Bahari - Distortion Tech: -I only found a couple of good white papers that I thought would apply to us as a group. The best information, in my opinion, that provides much light on how OSCAL can be used to automate ATO activities is from NIST. - -OSCAL Layers and Models: https://pages.nist.gov/OSCAL/concepts/layer/ -Nists page on the layers and Models of OSCAL provides an excellent view of how each piece works together; additionally this can be very helpful for understanding the interconnection between components for automating the ATO process. - -Easy Dynamics OSCAL Whitepaper: https://www.easydynamics.com/wp-content/uploads/2022/05/OSCAL-WP-1.pdf -Easy Dynamics has a little white paper that summarizes what OSCAL is and what it can do in addition to an overview of a framework for OSCAL adoption consisting of a 6 step process for use in the SDLC process. Here are those steps: -1. Identify Target System -2. Educate Stakeholders -3. Select Target OSCAL artifacts -4. Define Responsibility -5. Develop Ongoing monitor approach -6. Implement OSCAL artifacts - -Balisage Paper: The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer : https://www.balisage.net/Proceedings/vol26/html/Lubell01/BalisageVol26-Lubell01.html - -This was an interesting read from a security control tool developer. I wasn’t sure whether to include it, but I wanted to share for the larger group to read. The abstract is for reference: "Even the best written specifications can be complicated documents to read and understand. Normative prose is often supported by tables and diagrams intended to clarify the specification. What happens when a tool developer interprets those clarifying features as a different model than the prose intends? What does this say about relying on derived data models in tools that support the specification? A cautionary tale involving security control baselines from National Institute of Standards and Technology Special Publication 800-53 provides some answers — and insights." -*************************************************************** diff --git a/litreview.md b/litreview.md new file mode 100644 index 0000000..00016ee --- /dev/null +++ b/litreview.md @@ -0,0 +1,50 @@ +# Overview + +Continuous ATO (C-ATO) is an organizational initiative to automate security compliance activity. In collaboration with industry, NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. A security team will likely only work with OSCAL indirectly but through a tool. The purpose of OSCAL is a standardized, machine-readable format to share artifacts between Governance, Risk, and Compliance (GRC) and software automation tools or programs. + +--- + +
+
+

Use Case 1: Leverage Security Artifacts Between Agencies

+

+ Agency A uses C-ATO to authorize a new platform. Agency B wants to authorize the same platform and leverage the machine-readable artifacts of Agency A to shorten their authorization process from months to days. +

+
+
+ +--- + +C-ATO can help streamline the generation and maintenance of A&A artifacts through automation. Currently, these activities are time-consuming and labor-intensive. Steps for C-ATO adoption: +1. define a strategy +2. make a plan +3. ready your organization +4. adopt C-ATO either through a tool or developer approach. +5. tweak your success trajectory through good governance and continuous improvement. + +Note that i) and ii) may not be combined and labeled a strategic plan because there is no “strategic plan.” The strategy is an integrative set of choices that positions the organization on a playing field of your choice in the most successful way. That strategy must be coherent, doable, and actionable. Planning does not have to have any such coherence and is just a list of actionable activities required to deliver on that strategy. + +Legislation (EO 14028, FISMA 2022) continues to be published, mandating advances in risk-based cybersecurity, modernization, and the adoption of next-generation security principles. This efficiency in process automation, advanced data processing, and expanded analytics capabilities is self-evident and creates a “data fabric” that allows agencies to achieve deeper insights and make evidence-based decisions. While data fabrics improve transparency, enable automation, and can provide more comprehensive governance and security controls, making it easier to comply with data privacy and compliance regulations, they are not to be confused with the data decentralization, autonomy, and productization of a federated or distributed GRC model that constitutes a “data mesh.” Data mesh is API-driven for developers, focuses on organizational change, and emphasizes the significance of people and processes. This results in greater collaboration between people and technology through a socio-technical approach of having domain experts own the data they create. Data fabric requires writing code for the APIs to interface, is technology-centric, and is an architectural approach that effectively manages the intricacies of data and metadata in a cohesive manner focusing on using technology and automation to connect and manage data. OSCAL enables the idea of a data fabric existing virtually in a data mesh environment by assembling a data record through the inheritance of the OSCAL artifact. Consequently, figure 1b illustrates a potential ‘strategy’ for automating an activity-centric process where a data record does not need to exist in one repository of a single platform. + +# Literature Review + +This is a collection of resources. + +Table 1. Literature Review and Artifacts +| Source | Overview | Audience | Federal Relevant | Last Update | +| ------ | -------- | -------- | -------- | ------- | +| [Air Force Office of the Chief Software Officer Training Page](https://software.af.mil/training/) | Recommended books, videos, and DAU resources for DevSecOps. Nothing specific to OSCAL. | Developers | No | No date | +| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [OSCAL Club Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges using OSCAL. | General Audience, but more Developers | Yes | June 2023(?) | +| [GO OSCAL SDK Github Repo](https://github.com/GoComply/oscalkit) | Barebones GO SDK for working with OSCAL. | Developers | Yes | Oct 2023 | +| [FedRAMP Automation OSCAL Guides and Templates](https://github.com/GSA/fedramp-automation) | Various tools and guides to use and automate OSCAL for the FEDRAMP process. | Developers | Yes | Sep 2023 | +| [NIST OSCAL Tutorials](https://pages.nist.gov/OSCAL/learn/tutorials/) and [Github Repo](https://pages.nist.gov/OSCAL/learn/tutorials/) | NIST page providing step-by-step walk-throughs explaining how to create OSCAL content of various types. | Developers | Yes | 2023 | +| [Gocomply FedRAMP/OSCAL Converter](https://github.com/GoComply/fedramp) | Take a FedRAMP/OSCAL formatted System Security Plan and output FedRAMP documents. Take OpenControl repository and produce FedRAMP/OSCAL formatted System Security Plans. | Developers | Yes | June 2023 | +| [CIS Controls in OSCAL](https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository) | OSCAL-formatted version of CIS Controls | Developers | Maybe | Oct 2022 | +| [Paper - A Cautionary Tale from a Security Control Baseline Tool](https://www.balisage.net/Proceedings/vol26/html/Lubell01/BalisageVol26-Lubell01.html) | Even the best written specifications can be complicated documents to read and understand. Normative prose is often supported by tables and diagrams that clarify the specification. What happens when a tool developer interprets those clarifying features as a different model than the prose intends? | Developers | Maybe | Aug 2021 | + +# Current Status + +The following government-wide programs or agencies have adopted C-ATO and are leveraging OSCAL. + +1) FedRAMP - Adopting and moving all FedRAMP-authorized services to C-ATO through OSCAL. +2) ?