From 890dc218ad7aeb380c2642d218e9575bf7bd309f Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:02:17 -0400 Subject: [PATCH 01/11] Create litreview.md --- litreview.md | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 litreview.md diff --git a/litreview.md b/litreview.md new file mode 100644 index 0000000..9ec7fc8 --- /dev/null +++ b/litreview.md 
@@ -0,0 +1,54 @@ +# Overview + +OSCAL can help streamline the generation and maintenance of A&A artifacts through automation. Currently, these activities are time-consuming and labor-intensive. Steps for the adoption of OSCAL to realize ATO-as-Code are: +1. define a strategy +2. make a plan +3. ready your organization +4. adopt OSCAL +5. tweak your success trajectory through good governance and continuous improvement. + +Note that i) and ii) may not be combined and labeled a strategic plan because there is no “strategic plan.” The strategy is an integrative set of choices that positions the organization on a playing field of your choice in the most successful way. That strategy must be coherent, doable, and actionable. Planning does not have to have any such coherence and is just a list of actionable activities required to deliver on that strategy. + +Legislation (EO 14028, FISMA 2022) continues to be published, mandating advances in risk-based cybersecurity, modernization, and the adoption of next-generation security principles. This efficiency in process automation, advanced data processing, and expanded analytics capabilities is self-evident and creates a “data fabric” that allows agencies to achieve deeper insights and make evidence-based decisions. While data fabrics improve transparency, enable automation, and can provide more comprehensive governance and security controls, making it easier to comply with data privacy and compliance regulations, they are not to be confused with the data decentralization, autonomy, and productization of a federated or distributed GRC model that constitutes a “data mesh.” Data mesh is API-driven for developers, focuses on organizational change, and emphasizes the significance of people and processes. This results in greater collaboration between people and technology through a socio-technical approach of having domain experts own the data they create. 
Data fabric requires writing code for the APIs to interface, is technology-centric, and is an architectural approach that effectively manages the intricacies of data and metadata in a cohesive manner focusing on using technology and automation to connect and manage data. OSCAL enables the idea of a data fabric existing virtually in a data mesh environment by assembling a data record through the inheritance of the OSCAL artifact. Consequently, figure 1b illustrates a potential ‘strategy’ for automating an activity-centric process where a data record does not need to exist in one repository of a single platform. + +# Literature Review + +This is a collection of resources. + +Table 1. Literature Review and Artifacts +| Source | Overview | Relevant | Current | +| ---- | ----- | ----- | ------ | +| [Air Force Office of the Chief Software Officer Training Page](https://software.af.mil/training/) | Recommended books, videos, and DAU resources for DevSecOps. Nothing specific to OSCAL | No | No date | +| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges in using OSCAL | Yes | Last update June 2023(?). | +| [GO OSCAL SDK Github Repo](https://github.com/GoComply/oscalkit) | Barebones GO SDK for working with OSCAL. | Yes | Oct 2023 | + +# Current Status + +https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/ +https://github.com/GSA/fedramp-automation +https://pages.nist.gov/OSCAL/ + + +NIST Walkthrough tutorials: https://pages.nist.gov/OSCAL/learn/tutorials/ + +NISTS walkthrough tutorials seem like some of the best and most extensive documentation for developers to review; they detail how to create various OSCAL content, and when visiting the OSCAL GitHub, there are many examples of the data to review. 
( https://github.com/usnistgov/OSCAL ) + +GSA Fedramp Automation Github: https://github.com/GSA/fedramp-automation/tree/master The GSA fed ramp automation Git Hub includes various tools and guides to use and automate OSCAL for the FEDRAMP process. The guides are targeted at developers looking to implement solutions for leveraging OSCAL. Directions included cover SSPs, POAMS, SAPs, and SARs. + +Gocomply FEDRAMP Github: https://github.com/GoComply/fedramp Tool for manipulating official fed ramp assets + +CIS controls in OSCAL: https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository CIS has created a version of their controls in OSCAL format + +OSCAL Layers and Models: https://pages.nist.gov/OSCAL/concepts/layer/ Nists page on the layers and Models of OSCAL provides an excellent view of how each piece works together; additionally this can be very helpful for understanding the interconnection between components for automating the ATO process. + +Easy Dynamics OSCAL Whitepaper: https://www.easydynamics.com/wp-content/uploads/2022/05/OSCAL-WP-1.pdf Easy Dynamics has a little white paper that summarizes what OSCAL is and what it can do in addition to an overview of a framework for OSCAL adoption consisting of a 6 step process for use in the SDLC process. Here are those steps: + +Identify Target System +Educate Stakeholders +Select Target OSCAL artifacts +Define Responsibility +Develop Ongoing monitor approach +Implement OSCAL artifacts +Balisage Paper: The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer : https://www.balisage.net/Proceedings/vol26/html/Lubell01/BalisageVol26-Lubell01.html + +This was an interesting read from a security control tool developer. I wasn’t sure whether to include it, but I wanted to share for the larger group to read. The abstract is for reference: "Even the best written specifications can be complicated documents to read and understand. 
Normative prose is often supported by tables and diagrams intended to clarify the specification. What happens when a tool developer interprets those clarifying features as a different model than the prose intends? What does this say about relying on derived data models in tools that support the specification? A cautionary tale involving security control baselines from National Institute of Standards and Technology Special Publication 800-53 provides some answers — and insights." From 52a576db8fd34a8b95747ad0dbf817031e4e7f3a Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:06:11 -0400 Subject: [PATCH 02/11] Update litreview.md --- litreview.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/litreview.md b/litreview.md index 9ec7fc8..0de7361 100644 --- a/litreview.md +++ b/litreview.md @@ -4,7 +4,7 @@ OSCAL can help streamline the generation and maintenance of A&A artifacts throug 1. define a strategy 2. make a plan 3. ready your organization -4. adopt OSCAL +4. adopt OSCAL either through a tool or through a developer approach. 5. tweak your success trajectory through good governance and continuous improvement. Note that i) and ii) may not be combined and labeled a strategic plan because there is no “strategic plan.” The strategy is an integrative set of choices that positions the organization on a playing field of your choice in the most successful way. That strategy must be coherent, doable, and actionable. Planning does not have to have any such coherence and is just a list of actionable activities required to deliver on that strategy. 
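Review bot: In the new litreview.md (PATCH 01/11), the Overview enumerates the adoption steps as "1." through "5." but the following paragraph refers to "i) and ii)", so the cross-reference does not match the list; change it to "steps 1 and 2". The same paragraph cites "figure 1b", but the file adds no figure, so either commit the image alongside or drop the reference. Two smaller points in the same file: the "Current" column gives "Oct 2023" for the GO OSCAL SDK row although the commit is dated 18 Sep 2023, which looks like a typo for the last-update month, and the six Easy Dynamics steps ("Identify Target System" through "Implement OSCAL artifacts") are bare lines that Markdown will collapse into one paragraph, so they should be a numbered list.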
@@ -19,13 +19,12 @@ Table 1. Literature Review and Artifacts | Source | Overview | Relevant | Current | | ---- | ----- | ----- | ------ | | [Air Force Office of the Chief Software Officer Training Page](https://software.af.mil/training/) | Recommended books, videos, and DAU resources for DevSecOps. Nothing specific to OSCAL | No | No date | -| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges in using OSCAL | Yes | Last update June 2023(?). | +| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [OSCAL Club Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges in using OSCAL | Yes | Last update June 2023(?). | | [GO OSCAL SDK Github Repo](https://github.com/GoComply/oscalkit) | Barebones GO SDK for working with OSCAL. | Yes | Oct 2023 | +| [FedRAMP Automation OSCAL Guides and Templates](https://github.com/GSA/fedramp-automation) | Collection of OSCAL-formatted artifacts and guides to get strated with OSCAL for FedRAMP. | Yes | Sep 2023 | # Current Status -https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/ -https://github.com/GSA/fedramp-automation https://pages.nist.gov/OSCAL/ From 534c47bbcf96845e1367189f9bd2f09c63aaa95f Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:22:51 -0400 Subject: [PATCH 03/11] Update litreview.md --- litreview.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/litreview.md b/litreview.md index 0de7361..6059d96 100644 --- a/litreview.md +++ b/litreview.md 
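Review bot: The new FedRAMP Automation table row in the second hunk of PATCH 02/11 has a typo, "get strated with OSCAL", which should read "get started with OSCAL". The same hunk removes the https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/ link from Current Status without carrying it anywhere else; since the new row links only the GitHub repo, consider keeping the fedramp.gov resources page in the row's Source cell so the official landing page is not lost.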
@@ -16,24 +16,21 @@ Legislation (EO 14028, FISMA 2022) continues to be published, mandating advances This is a collection of resources. Table 1. Literature Review and Artifacts -| Source | Overview | Relevant | Current | +| Source | Overview | Audience | Relevant | Current | | ---- | ----- | ----- | ------ | -| [Air Force Office of the Chief Software Officer Training Page](https://software.af.mil/training/) | Recommended books, videos, and DAU resources for DevSecOps. Nothing specific to OSCAL | No | No date | -| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [OSCAL Club Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges in using OSCAL | Yes | Last update June 2023(?). | -| [GO OSCAL SDK Github Repo](https://github.com/GoComply/oscalkit) | Barebones GO SDK for working with OSCAL. | Yes | Oct 2023 | -| [FedRAMP Automation OSCAL Guides and Templates](https://github.com/GSA/fedramp-automation) | Collection of OSCAL-formatted artifacts and guides to get strated with OSCAL for FedRAMP. | Yes | Sep 2023 | +| [Air Force Office of the Chief Software Officer Training Page](https://software.af.mil/training/) | Recommended books, videos, and DAU resources for DevSecOps. Nothing specific to OSCAL. | Developers | No | No date | +| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [OSCAL Club Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges using OSCAL. | General Audience | Yes | Last update June 2023(?). | +| [GO OSCAL SDK Github Repo](https://github.com/GoComply/oscalkit) | Barebones GO SDK for working with OSCAL. 
| Developers | Yes | Oct 2023 | +| [FedRAMP Automation OSCAL Guides and Templates](https://github.com/GSA/fedramp-automation) | Various tools and guides to use and automate OSCAL for the FEDRAMP process. | Developers | Yes | Sep 2023 | # Current Status https://pages.nist.gov/OSCAL/ - NIST Walkthrough tutorials: https://pages.nist.gov/OSCAL/learn/tutorials/ NISTS walkthrough tutorials seem like some of the best and most extensive documentation for developers to review; they detail how to create various OSCAL content, and when visiting the OSCAL GitHub, there are many examples of the data to review. ( https://github.com/usnistgov/OSCAL ) -GSA Fedramp Automation Github: https://github.com/GSA/fedramp-automation/tree/master The GSA fed ramp automation Git Hub includes various tools and guides to use and automate OSCAL for the FEDRAMP process. The guides are targeted at developers looking to implement solutions for leveraging OSCAL. Directions included cover SSPs, POAMS, SAPs, and SARs. - Gocomply FEDRAMP Github: https://github.com/GoComply/fedramp Tool for manipulating official fed ramp assets CIS controls in OSCAL: https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository CIS has created a version of their controls in OSCAL format From e4ee5fd42c60122a0cdc084d1ea7e657dbecbd88 Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:23:50 -0400 Subject: [PATCH 04/11] Update litreview.md --- litreview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/litreview.md b/litreview.md index 6059d96..4ff09e3 100644 --- a/litreview.md +++ b/litreview.md 
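Review bot: The table in PATCH 03/11 will not render: the header row gains a fifth column ("Audience") but the separator row is left as `| ---- | ----- | ----- | ------ |` with four cells, and GitHub-flavored Markdown requires the delimiter row to match the header's column count. Add a fifth `| ----- |` cell. Also, the GSA FedRAMP paragraph removed from Current Status carried the detail that the guides cover SSPs, POA&Ms, SAPs, and SARs, which the replacement table row ("Various tools and guides to use and automate OSCAL for the FEDRAMP process.") drops; that artifact coverage is useful for readers choosing a starting point, so it should be kept in the Overview cell. "FEDRAMP" should also be spelled "FedRAMP" as in the Source cell.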
@@ -45,6 +45,7 @@ Select Target OSCAL artifacts Define Responsibility Develop Ongoing monitor approach Implement OSCAL artifacts + Balisage Paper: The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer : https://www.balisage.net/Proceedings/vol26/html/Lubell01/BalisageVol26-Lubell01.html This was an interesting read from a security control tool developer. I wasn’t sure whether to include it, but I wanted to share for the larger group to read. The abstract is for reference: "Even the best written specifications can be complicated documents to read and understand. Normative prose is often supported by tables and diagrams intended to clarify the specification. What happens when a tool developer interprets those clarifying features as a different model than the prose intends? What does this say about relying on derived data models in tools that support the specification? A cautionary tale involving security control baselines from National Institute of Standards and Technology Special Publication 800-53 provides some answers — and insights." From 65167f16c176a526381494a5516e445f154eab03 Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:24:16 -0400 Subject: [PATCH 05/11] Delete White Paper Literature Review.md --- White Paper Literature Review.md | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 White Paper Literature Review.md diff --git a/White Paper Literature Review.md b/White Paper Literature Review.md deleted file mode 100644 index 324f366..0000000 --- a/White Paper Literature Review.md +++ /dev/null 
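Review bot: The blank line added before "Balisage Paper:" in PATCH 04/11 separates that entry from the Easy Dynamics steps, but the six steps above it are still unnumbered consecutive lines and will still be rendered as a single paragraph. The original "White Paper Literature Review.md" numbered them "1." through "6."; restoring that numbering here would fix the rendering and keep the order the white paper gives.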
@@ -1,21 +0,0 @@ - -*************************************************************** -Bijan Bahari - Distortion Tech: -I only found a couple of good white papers that I thought would apply to us as a group. The best information, in my opinion, that provides much light on how OSCAL can be used to automate ATO activities is from NIST. - -OSCAL Layers and Models: https://pages.nist.gov/OSCAL/concepts/layer/ -Nists page on the layers and Models of OSCAL provides an excellent view of how each piece works together; additionally this can be very helpful for understanding the interconnection between components for automating the ATO process. - -Easy Dynamics OSCAL Whitepaper: https://www.easydynamics.com/wp-content/uploads/2022/05/OSCAL-WP-1.pdf -Easy Dynamics has a little white paper that summarizes what OSCAL is and what it can do in addition to an overview of a framework for OSCAL adoption consisting of a 6 step process for use in the SDLC process. Here are those steps: -1. Identify Target System -2. Educate Stakeholders -3. Select Target OSCAL artifacts -4. Define Responsibility -5. Develop Ongoing monitor approach -6. Implement OSCAL artifacts - -Balisage Paper: The Model Made Me Do It! A Cautionary Tale from a Security Control Baseline Tool Developer : https://www.balisage.net/Proceedings/vol26/html/Lubell01/BalisageVol26-Lubell01.html - -This was an interesting read from a security control tool developer. I wasn’t sure whether to include it, but I wanted to share for the larger group to read. The abstract is for reference: "Even the best written specifications can be complicated documents to read and understand. Normative prose is often supported by tables and diagrams intended to clarify the specification. What happens when a tool developer interprets those clarifying features as a different model than the prose intends? What does this say about relying on derived data models in tools that support the specification? 
A cautionary tale involving security control baselines from National Institute of Standards and Technology Special Publication 800-53 provides some answers — and insights." -*************************************************************** From 0e7d1874f9d40ec84c499b850e4440789ea2bfb0 Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:24:29 -0400 Subject: [PATCH 06/11] Delete Developers Guide Literature Review.md --- Developers Guide Literature Review.md | 37 --------------------------- 1 file changed, 37 deletions(-) delete mode 100644 Developers Guide Literature Review.md diff --git a/Developers Guide Literature Review.md b/Developers Guide Literature Review.md deleted file mode 100644 index 7b501af..0000000 --- a/Developers Guide Literature Review.md +++ /dev/null 
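Review bot: Deleting "White Paper Literature Review.md" in PATCH 05/11 drops the attribution line "Bijan Bahari - Distortion Tech:" and that reviewer's summary sentence, neither of which was carried into litreview.md when its contents were merged in PATCH 01/11. Since the merged text is written in the first person ("I wasn't sure whether to include it"), the consolidated file should name whose review each section came from, either inline or in the commit message, before the source file is removed.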
@@ -1,37 +0,0 @@ - -*************************************************************** -Bijan Bahari - Distortion Tech: -There is a limited amount of resources targeted towards implementation for developers; however, I did find a few good resources to look at, and I did see many various tools to review. - -NIST Walkthrough tutorials: https://pages.nist.gov/OSCAL/learn/tutorials/ - -NISTS walkthrough tutorials seem like some of the best and most extensive documentation for developers to review; they detail how to create various OSCAL content, and when visiting the OSCAL GitHub, there are many examples of the data to review. ( https://github.com/usnistgov/OSCAL ) - -GSA Fedramp Automation Github: https://github.com/GSA/fedramp-automation/tree/master -The GSA fed ramp automation Git Hub includes various tools and guides to use and automate OSCAL for the FEDRAMP process. The guides are targeted at developers looking to implement solutions for leveraging OSCAL. Directions included cover SSPs, POAMS, SAPs, and SARs. - -OSCAL.Club: https://oscal.club/ -The OSCAL club is a community project to leverage OSCAL to create tools and work through challenges in using OSCAL. They maintain the awesome OSCAL GitHub with various projects and links. There is a litany of tools listed but below; I will be pulling out my thoughts on what would be the most pertinent ones: -• OSCAL GUI - https://github.com/brian-ruf/OSCAL-GUI - this is a GUI for interacting with OSCAL. The tool looks like it is mainly for viewing OSCAL data now and doing format conversion. 
However, the following is either in progress or will be implemented in the future: -o Metadata Management (all OSCAL layers) -o Profile Creation/Manipulation -o Catalog Creation/Manipulation -o Back-Matter Management (all OSCAL layers) -o OSCAL Format Conversion (XML/JSON to/from YAML) -o SSP Creation/Manipulation -o SSP FedRAMP Validation -o Identity management -o Access control (on a project-by-project basis) Functionality related to the assessment layers will be planned and developed as the syntax for those OSCAL layers is defined. -• SSP toolkit: https://github.com/CivicActions/ssp-toolkit - This is for generating an SSP from OSCAL content -• OSCAL REST API proposed standard: https://github.com/EasyDynamics/oscal-rest - this is a proposed REST API definition from easy dynamics. There will need to be interoperability between various tools with various functions, and a standardized REST API is essential in my opinion. - -OSCAL kit: https://github.com/GoComply/oscalkit -OSCAL kit is a barebones GO SDK for working with OSCAL. The SDK includes a CLI tool for processing OSCAL documents, converting between OSCAL-formatted XML, JSON, and YAML. - -Gocomply FEDRAMP Github: https://github.com/GoComply/fedramp -Tool for manipulating official fed ramp assets - -CIS controls in OSCAL: https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository - CIS has created a version of their controls in OSCAL format -*************************************************************** - From c2f77fbdcadc5adc209d3ea94a120dc3b60c445a Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:25:37 -0400 Subject: [PATCH 07/11] Update litreview.md --- litreview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/litreview.md b/litreview.md index 4ff09e3..dc18ea3 100644 --- a/litreview.md +++ b/litreview.md 
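Review bot: The deletion in PATCH 06/11 loses content that was never merged into litreview.md: the OSCAL GUI entry (https://github.com/brian-ruf/OSCAL-GUI) with its list of planned functionality, the SSP toolkit (https://github.com/CivicActions/ssp-toolkit), and the proposed OSCAL REST API (https://github.com/EasyDynamics/oscal-rest) together with the reviewer's point that a standardized REST API is essential for interoperability between tools. Table 1 in litreview.md currently lists only four sources, so add rows for these three before removing this file, or the series ends with less coverage than it started with.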
@@ -17,9 +17,9 @@ This is a collection of resources. Table 1. Literature Review and Artifacts | Source | Overview | Audience | Relevant | Current | -| ---- | ----- | ----- | ------ | +| ------ | -------- | -------- | -------- | ------- | | [Air Force Office of the Chief Software Officer Training Page](https://software.af.mil/training/) | Recommended books, videos, and DAU resources for DevSecOps. Nothing specific to OSCAL. | Developers | No | No date | -| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [OSCAL Club Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges using OSCAL. | General Audience | Yes | Last update June 2023(?). | +| [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [OSCAL Club Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges using OSCAL. | General Audience, but more Developers | Yes | Last update June 2023(?). | | [GO OSCAL SDK Github Repo](https://github.com/GoComply/oscalkit) | Barebones GO SDK for working with OSCAL. | Developers | Yes | Oct 2023 | | [FedRAMP Automation OSCAL Guides and Templates](https://github.com/GSA/fedramp-automation) | Various tools and guides to use and automate OSCAL for the FEDRAMP process. | Developers | Yes | Sep 2023 | From 24b100166b534060fc8e9e892e88940ad3d65260 Mon Sep 17 00:00:00 2001 From: Ken Myers <61115074+idmken@users.noreply.github.com> Date: Tue, 19 Sep 2023 10:11:11 -0400 Subject: [PATCH 08/11] Update litreview.md --- litreview.md | 45 ++++++++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/litreview.md b/litreview.md index dc18ea3..b6f79d3 100644 --- a/litreview.md 
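Review bot: The separator-row fix in PATCH 07/11 (`| ------ | -------- | -------- | -------- | ------- |`) resolves the column-count mismatch introduced in PATCH 03/11; ideally that correction would be squashed into the earlier commit so the history has no broken-table state. The new Audience value "General Audience, but more Developers" reads awkwardly in a table cell; "Developers (general audience)" or "Developers, general audience" would be clearer and would match the single-word style of the other rows.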
+++ b/litreview.md @@ -1,10 +1,25 @@ # Overview -OSCAL can help streamline the generation and maintenance of A&A artifacts through automation. Currently, these activities are time-consuming and labor-intensive. Steps for the adoption of OSCAL to realize ATO-as-Code are: +Continuous ATO (C-ATO) is an organizational initiative to automate security compliance activity. In collaboration with industry, NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. A security team will likely only work with OSCAL indirectly but through a tool. The purpose of OSCAL is a standardized, machine-readable format to share artifacts between Governance, Risk, and Compliance (GRC) and software automation tools or programs. + +--- + +
+ Agency A uses C-ATO to authorize a new platform. Agency B wants to authorize the same platform and leverage the machine-readable artifacts of Agency A to shorten their authorization process from months to days. +
+
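Review bot: In the rewritten Overview of PATCH 08/11, "A security team will likely only work with OSCAL indirectly but through a tool" is ungrammatical; "indirectly, through a tool" is the intended meaning. The Agency A / Agency B scenario that follows the `---` rule is introduced by bare "+" lines with indented text and no heading or markup visible in the hunk, so it is unclear how it is meant to render; the rest of the file uses Markdown, so a short heading such as "Example scenario" and a Markdown blockquote would make the intent explicit. Note also that the hunk header advertises 25 added lines but only the opening portion is visible here, so the remainder of this change could not be reviewed.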