Litreview #4
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| # Overview | ||
|
|
||
| Continuous ATO (C-ATO) is an organizational initiative to automate security compliance activity. In collaboration with industry, NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. A security team will likely only work with OSCAL indirectly but through a tool. The purpose of OSCAL is a standardized, machine-readable format to share artifacts between Governance, Risk, and Compliance (GRC) and software automation tools or programs. | ||
|
|
||
| --- | ||
|
|
||
| <div class="usa-alert usa-alert--info"> | ||
| <div class="usa-alert__body"> | ||
| <h4 class="usa-alert__heading">Use Case 1: Leverage Security Artifacts Between Agencies</h4> | ||
| <p class="usa-alert__text"> | ||
| Agency A uses C-ATO to authorize a new platform. Agency B wants to authorize the same platform and leverage the machine-readable artifacts of Agency A to shorten their authorization process from months to days. | ||
|
There was a problem hiding this comment. Per NIST SP 800-37 Revision 2 Appendix F p. 163, this summary could allude to either ATO (authorize to operate) or ATU (authorize to use). Do we know which one is meant here? ATU could be what this use case means or a separate new use case. What is the relevance to the techdata group in this initiative? That changes what is shared and how (specifically, which instances of OSCAL models you share) and a bunch of process/mission changes that come with it. |
||
| </p> | ||
| </div> | ||
| </div> | ||
|
|
||
| --- | ||
|
|
||
| C-ATO can help streamline the generation and maintenance of A&A artifacts through automation. Currently, these activities are time-consuming and labor-intensive. Steps for C-ATO adoption: | ||
| 1. define a strategy | ||
| 2. make a plan | ||
| 3. ready your organization | ||
|
There was a problem hiding this comment. Re these adoption/maturity steps, this means the implied prerequisite environment is green field and an organization that is "starting from scratch" to use a metaphor? It might help to address these assumptions in the beginning of document regarding what is and isn't in scope of the the work. |
||
| 4. adopt C-ATO either through a tool or developer approach. | ||
| 5. tweak your success trajectory through good governance and continuous improvement. | ||
|
|
||
| Note that i) and ii) may not be combined and labeled a strategic plan because there is no “strategic plan.” The strategy is an integrative set of choices that positions the organization on a playing field of your choice in the most successful way. That strategy must be coherent, doable, and actionable. Planning does not have to have any such coherence and is just a list of actionable activities required to deliver on that strategy. | ||
|
|
||
| Legislation (EO 14028, FISMA 2022) continues to be published, mandating advances in risk-based cybersecurity, modernization, and the adoption of next-generation security principles. This efficiency in process automation, advanced data processing, and expanded analytics capabilities is self-evident and creates a “data fabric” that allows agencies to achieve deeper insights and make evidence-based decisions. While data fabrics improve transparency, enable automation, and can provide more comprehensive governance and security controls, making it easier to comply with data privacy and compliance regulations, they are not to be confused with the data decentralization, autonomy, and productization of a federated or distributed GRC model that constitutes a “data mesh.” Data mesh is API-driven for developers, focuses on organizational change, and emphasizes the significance of people and processes. This results in greater collaboration between people and technology through a socio-technical approach of having domain experts own the data they create. Data fabric requires writing code for the APIs to interface, is technology-centric, and is an architectural approach that effectively manages the intricacies of data and metadata in a cohesive manner focusing on using technology and automation to connect and manage data. OSCAL enables the idea of a data fabric existing virtually in a data mesh environment by assembling a data record through the inheritance of the OSCAL artifact. Consequently, figure 1b illustrates a potential ‘strategy’ for automating an activity-centric process where a data record does not need to exist in one repository of a single platform. | ||
|
|
||
| # Literature Review | ||
|
|
||
| This is a collection of resources. | ||
|
|
||
| Table 1. Literature Review and Artifacts | ||
| | Source | Overview | Audience | Federal Relevant | Last Update | | ||
| | ------ | -------- | -------- | -------- | ------- | | ||
| | [Air Force Office of the Chief Software Officer Training Page](https://software.af.mil/training/) | Recommended books, videos, and DAU resources for DevSecOps. Nothing specific to OSCAL. | Developers | No | No date | | ||
| | [Awesome OSCAL Github Repo](https://github.com/oscal-club/awesome-oscal) and [OSCAL Club Site](https://oscal.club/) | A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards. A community project to leverage OSCAL to create tools and work through challenges using OSCAL. | General Audience, but more Developers | Yes | June 2023(?) | | ||
| | [GO OSCAL SDK Github Repo](https://github.com/GoComply/oscalkit) | Barebones GO SDK for working with OSCAL. | Developers | Yes | Oct 2023 | | ||
| | [FedRAMP Automation OSCAL Guides and Templates](https://github.com/GSA/fedramp-automation) | Various tools and guides to use and automate OSCAL for the FEDRAMP process. | Developers | Yes | Sep 2023 | | ||
| | [NIST OSCAL Tutorials](https://pages.nist.gov/OSCAL/learn/tutorials/) and [Github Repo](https://pages.nist.gov/OSCAL/learn/tutorials/) | NIST page providing step-by-step walk-throughs explaining how to create OSCAL content of various types. | Developers | Yes | 2023 | | ||
| | [Gocomply FedRAMP/OSCAL Converter](https://github.com/GoComply/fedramp) | Take a FedRAMP/OSCAL formatted System Security Plan and output FedRAMP documents. Take OpenControl repository and produce FedRAMP/OSCAL formatted System Security Plans. | Developers | Yes | June 2023 | | ||
| | [CIS Controls in OSCAL](https://www.cisecurity.org/insights/blog/introducing-the-cis-controls-oscal-repository) | OSCAL-formatted version of CIS Controls | Developers | Maybe | Oct 2022 | | ||
| | [Paper - A Cautionary Tale from a Security Control Baseline Tool](https://www.balisage.net/Proceedings/vol26/html/Lubell01/BalisageVol26-Lubell01.html) | Even the best written specifications can be complicated documents to read and understand. Normative prose is often supported by tables and diagrams that clarify the specification. What happens when a tool developer interprets those clarifying features as a different model than the prose intends? | Developers | Maybe | Aug 2021 | | ||
|
|
||
| # Current Status | ||
|
|
||
| The following government-wide programs or agencies have adopted C-ATO and are leveraging OSCAL. | ||
|
|
||
| 1) FedRAMP - Adopting and moving all FedRAMP-authorized services to C-ATO through OSCAL. | ||
|
There was a problem hiding this comment. Has FedRAMP PMO or anyone in GSA officially described the FedRAMP process as cATO/C-ATO? I have never heard them describe themselves that way, so that it is interesting to attribute that label to them in this document. |
||
| 2) ? | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we going to reference the final DoD memo or the related NIST whitepaper (I believe it was NIST.CSWP.3 , which was later subsumed as part of NIST SP 800-37 Revision 2, where these concepts were originally defined?) Kessel Run staff helped establish the DoD interpretation, but it is rooted in whitepapers presenting a modern interpretation of C-ATO as a method of applying RMF or rather it was really Continuous RMF. These concepts seem important to define and source in this document as key assumptions, no?