Page 1: OPEN SECURITY CONTROLS ASSESSMENT LANGUAGE (OSCAL) – ENABLED FEDRAMP AUTOMATION
November 7, 2018
Federal IT Security Conference, Operational Track – Session 5
Brian J. Ruf, CISSP, PMP, FedRAMP PMO

Page 2: OSCAL OVERVIEW

Creating a security package is overwhelming! So is adjudicating 45-100 of them each year!!

We MUST become more efficient! OSCAL makes it possible!

Page 3: OSCAL ENABLES INTEROPERABILITY

Diagram labels: 3PAOs, CSPs, Xacta, EMASS, DOJ CSAM, RSA Archer

Under FedRAMP, CSPs and 3PAOs manually create a large volume of structured security information using Word, Excel, and PDF, which requires manual adjudication. Agencies and other organizations are using a variety of tools that typically don’t interoperate very well.

Page 4: OSCAL ENABLES INTEROPERABILITY

Diagram labels: 3PAOs, CSPs, Xacta, EMASS, DOJ CSAM, RSA Archer, with NIST OSCAL at the centre

OSCAL is like a Rosetta Stone that enables tools and organizations to exchange information via automation.

Page 5: OSCAL GOALS

NIST’s Goals for OSCAL

o Enable automated traceability from selection of security controls through implementation and assessment
o Enable automated mapping to multiple compliance frameworks
o Provide a common language for:
  o software and service providers to express implementation guidance against security controls
  o sharing how security controls are implemented
  o sharing assessment results
o Target formats: XML and JSON

FedRAMP’s Goals for OSCAL

o Expedite the creation, assessment, and adjudication of security artifacts
o Shift level-of-effort away from compliance, and toward risk management
o Enable interoperable automation for Cloud Service Providers (CSPs), Accredited Third Party Assessment Organizations (3PAOs), and FedRAMP

Page 6: OSCAL OVERVIEW – CONCEPTUAL FRAMEWORK

Diagram, top to bottom:
NIST SP 800-53 & 53A | Other Compliance Regimes (PCI, SOC2, ISO-27001)
NIST Baselines (H, M, L) | FedRAMP Baselines | Other Baselines
SSP | Product Definitions
SAP, SAR, POA&M | Other Audit Results

Page 7: OSCAL OVERVIEW – CONCEPTUAL FEDRAMP IMPLEMENTATION

Diagram, left to right:
OSCAL CATALOG (NIST 800-53 r4, NIST 800-53A r4): a Control Specification per control. Control Specification: Requirement Statement, Guidance, Parameter Definition, Review Objectives.
OSCAL PROFILE (NIST 800-53 r4 – High): a Control Pointer per selected control.
OSCAL PROFILE (FedRAMP – High): Control Pointers plus FedRAMP Control Modifications: Guidance, Parameter Constraints, Review Objectives.
IMPLEMENTATION (FedRAMP SSP): Ch 1 – 12 & Attachments (CSP Information; Roles & Responsibilities; Ports, Protocols & Services) and Ch 13: Controls (Control Details, each with a Control Pointer). Control Details: Responsible Roles, Implementation Status, Control Origination, Parameter Values, Solution Explanation. FedRAMP Extensions & Validation Rules are shown alongside the SSP.

An OSCAL-compliant SSP will trace back through its applicable baselines, to the underlying compliance source.

Page 8: OSCAL OVERVIEW – CONCEPTUAL VENDOR PRODUCT/SERVICE IMPLEMENTATION

Diagram:
Vendor Data File (OSCAL): Apache 2.4.33 (Configuration Baseline US Federal – Moderate). AC-2 Control Details: Solution Explanation. Ports: 80, 443; Protocols: http, https; Service: web application.
Vendor Data File (OSCAL): PostgreSQL 10.4 (Configuration Baseline US Federal – Moderate). AC-2 Control Details: Solution Explanation. AU-12 Control Details. Port: 5432; Protocol: sql; Service: RDBMS.
IMPLEMENTATION (FedRAMP SSP): CSP Information; Roles & Responsibilities; Ports, Protocols & Services (Ports: 80, 443; Protocols: http, https; Services: web application. Ports: 5432; Protocols: sql; Services: RDBMS); AC-2 Control Details (Apache Control Details, PostgreSQL Control Details); AU-12 Control Details (PostgreSQL Control Details).

As a CSP selects products, the SSP will automatically populate with base content about each component’s ability to satisfy controls. Although this still needs to be manually tailored to the system-specific implementation, it provides the majority of the content necessary.
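The catalog-to-profile-to-SSP chain sketched on Page 7 and the component-populated SSP of Page 8, as an added worked example. This is not code from the deck or from the NIST OSCAL project, and the dictionary layout is a constructed stand-in for the OSCAL schemas rather than their actual XML/JSON models. The profile and catalog identifiers, the control titles and text, the SC-7 control, the vendor control statements and the three verification rules are all assumptions made for the example; the AC-2/AU-12 control ids, product names and port/protocol/service values come from Page 8.

```python
# Constructed stand-in for the deck's catalog -> profile -> SSP chain; the dict
# layout is an assumption for this example, not NIST's OSCAL XML/JSON schema.

# Catalog: one Control Specification per control (hypothetical titles and params).
CATALOG = {"id": "nist-800-53-r4", "controls": {
    "AC-2": {"title": "Account Management", "params": ["ac-2_prm_1"]},
    "AU-12": {"title": "Audit Generation", "params": []},
    "SC-7": {"title": "Boundary Protection", "params": []},
}}

# Profiles: the NIST High baseline is Control Pointers only; the FedRAMP High
# overlay imports it and adds Control Modifications to AC-2 (constructed text).
PROFILES = {
    "nist-800-53-r4-high": {"imports": "nist-800-53-r4",
                            "include": ["AC-2", "AU-12", "SC-7"], "modify": {}},
    "fedramp-high": {"imports": "nist-800-53-r4-high", "include": "all", "modify": {
        "AC-2": {"guidance": "Constructed FedRAMP guidance for AC-2",
                 "param-constraints": {"ac-2_prm_1": "at least every 90 days"}}}},
}

# Vendor Data Files: constructed control text, port/protocol/service values from the slide.
COMPONENTS = {
    "Apache 2.4.33": {
        "pps": [("80", "http", "web application"), ("443", "https", "web application")],
        "controls": {"AC-2": "Constructed: httpd restricts administrative accounts ..."}},
    "PostgreSQL 10.4": {
        "pps": [("5432", "sql", "RDBMS")],
        "controls": {"AC-2": "Constructed: database roles managed via CREATE ROLE ...",
                     "AU-12": "Constructed: statement logging enabled ..."}},
}


def resolve_profile(profile_id, profiles=PROFILES, catalogs=None):
    """Follow the import chain down to the catalog; return {control-id: control}.
    Each control's 'trace' lists every document it passed through."""
    catalogs = catalogs or {CATALOG["id"]: CATALOG}
    prof = profiles[profile_id]
    source = prof["imports"]
    if source in catalogs:  # bottom of the chain: materialise the Control Specifications
        base = {cid: {"title": c["title"], "guidance": [], "trace": [source],
                      "params": {p: {"constraint": None, "value": None} for p in c["params"]}}
                for cid, c in catalogs[source]["controls"].items()}
    else:                   # another profile: resolve it first
        base = resolve_profile(source, profiles, catalogs)
    wanted = list(base) if prof["include"] == "all" else prof["include"]
    missing = [cid for cid in wanted if cid not in base]
    if missing:             # a dangling Control Pointer is a profile defect, not an empty control
        raise KeyError(f"{profile_id} points at controls absent from {source}: {missing}")
    resolved = {}
    for cid in wanted:
        src = base[cid]
        ctl = {"title": src["title"], "guidance": list(src["guidance"]),
               "trace": src["trace"] + [profile_id],
               "params": {p: dict(v) for p, v in src["params"].items()}}
        mod = prof["modify"].get(cid, {})   # FedRAMP-style Control Modifications
        if "guidance" in mod:
            ctl["guidance"].append(mod["guidance"])
        for p, constraint in mod.get("param-constraints", {}).items():
            ctl["params"][p]["constraint"] = constraint
        resolved[cid] = ctl
    return resolved


def build_ssp(profile_id, selected_components, components=COMPONENTS):
    """Start an SSP from the resolved baseline and pre-populate Control Details and the
    Ports, Protocols & Services table from the selected components' vendor data."""
    ssp = {"profile": profile_id, "pps": [], "controls": {}}
    for cid, ctl in resolve_profile(profile_id).items():
        ssp["controls"][cid] = {**ctl, "by-component": {}, "solution": None, "tailored": False}
    for name in selected_components:
        comp = components[name]
        for port, proto, svc in comp["pps"]:
            ssp["pps"].append({"component": name, "port": port, "protocol": proto, "service": svc})
        for cid, text in comp["controls"].items():
            if cid in ssp["controls"]:  # vendor content for controls outside the baseline is dropped
                ssp["controls"][cid]["by-component"][name] = text
    return ssp


def tailor(ssp, cid, system_explanation, param_values=None):
    """Record the CSP's system-specific tailoring of the vendor base content."""
    ctl = ssp["controls"][cid]
    ctl["solution"] = system_explanation
    for p, value in (param_values or {}).items():
        ctl["params"][p]["value"] = value
    ctl["tailored"] = True


def verify_ssp(ssp):
    """Automatable checks of the kind the deck's validation rules describe (constructed rules)."""
    findings = []
    for cid, ctl in ssp["controls"].items():
        if not ctl["by-component"] and ctl["solution"] is None:
            findings.append(f"{cid}: no implementation statement from any component or the CSP")
        if not ctl["tailored"]:
            findings.append(f"{cid}: vendor base content not yet tailored to this system")
        for p, spec in ctl["params"].items():
            if spec["value"] is None:
                hint = f" (constraint: {spec['constraint']})" if spec["constraint"] else ""
                findings.append(f"{cid}: parameter {p} has no value{hint}")
    return findings
```

Resolving "fedramp-high" gives every control a trace of catalog, NIST High profile, FedRAMP High profile, which is the traceability Page 7 describes. Building the SSP with both components selected and running verify_ssp yields five findings: SC-7 has no implementation statement, all three controls are still untailored, and AC-2's parameter has no value even though the FedRAMP overlay constrains it. Calling tailor for AC-2 with a parameter value clears that control's findings; the remaining ones are exactly the manual work Page 8 says the auto-populated content does not remove.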

Page 9: OSCAL OVERVIEW – UPDATED MODEL / ROADMAP

Diagram labels (key: Red Text: Complete; Blue Text: Future Plans):
NIST SP 800-53, NIST SP 800-53A; ISO-27000, COBIT; PCI, HIPAA, GLBA
NIST SP 800-53 High, NIST SP 800-53 Mod, NIST SP 800-53 Low; FedRAMP High, FedRAMP Moderate, FedRAMP Low; Test Case Workbooks
FedRAMP SAP, Test Case WB, Tools, FedRAMP SAR, POA&M
We are here: Finalizing Draft SSP Specification; Ramping up Pilot Activities; 800-53 Rev 5 Transition

CY19 Q3 Pilot Preparations:

o Modeled all SSP content and several attachments in YAML
o Mocked up an SSP and attachments in OSCAL-compliant XML
o Meeting with select CSPs and vendors to participate and/or become early adopters
o Compiled list of 89 common SSP verifications (IN-PROGRESS):
  o 98% can benefit from automation
  o 60% can be fully automated

Page 10: PUTTING IT TOGETHER

Diagram: CSP (SSP, Inventory, POA&M in OSCAL); 3PAO (SAP, SAR in OSCAL); Package (in OSCAL); Leveraging Agencies

A CSP can use any tool to manage their SSP and inventory, provided they can be published in OSCAL-compliant files.

Each 3PAO can develop their own assessment automation tools, as long as they publish OSCAL-compliant SAP and SAR content.

FedRAMP automation accelerates package validation when receiving content in OSCAL.

Leveraging agencies can import OSCAL-compliant content into any A&A tool they use.

Page 11: OSCAL TEAM

OSCAL Project Information
OSCAL OVERVIEW: https://pages.nist.gov/OSCAL
REPOSITORY: https://github.com/usnistgov/OSCAL
OSCAL NEWS MAILING LIST: [email protected]
DEVELOPERS’ MAILING LIST: [email protected]
OSCAL QUESTIONS: [email protected]

FedRAMP Information
FedRAMP QUESTIONS: [email protected]
FedRAMP RESOURCES: https://fedramp.gov

Direct
Brian Ruf: [email protected] or [email protected]

OSCAL Team
o Michaela Iorga (NIST): Project lead, NIST
o David Waltermire (NIST): Technical lead, NIST
o Wendell Piez (NIST): XML / Data modeling SME
o Brian Ruf: FedRAMP Automation SME, FedRAMP PMO
o Peter Crayton: Technical Writer, FedRAMP PMO
o Anil Karmel (Contractor): Manages contract vehicle through which SMEs are sub-contracted
o Andrew Weiss (Vendor): Represents Docker and container community
o Gabe Alford (Vendor), Red Hat Inc.
o Ted Steffan (Vendor), AWS, Security Partner Strategist

Page 12: QUESTIONS / DISCUSSION

Page 13: END

Pages 14–16: SHOW AND TELL