OPEN SECURITY CONTROLS ASSESSMENT LANGUAGE (OSCAL) – ENABLED FEDRAMP AUTOMATION
November 7, 2018
Federal IT Security Conference
Operational Track – Session 5
Brian J. Ruf, CISSP, PMP
FedRAMP PMO
OSCAL OVERVIEW
Creating a security package is overwhelming! So is adjudicating 45-100 of them each year!!
We MUST become more efficient! OSCAL makes it possible!
OSCAL ENABLES INTEROPERABILITY
[Diagram: 3PAOs and CSPs on one side; Xacta, EMASS, DOJ CSAM and RSA Archer on the other, with no common exchange format between them]
Under FedRAMP, CSPs and 3PAOs manually create a large volume of structured security information using Word, Excel, and PDF, which requires manual adjudication.
Agencies and other organizations are using a variety of tools that typically don’t interoperate very well.
OSCAL ENABLES INTEROPERABILITY
[Diagram: the same 3PAOs, CSPs, Xacta, EMASS, DOJ CSAM and RSA Archer, now exchanging content through NIST OSCAL]
OSCAL is like a Rosetta Stone that enables tools and organizations to exchange information via automation.
OSCAL GOALS
NIST’s Goals for OSCAL:
o Enable automated traceability from selection of security controls through implementation and assessment
o Enable automated mapping to multiple compliance frameworks
o Provide a common language for:
  o software and service providers to express implementation guidance against security controls
  o sharing how security controls are implemented
  o sharing assessment results
o Target formats: XML and JSON
FedRAMP’s Goals for OSCAL:
o Expedite the creation, assessment, and adjudication of security artifacts
o Shift level-of-effort away from compliance, and toward risk management
o Enable interoperable automation for Cloud Service Providers (CSPs), Accredited Third Party Assessment Organizations (3PAOs), and FedRAMP
OSCAL OVERVIEW
CONCEPTUAL FRAMEWORK
[Diagram, read top to bottom as layers:]
Control sources: NIST SP 800-53 & 53A; Other Compliance Regimes (PCI, SOC2, ISO-27001)
Baselines: NIST Baselines (H, M, L); FedRAMP Baselines; Other Baselines
Implementation: SSP; Product Definitions
Assessment results: SAP, SAR, POA&M; Other Audit Results
OSCAL OVERVIEW
CONCEPTUAL FEDRAMP IMPLEMENTATION
[Diagram, read left to right:]
OSCAL CATALOG (NIST 800-53 r4, NIST 800-53A r4) – one Control Specification per control:
• Requirement Statement
• Guidance
• Parameter Definition
• Review Objectives
OSCAL PROFILE (NIST 800-53 r4 – High) – a Control Pointer into the catalog for each selected control
OSCAL PROFILE (FedRAMP – High) – Control Pointers into the NIST High profile, plus FedRAMP Control Modifications:
• Guidance
• Parameter Constraints
• Review Objectives
IMPLEMENTATION (FedRAMP SSP), with FedRAMP Extensions & Validation Rules:
Ch 1 – 12 & Attachments: CSP Information; Roles & Responsibilities; Ports, Protocols & Services
Ch 13: Controls – a Control Pointer and Control Details for each control:
• Responsible Roles
• Implementation Status
• Control Origination
• Parameter Values
• Solution Explanation
An OSCAL-compliant SSP will trace back through its applicable baselines, to the underlying compliance source.
OSCAL OVERVIEW
CONCEPTUAL VENDOR PRODUCT/SERVICE IMPLEMENTATION
[Diagram:]
Vendor Data File (OSCAL): Apache 2.4.33 (Configuration Baseline US Federal – Moderate)
• AC-2 Control Details: Solution Explanation
• Ports: 80, 443; Protocols: http, https; Service: web application
Vendor Data File (OSCAL): PostgreSQL 10.4 (Configuration Baseline US Federal – Moderate)
• AC-2 Control Details: Solution Explanation
• AU-12 Control Details
• Port: 5432; Protocol: sql; Service: RDBMS
IMPLEMENTATION (FedRAMP SSP):
CSP Information
Roles & Responsibilities
Ports, Protocols & Services:
• Ports: 80, 443; Protocols: http, https; Services: web application
• Ports: 5432; Protocols: sql; Services: RDBMS
AC-2: Apache Control Details; PostgreSQL Control Details
AU-12: PostgreSQL Control Details
As a CSP selects products, the SSP will automatically populate with base content about each component’s ability to satisfy controls. Although this still needs to be manually tailored to the system-specific implementation, it provides the majority of the content necessary.
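To make the layering on the two preceding slides concrete (catalog, profile chain with modifications, vendor data files feeding an SSP, and an SSP that traces back to its compliance source), here is a small Python model written for this page. It is not NIST's or FedRAMP's code and does not use the real OSCAL schema: the data is a constructed, simplified stand-in, and field names such as `imports`, `modifications`, `param_constraints` and `component_details` are assumptions. The control text and the Apache/PostgreSQL values are taken from the slides, abbreviated.

```python
"""Simplified, constructed model of the OSCAL layering described in the slides:
catalog -> profile chain -> component data files -> SSP, plus a traceability check.
Illustrative code written for this page, NOT the real OSCAL schema or NIST/FedRAMP
tooling; all field names below are assumptions."""
from __future__ import annotations

# Constructed catalog: two NIST SP 800-53 controls (wording abbreviated, not verbatim).
CATALOG = {
    "id": "nist-800-53-r4",
    "controls": {
        "AC-2": {"statement": "Manage information system accounts.",
                 "params": {"ac-2_prm_1": "frequency for reviewing accounts"}},
        "AU-12": {"statement": "Generate audit records for auditable events.",
                  "params": {}},
    },
}

# Profiles hold control pointers, not copies; a profile may import another profile.
NIST_HIGH = {"id": "nist-high", "imports": "nist-800-53-r4", "controls": ["AC-2", "AU-12"]}
FEDRAMP_HIGH = {
    "id": "fedramp-high", "imports": "nist-high", "controls": ["AC-2", "AU-12"],
    "modifications": {"AC-2": {"guidance": "Constructed FedRAMP guidance text.",
                               "param_constraints": {"ac-2_prm_1": ["monthly"]}}},
}
PROFILES = {p["id"]: p for p in (NIST_HIGH, FEDRAMP_HIGH)}

# Vendor data files carrying base content per component (ports/protocols from the slide).
COMPONENTS = [
    {"name": "Apache 2.4.33", "ports": [80, 443], "protocols": ["http", "https"],
     "service": "web application",
     "controls": {"AC-2": "Constructed: how Apache supports account management."}},
    {"name": "PostgreSQL 10.4", "ports": [5432], "protocols": ["sql"], "service": "RDBMS",
     "controls": {"AC-2": "Constructed: database roles manage accounts.",
                  "AU-12": "Constructed: server logging generates audit records."}},
]

def resolve_profile(profile_id: str) -> dict:
    """Follow the import chain down to the catalog and return {control_id: merged spec}.
    A pointer that does not resolve raises KeyError: that is a traceability failure."""
    profile = PROFILES[profile_id]
    if profile["imports"] == CATALOG["id"]:
        base = {cid: dict(CATALOG["controls"][cid]) for cid in profile["controls"]}
    else:
        parent = resolve_profile(profile["imports"])
        base = {cid: dict(parent[cid]) for cid in profile["controls"]}
    for cid, mods in profile.get("modifications", {}).items():
        base[cid] = {**base[cid], **mods}  # the later profile layer adds or overrides
    return base

def build_ssp(profile_id: str) -> dict:
    """Auto-populate an SSP skeleton: PPS table plus per-control base content from components."""
    spec = resolve_profile(profile_id)
    ssp = {"profile": profile_id, "pps": [], "controls": {}}
    for comp in COMPONENTS:
        ssp["pps"].append({"component": comp["name"], "ports": comp["ports"],
                           "protocols": comp["protocols"], "service": comp["service"]})
    for cid in spec:
        details = [{"component": c["name"], "solution": c["controls"][cid]}
                   for c in COMPONENTS if cid in c["controls"]]
        # Status and parameter values are left unset: they need system-specific tailoring.
        ssp["controls"][cid] = {"pointer": cid, "implementation_status": None,
                                "parameter_values": {}, "component_details": details}
    return ssp

def validate_ssp(ssp: dict) -> list[str]:
    """Checks in the spirit of the slides' automated SSP verifications: every control
    pointer must trace to the catalog, parameter values must satisfy the profile's
    constraints, and fields still awaiting manual tailoring are reported."""
    spec = resolve_profile(ssp["profile"])
    findings = []
    for cid, ctl in ssp["controls"].items():
        if cid not in spec or ctl["pointer"] not in CATALOG["controls"]:
            findings.append(f"{cid}: pointer does not trace to catalog")
            continue
        for pname, allowed in spec[cid].get("param_constraints", {}).items():
            value = ctl["parameter_values"].get(pname)
            if value is None:
                findings.append(f"{cid}: parameter {pname} not set (manual tailoring needed)")
            elif value not in allowed:
                findings.append(f"{cid}: parameter {pname}={value!r} violates constraint {allowed}")
        if ctl["implementation_status"] is None:
            findings.append(f"{cid}: implementation status not set (manual tailoring needed)")
    for cid in spec:
        if cid not in ssp["controls"]:
            findings.append(f"{cid}: required by profile but absent from SSP")
    return findings

if __name__ == "__main__":
    ssp = build_ssp("fedramp-high")
    ssp["controls"]["AC-2"]["parameter_values"]["ac-2_prm_1"] = "annually"  # breaks the FedRAMP constraint
    for finding in validate_ssp(ssp):
        print(finding)
```

The point of the model is the direction of the pointers: the SSP never copies control text, it points at a FedRAMP profile entry, which points at a NIST baseline entry, which points at the catalog, so a validator can walk that chain and flag anything that does not resolve, any parameter value outside the FedRAMP constraint, and every field the auto-populated skeleton still leaves for the CSP to tailor.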
OSCAL OVERVIEW
UPDATED MODEL / ROADMAP
[Diagram; legend on the original slide: Red Text: Complete, Blue Text: Future Plans]
Catalogs: NIST SP 800-53; NIST SP 800-53A; ISO-27000; COBIT; PCI; HIPAA; GLBA
Profiles: NIST SP 800-53 High; NIST SP 800-53 Mod; NIST SP 800-53 Low; FedRAMP High; FedRAMP Moderate; FedRAMP Low; Test Case Workbooks
Implementation and assessment: FedRAMP SAP; Test Case WB; Tools; FedRAMP SAR; POA&M
Status markers: We are here; Finalizing Draft SSP Specification; Ramping up Pilot Activities; 800-53 Rev 5 Transition
CY19 Q3 Pilot Preparations:
o Modeled all SSP content and several attachments in YAML
o Mocked up an SSP and attachments in OSCAL-compliant XML
o Meeting with select CSPs and vendors to participate and/or become early adopters
o Compiled list of 89 common SSP verifications (IN-PROGRESS):
  o 98% can benefit from automation
  o 60% can be fully automated
PUTTING IT TOGETHER
[Diagram: the CSP publishes SSP, Inventory and POA&M in OSCAL; the 3PAO publishes SAP and SAR in OSCAL; the resulting Package is delivered in OSCAL to Leveraging Agencies]
A CSP can use any tool to manage their SSP and inventory, provided they can be published in OSCAL-compliant files.
Each 3PAO can develop their own assessment automation tools, as long as they publish OSCAL-compliant SAP and SAR content.
FedRAMP automation accelerates package validation when receiving content in OSCAL.
Leveraging agencies can import OSCAL-compliant content into any A&A tool they use.
OSCAL TEAM
o Michaela Iorga (NIST): Project lead, NIST
o David Waltermire (NIST): Technical lead, NIST
o Wendell Piez (NIST): XML / Data modeling SME
o Brian Ruf: FedRAMP Automation SME, FedRAMP PMO
o Peter Crayton: Technical Writer, FedRAMP PMO
o Anil Karmel (Contractor): Manages contract vehicle through which SMEs are sub-contracted
o Andrew Weiss (Vendor): Represents Docker and container community
o Gabe Alford (Vendor), Red Hat Inc.
o Ted Steffan (Vendor), AWS, Security Partner Strategist
OSCAL Project Information
OSCAL OVERVIEW: https://pages.nist.gov/OSCAL
REPOSITORY: https://github.com/usnistgov/OSCAL
OSCAL NEWS MAILING LIST: [email protected]
DEVELOPERS’ MAILING LIST: [email protected]
OSCAL QUESTIONS: [email protected]
FedRAMP Information
FedRAMP QUESTIONS: [email protected]
FedRAMP RESOURCES: https://fedramp.gov
Direct
Brian Ruf: [email protected] or [email protected]
QUESTIONS / DISCUSSION
END
SHOW AND TELL