IvanDrag0
@IvanDrag0

I think the released OSCAL 1.0.2 zip file wasn't generated correctly. The JSON schema files all have the following line in them instead of the actual JSON schema:

ERROR: xml-to-json: Element map must have no text content line XX column XX

6 replies
David Waltermire
@david-waltermire-nist
Just updated the draft schema Gist with new schemas based on the latest Java Schema Generator code and OSCAL v1.0.2. There are two variations for each of the JSON and XML schemas. The "no-inline" variants have all types defined as global types. The "inline" variants have types which are declared inline in the metaschema inlined, with the exception of choice/oneOf groups in JSON, which are still global to avoid serious bloat.
Gabriella Forbis
@gewbus
Hello everyone, I'm a college student who is very interested in learning more about OSCAL and its current development. I am new here to the OSCAL community and hope to learn how to use OSCAL, how it works, and to be able to appreciate everyone's work. I hope it's okay for me to join this lobby and learn about everyone's work and experience :)
5 replies
Peter Burkholder (@pburkholder)
@pburkholder
Randomly - how does NIST get to use these nice cloud services that don't have FedRAMP authorizations? (Blue Jeans, Checkbox) -- Do they know something about how to interpret the regulations that I'm missing?
18 replies
degenaro
@degenaro
I seem to be out of sync with respect to model review meetings. The next one is Friday April 8th 10:00?
22 replies
connerlphillippi
@connerlphillippi

Hello everyone! Based on OSCAL's current direction with rules & tests, could the below example of control <> rule <> test <> component relationships be critiqued at a conceptual level, models aside? CC @Apostolos-Delis

Context
Tech: The organization is on AWS.
Control framework under assessment: "Custom"

Control XYZ: All applicable data is encrypted at-rest within {{system_name}}'s environment

Rule (1): Cloud infrastructure datastores are encrypted at-rest utilizing AES-256 or an equivalent, at minimum

  • Test (1): AWS S3 buckets are encrypted at-rest via server-side encryption utilizing AES-256

    • Component Set (a): S3 bucket; count 5; location: account xyz, us-gov-east-1
      • Component Scopes: Custom, NIST 800-53
    • Component Set (b): S3 bucket; count 10; location: account xyz, us-east-1
      • Component Scopes: Custom, SOC 2, ISO 27001
    • Assessment Results: 15/15 S3 buckets in Custom scope are encrypted at rest via 256-bit AES encryption
  • Test (2): RDS databases are encrypted at-rest utilizing AES-256

    • [Same flow as above]

Rule (2): End user devices are encrypted at-rest utilizing AES-256 or an equivalent, at minimum

  • Test (1): User devices are encrypted at-rest utilizing AES-256 via Microsoft Intune

    • Component Set (c): Windows machine; count 100
      • Component Scopes: Custom, NIST 800-53, SOC 2, ISO 27001, HIPAA
    • Assessment Results: 100/100 Windows devices in Custom scope are encrypted at rest via 256-bit AES encryption
  • Test (2): User devices are encrypted at-rest utilizing AES-256 via JumpCloud

    • Component Set (d): Ubuntu machine; count 50
      • Component Scopes: Custom, NIST 800-53, SOC 2, ISO 27001, HIPAA
    • Assessment Results: 50/50 Ubuntu devices in Custom scope are encrypted at rest via 256-bit AES encryption
3 replies
Fen Labalme
@openprivacy
I just came across mention of the "OSCAL Inheritance and Responsibility Model" in a FedRAMP presentation - is such being planned or has it been replaced by another process?
8 replies
Al S
@xee5ch_:matrix.org
[m]
But is that inherited from the org or kind of a pass through from AWS?
Surely AWS is handling the fire control for their data centers not CMS. But components allow for that flexibility! :-)
3 replies
Gary Gapinski
@GaryGapinski

The OSCAL SSP XML Schema allows <set-parameter> subordinate to both <implemented-requirement> and <statement>/<by-component>. I have not found any documentation which asserts that <set-parameter> as an <implemented-requirement> child is overridden by <set-parameter> at any <implemented-requirement>/<statement>/<by-component>. Furthermore, I cannot find any documentation which confines <set-parameter> @param-id to a statement which cites the parameter in a related <insert>. Document order cannot be used (since <statement>s have no explicit ordering; they may have a hierarchy but no hierarchy is mandated).

I intend to interpret <statement>/<by-component>/<set-parameter> as trumping <implemented-requirement>/<set-parameter> (for corresponding parameter identifiers).

I also intend to constrain <statement>/<by-component>/<set-parameter> to be valid only when the referenced parameter occurs in the same statement.

Having multiple <set-parameter>s for a single parameter seems a bit odd with or without any explicitly defined primacy.

39 replies
Alexander Stein
@aj-stein-nist

Hello party people. There was wonderful participation in the 2nd OSCAL REST API Standardization meeting. Many desired the creation of a GitHub repository to create issues, discuss work, and move forward on the REST API standardization effort. First, let's pick a home for that repo. Please review the discussion post and feel free to vote or add your own recommendation.

https://github.com/usnistgov/OSCAL/discussions/1202

They are linked in the above issue, but here is a direct link to the meeting notes as well.

https://hackmd.io/iQEXWmn_QRalExbrsZslsQ

mruge
@mruge
Is there a recurring meeting for the oscal API discussion? Apparently I can't be trusted to make my own appointment on a calendar.
2 replies
David Waltermire
@david-waltermire-nist
Looks like there are multiple vulnerabilities in the Git client. These are fixed in the latest releases (>= 2.35.2).
Gary Gapinski
@GaryGapinski
Related to parameter precedence in SSPs,
<?xml version="1.0" encoding="UTF-8"?>
<?xml-model schematypens="http://www.w3.org/2001/XMLSchema" title="OSCAL complete schema" href="https://raw.githubusercontent.com/usnistgov/OSCAL/v1.0.2/xml/schema/oscal_complete_schema.xsd" ?>
<catalog
    uuid="d30847a0-d1be-4c68-9dc7-b3d43dc71c12"
    xmlns="http://csrc.nist.gov/ns/oscal/1.0">
    <metadata>
        <title />
        <last-modified>2022-04-18T20:45:25Z</last-modified>
        <version>0.1</version>
        <oscal-version>1.0.2</oscal-version>
    </metadata>
    <param
        id="one">
        <value>always</value>
    </param>
    <group>
        <title />
        <param id="one">
            <value>sometimes</value>
        </param>
        <control
            id="one">
            <title />
            <part id="one_smt" name="statement">
                <p>Be careful <insert type="param" id-ref="one"/>.</p>
            </part>
        </control>
    </group>
</catalog>
mruge
@mruge
Anyone have recommendations for how to express conditional implemented requirements? For example, I want to write a Component Definition such that a control is implemented IFF a particular config parameter is set. Is this best done as two different CDEFs (one with, and one without), with a label enabling or disabling the implemented requirement, or... something else?
35 replies
Alexander Stein
@aj-stein-nist
[image attachment: image.png]

I have a question re 800-60v2 Revision 1 information types. For C.3.5.9, the tl;dr is "this is a kind of meta information type, you make a synthetic impact categorization for the confidentiality, impact, and availability triad."

Since OSCAL has base and selected attributes for information-types in the system-information of the system-characteristics of a system-security-plan, and per the docs the base has a cardinality of 1 (so, required), what would I put if there technically is no base value? SP800-60v2r1 docs above.

Code snippet below:
          {
            "uuid": "5820d24a-487a-4748-8bd2-ea4318337816",
            "title": "Information sharing information",
            "description":"TBD",
            "categorizations": [
              {
                "system": "https://doi.org/10.6028/NIST.SP.800-60v2r1",
                "information-type-ids": [
                  "C.3.5.9"
                ]
              }
            ],
            "confidentiality-impact": {
              "base": "????",
              "selected": "fips-199-moderate"
            },
            "integrity-impact": {
              "base": "????",
              "selected": "fips-199-moderate"
            },
            "availability-impact": {
              "base": "????",
              "selected": "fips-199-moderate"
            }
          }
35 replies
Alexander Stein
@aj-stein-nist
Following up on @GaryGapinski and @Ikendiken's feedback during today's Lunch with Devs meeting: who else has feedback about how similar data elements are named or how the names relate to one another? I believe Gary gave the example of parameters versus params and their relationship to set-parameters. Also discussed was how the `implemented-requirement` pertains to control implementation statements (or so they are often called in pre-OSCAL SSPs and misc security documents). What others?
5 replies
Al S
@xee5ch_:matrix.org
[m]
Dave's Dos and Don'ts sounds awesome!
Wendell Piez
@wendellpiez
@gregelin FRBR is a rough-and-ready model used by bibliographers and catalogs to describe things in their collections. https://en.wikipedia.org/wiki/Functional_Requirements_for_Bibliographic_Records
2 replies
Gary Gapinski
@GaryGapinski

I posed a question during the 2022-04-29 OSCAL Model Review regarding how to declare an authoritative DNS service component.
I chose the following. Comments welcomed.

      <component type="DNS-authoritative-service"
                 uuid="d7d0d99c-a14b-4f3e-b126-e7dc0dd90454">
         <title>Authoritative DNS service</title>
         <description>
            <p>Authoritative DNS service for the following zones.</p>
         </description>
         <prop name="asset-type" value="service"/>
         <prop name="DNS-zone" value="example.com.">
            <remarks>
               <p>An example of a DNS zone (sometimes referred to as a domain or sub-domain). The zone name resembles a host name but is specifically a DNS resource name of the SOA RR for the zone.</p>
            </remarks>
         </prop>
         <prop name="DNS-zone" value="example.org"/>
         <status state="operational"/>
         <protocol name="domain"><!-- ☚ Note the use of IANA service name (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml) --></protocol>
         <remarks>
            <p>Each zone must have a DNS SOA RR at the authoritative service.</p>
         </remarks>
      </component>

The related Schematron validation is on an ephemeral (at this time) branch.

degenaro
@degenaro
Hi @david-waltermire-nist , is there yet a link to an available json outline comprising the "complete-with-mapping" given by the XML here https://gist.github.com/david-waltermire-nist/ad5fba71ccfe4d5a07b6b8b07238b0d4?
1 reply
Lance Bragstad
@rhmdnd
Hi folks - I've walked through the various models and I'm curious if there are any examples where a software component has automated steps associated with it for scanning purposes. Is this something that can be expressed using control-implementations or something else?
9 replies
David Waltermire
@david-waltermire-nist
I released a new version (v0.7.0) of metaschema-java yesterday. Working on liboscal-java now.
5 replies
Vikas Agarwal
@vikas-agarwal76

Trestle v1.0.1 Release

We have recently released the stable / production version of Trestle v1.0.1 (an Open Source OSCAL SDK) supporting the latest NIST OSCAL v1.0.2 standard. Trestle is an ensemble of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. This stable version includes many new capabilities, updates to streamline the command line interface by making the options consistent across various commands, and numerous bug fixes. It can be installed as a Python package from PyPI - https://pypi.org/project/compliance-trestle/ or can be downloaded from GitHub - https://github.com/IBM/compliance-trestle

3 replies
1z10
@1z10:matrix.org
[m]
Hi @david-waltermire-nist I would like to start using the library liboscal-java. Is there some example on how to use it to load a JSON OSCAL catalog?
7 replies
1z10
@1z10:matrix.org
[m]
Thanks, I will try
1z10
@1z10:matrix.org
[m]

Hi @david-waltermire-nist thanks, I was able to load the NIST SP800-53 Catalog from https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json

Now I'm trying to model the CIS Controls to OSCAL following this TRESTLE demo: https://github.com/MaurizioCasciano/compliance-trestle-demos/tree/CIS-Controls/CIS_controls

CIS Controls seems to have two extra fields I would like to map in OSCAL format: Asset Type and Security Function. To which control OSCAL property could they be mapped? Is there something equivalent with the NIST SP 800-53 controls?

48 replies
Gerardo Lisboa
@gvlx:matrix.org
[m]
Yes, temporal parameters must be encoded into numeric expressions. For instance, in SQL these can be encoded as ranges with something like "(interval 1 year) > period".
Gerardo Lisboa
@gvlx:matrix.org
[m]
Maybe all these questions have already been answered elsewhere. Would you like to consider using the OASIS' DMN standard as a basis for your decision models? You could use its FEEL language as a textual representation too. Here is a site with some examples:
3 replies
Alexander Stein
@aj-stein-nist

@GaryGapinski re the discussion in today's meeting about semantic relations for different things

The nature of the reference depends on the types of the nodes in the graph. E.g., control to control, control to resource, resource to control, control to group, etc.

being only encoded in @rel

is the nature solely defined by @rel (despite the related nodes)?

The wonderful answer is: it depends on the types of nodes in the graph, as you put it. We talked about identifiers, but you can tell it is talking about this thing when we talk about identifiers and their uniqueness in usnistgov/OSCAL#941.

15 replies
David Waltermire
@david-waltermire-nist
I just released OSCAL 1.0.4. This patch release fixes a defect in the JSON schemas released with OSCAL 1.0.3. Please use this release instead of the 1.0.3 release.
Lance Bragstad
@rhmdnd
I was reading through the example catalog and I'm wondering if s1.1.1-prm11 is a typo? I wasn't able to find a reference to it anywhere else but the document does have s1.1.1-prm1 - https://github.com/usnistgov/oscal-content/blob/main/examples/catalog/yaml/basic-catalog.yaml#L61
Wendell Piez
@wendellpiez
@rhmdnd that sure looks right. That sample was made by hand IIRC. Just made usnistgov/oscal-content#106 thank you!
Lance Bragstad
@rhmdnd
@wendellpiez thanks for confirming - I was going to push a patch but I wanted to make sure I wasn't getting in the way of an automated process. I'll get something up for review in a few minutes
Wendell Piez
@wendellpiez
It's a fair question. It needs to be patched at the source.
... which is probably not the YAML, actually ...
Wendell Piez
@wendellpiez
Indeed (I just pasted that same link into my buffer, ha)
Lance Bragstad
@rhmdnd
usnistgov/oscal-content#95 is already up for review
2 replies
Wendell Piez
@wendellpiez
Oh perfect! See, this is the repo with the most work piled up on us... lemme annotate that Issue I just made.
We could probably use more and enriched examples, also.
Lance Bragstad
@rhmdnd
Ok - I left a comment on the review, too. Thanks for the help!
Wendell Piez
@wendellpiez
You are welcome and thanks for helping improve things as well --
Lance Bragstad
@rhmdnd
I actually have a question on catalog parameters - is another model (AP, SSP) supposed to be the mechanism for selecting the parameter?
11 replies
Lance Bragstad
@rhmdnd
@rgauss Do you know if there has been any interest in expanding the oscal-rest definition to include an assessment results endpoint?
4 replies
mruge
@mruge
Lazy and stupid question. Where is the tool that lets us convert between JSON/YAML/XML? I thought I remembered someone talking about it, but it's not on https://pages.nist.gov/OSCAL/tools/ or https://github.com/oscal-club/awesome-oscal
5 replies
degenaro
@degenaro
Dave & AJ, I have the hugo based website running. How do I get the mapping model updates installed? Thx!
23 replies