Michaela Iorga
@iMichaela
The new version of TRADES Tool is now available online and is based on state-of-the-art modeling methodologies, and it provides an integrated workbench for systems security engineers as well as for systems engineers to design secured systems. https://github.com/IAI-Cyber/TRADES/
3 replies
Congratulations to @adaussy, @tairlo, @Avi
Arthur Daussy
@adaussy

@iMichaela Thanks. For the moment the integration is quite light:

  • We can import any OSCAL Catalog and use any Control defined in it
  • The editing of an OSCAL catalog is quite light for the moment.

We plan to improve the handling of user properties in the next release. @david-waltermire-nist thanks for your support

mruge
@mruge
Been going in circles about how to parse IaC to generate some amount of OSCAL, for building SBOMs, or components, etc. If anyone is interested in brainstorming or bouncing ideas around about that, let me know and we can find a good place for that. I don't want to muddy up this channel :)
13 replies
Michaela Iorga
@iMichaela
@adaussy It is a great tool overall - I like it - and I hope OSCAL will help you enhance other features and be able to integrate with other GRC tools in the future.
Alexander Stein
@ohsh6o

Is this workshop slide deck moved or has it been relocated somewhere?

https://pages.nist.gov/OSCAL/downloads/OSCAL-workshop-20191105.pdf

David Waltermire
@david-waltermire-nist
2 replies
SilentEsper
@SilentEsper
will the provided-uuid on the inherited field in the by-component assembly always refer to a leveraged authorization?
Michaela Iorga
@iMichaela
SilentEsper
@SilentEsper
ah, that helps, thanks @iMichaela
Michaela Iorga
@iMichaela
@SilentEsper The `export/provided-uuid` describes in the leveraged SSP what may be inherited.
Ray Gauss II
@rgauss
@ohsh6o, should I file an issue in the fedramp-automation repo for JSON profiles missing JSON rlinks in the catalog back-matter resources, (somewhat similar to usnistgov/oscal-content#59, though in this case there is not a media type / extension mismatch) or is this a known issue?
2 replies
David Waltermire
@david-waltermire-nist
The new docs pages are online. We are working to get the rest of the 1.0.0 release done. There are a few broken links to release pages right now that will be fixed.
xee5ch
@xee5ch:matrix.org
[m]

Is there a reason we enforce disable-output-escaping as always true and not parameterize it? Is the processing instruction wrapper just to be cautious and inspect the JSON prior to returning it? I notice running the transform on the shell with the command line does not wrap, and I got caught trying to figure this out when converting a catalog programmatically with eXist-DB and XQuery/XSLT, but not shell. Took me a while to figure this out.

https://github.com/usnistgov/OSCAL/blob/main/json/convert/oscal_catalog_xml-to-json-converter.xsl#L74-L76

11 replies
xee5ch
@xee5ch:matrix.org
[m]
I guess I thought you all did customization of data and don't just "cast it to JSON" so I guess I need to read more of these scripts. :-) (Sorry, I started using Matrix because the Gitter clients are bad, still trying to get a hang of all the threading!)
22 replies
David Waltermire
@david-waltermire-nist
FYI. We are still migrating the OSCAL content to OSCAL 1.0.0. This will be done later today.
Gary Gapinski
@GaryGapinski
Will https://raw.githubusercontent.com/usnistgov/OSCAL/release-1.0/xml/schema/oscal_complete_schema.xsd be the "canonical" URI for the composite 1.0.0 OSCAL schema, or will it live elsewhere?
20 replies
SilentEsper
@SilentEsper
Will the 800-82 catalog be available in OSCAL?
8 replies
Brian Ruf
@brian-ruf

All: I’ve mostly just lurked in this group since departing the FedRAMP PMO and the NIST OSCAL Program at the end of February, and wanted to break that silence to congratulate all of you for achieving OSCAL 1.0.0 this week!

This would not have been possible without contributions from so many of you on this channel.

We would not be here at all if Michaela hadn’t been so tenacious with her vision for OSCAL and convinced NIST to fund it, and then went on to be the champion for it across government, industry, and even across continents.

We would also not be here if not for Dave’s technical vision and leadership - keeping us prioritized and on track - and incorporating lessons learned from similar initiatives.

Wendell’s amazing knowledge of XML and its associated technologies, his ability to churn out robust XSLT, and his decades of insights/experience with similar efforts were also critical to reaching this point.

Others like Andrew, Anil, AJ, Dmitry, and Avril have all contributed significantly to OSCAL’s arrival at this point.

Departing was a difficult decision, so this week is bitter/sweet for me. I’m proud to say I was a part of this community and was able to contribute to this critical milestone.
Many vendors were waiting for 1.0.0 before they invested. Now they can!
I am eager to see all of the positive ways OSCAL will disrupt our industry.
THIS is when everything changes!
Congratulations!

1 reply
Wendell Piez
@wendellpiez
Thanks for the kind words @brian-ruf, as well as for your own essential contributions to the effort -- Here's to much OSCALing to come --!
Alexander Stein
@ohsh6o
I like to think of OSCAL as a continuous work in progress, a Ruf draft if you will. ;-) (OK, I’ll see myself out now that I keep the old traditions alive.)
Wendell Piez
@wendellpiez
I can hear the yeah yeah in my head.
SilentEsper
@SilentEsper
I am very grateful that the official release includes the complete schema, it really made re-generating the types a breeze!
Michaela Iorga
@iMichaela
@brian-ruf I still consider you one of us… and we would not have been here without your three years’ hard work and dedication to this project. Thank you very much for your kind words, AND as I told the world on LinkedIn - WE thank you for being a member of our family for as long as it lasted and want you to know we keep the arms open… in case you find the time and energy to come back :)
1 reply
David Waltermire
@david-waltermire-nist
I just released a tagged version of the OSCAL content aligned with OSCAL 1.0.0.
1 reply
mruge
@mruge
Are there any examples for AP and ARs, like there are for the implementation layer?
16 replies
Alexander Stein
@ohsh6o
Thanks for having me today, do you all want me to convert the presentation to PDF to post it up somewhere?
mosi-k-platt
@mosi-k-platt
that would be great
mosi-k-platt
@mosi-k-platt
@ohsh6o Thx for presenting on the dataset origin & versioning issue today. The reason I asked @iMichaela about work with the UCF because the issue reminds me of the use case for Self-Describing Policies, Processes and Procedures (https://pages.nist.gov/OSCAL/about/use-cases/#self-describing-policies-processes-and-procedures) - except for controls. When @wendellpiez mentioned verification, it seems a collaboration with UCF would be a great way to do that since they already document and map controls and frameworks in machine readable format. It would be very cool if controls from a trusted source like UCF could be used in the OSCAL catalog model and contain all the info you outlined as necessary for "dataset origin and versioning". It would be even cooler if UCF provided an integration that vendors could use to verify and update catalogs with the latest info from UCF.
8 replies
SilentEsper
@SilentEsper
I'm very happy to see these questions being surfaced! I've come up with a temporary solution, but I would love to be extremely confident in the ability to import oscal document and resolve resources, links and imports
Wendell Piez
@wendellpiez
I just made a PR into the oscal-tools repo that could be useful (to @ohsh6o @mruge @degenero at least) - it contains an XSLT you can use to produce valid 'stub' documents. In my branch (before merging) this is at https://github.com/wendellpiez/oscal-tools/tree/updates-v1.0.0-jun2021/xslt/generate/generate-oscal.xsl
Please comment on the PR especially if this is useful usnistgov/oscal-tools#19
(And @GaryGapinski yes, this XSLT is generated from Metaschema source by the XSLT next to it.)
Alexander Stein
@ohsh6o
Sweet, I’ll check it out later!
8 replies
Alexander Stein
@ohsh6o

So forgive my ignorance but I am trying to track down documentation and example references that break schema. A previously existing SAP field `prop[@name="updates-uuid"]` is referenced in some remarks without a custom @ns tag in docs, but I do not see a lot of explanation about this being supported in OSCAL.

https://github.com/GSA/fedramp-automation/blob/master/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml#L395-L408

Is this an old, obsolete, and unsupported prop in the OSCAL namespace? I cannot find anything explicitly about updates-uuid in either NIST or FedRAMP docs.

Is there any background on this that anyone recalls?
Alexander Stein
@ohsh6o

Ok 2nd inquiry: does it stand to reason inside an assessment-subject of a given type that inside it you would exclude-subject or include-subject where it does not match the same type? This seems repetitive but I had not noticed before.

https://github.com/GSA/fedramp-automation/blob/master/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml#L755

https://github.com/GSA/fedramp-automation/blob/master/templates/sap/xml/FedRAMP-SAP-OSCAL-Template.xml#L761

Would you use this to exclude specific other kinds of types nested within `//assessment-subject[@type="component"]`? Because I am not sure how else you would want them to not match.

Wendell Piez
@wendellpiez
@ohsh6o if there are linked information sets that carry other or contradictory -- or even confirming -- information about (nominal) types, that is informative. I can see a system emitting warnings saying "you said type X but I see type Y." Alternatively you could leave things unchecked and "correct in proof" -- by seeing what bubbles up.
24 replies
David Waltermire
@david-waltermire-nist
It appears that pages.nist.gov is having some issues. I contacted the server admins. Waiting to hear back from them.
1 reply
Michaela Iorga
@iMichaela
It had issues last night too…
Alexander Stein
@ohsh6o
It wasn’t only me? I thought it was just me. I noticed my cellular 4G network could resolve it (pages.nist.gov) and nist.gov on my residential home network. Any data that could help you?
Wendell Piez
@wendellpiez
@liamquin hey can you remind me and @ohsh6o if there is an XML-syntax expression for XQuery in some form? XQuery serialized (and consumable) as XML, I mean ... say you wanted to generate XQuery programmatically.
6 replies
David Waltermire
@david-waltermire-nist
@ohsh6o I don't think so.
1 reply
Ray Gauss II
@rgauss
@david-waltermire-nist, you mentioned you’d be able to take a look at the PR for the broken example component definition: usnistgov/oscal-content#74. Do you know if that will happen sometime soon, or should we workaround the issue for now?
1 reply
Wendell Piez
@wendellpiez
Appearing with giants on the Balisage program: https://www.balisage.net/2021/Program.html. Late-breaking program just announced -- many awesome papers including one from @joshualubell.
5 replies
Alexander Stein
@ohsh6o
Also, if you do not mind, I fixed usnistgov/oscal-content#73 upstream with FedRAMP repo so this can be closed, thanks!
SilentEsper
@SilentEsper
I am planning to start supporting XML, what is the simplest way to convert XML to JSON and JSON to XML?
Also, does anyone use YAML?
4 replies