CMSgov / ars-machine-readable

Publish a machine readable version of the ARS standards to facilitate compliance as code efforts.

OSCAL XML and YAML Version of CMS ARS 3.1 Controls #5

Open tohch4 opened 2 years ago

tohch4 commented 2 years ago

Is it possible we publish the XML and YAML alongside the JSON? I am willing to help with this. :-)

andres-gov commented 2 years ago

@tohch4 we definitely welcome collaboration. @TMCamp can you provide guidance?

tohch4 commented 2 years ago

@andres-gov and @TMCamp: per the documents here, are you generating these profiles with GovReady? Are you using some other tool?

Tom-Camp commented 2 years ago

@tohch4 - we are not generating the catalog using GovReady. We used some Python scripts to generate the catalog and are trying to determine whether to incorporate them into GovReady or to build a set of OSCAL tools. We are leaning towards building a set of tools that can be incorporated into any application. For example, we've built a few tools around Open Control, one piece of which is converting Open Control components to OSCAL JSON: CivicActions Compliance-IO; https://github.com/CivicActions/compliance-io/blob/main/examples/oc_to_oscal_components.py

tohch4 commented 2 years ago

Ok cool, I will take a look at those scripts, they sound interesting.

@Tom-Camp, are you going to build a whole alternative pipeline and supporting tooling to implement the whole profile resolution spec? In the interim, using the freely available tooling from NIST (FedRAMP does the same) to take the raw catalogs and derive the FISMA Low, Moderate, and High impact profiles would make long-term sustainability much easier if you are down for it.

Can we meet some time and discuss?
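To make the two things discussed above concrete (publishing the catalog in a second serialization, and deriving an impact-level profile from the raw catalog), here is an added example that is not code from this repository, from CivicActions, or from NIST's tooling. It resolves a constructed, OSCAL-shaped catalog against a constructed profile and emits the result as YAML using only the standard library. The catalog, profile, control IDs and UUIDs are all made up for the example; the resolution covers only the `include-all` / `include-controls` `with-ids` selection step, not the merge, modify, or parameter-setting phases of the full OSCAL profile resolution specification.

```python
"""Simplified OSCAL-style profile resolution plus YAML output (stdlib only).

All data below is constructed for illustration: it is not the CMS ARS 3.1
catalog, and the resolver implements only the control-selection step of
OSCAL profile resolution (no merge/modify phases, no parameter setting).
"""
import json
import uuid

# Constructed sample: an OSCAL-shaped catalog with two groups and four controls.
SAMPLE_CATALOG = {
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",  # placeholder UUID
        "metadata": {"title": "Constructed sample catalog", "version": "0.1"},
        "groups": [
            {"id": "ac", "title": "Access Control", "controls": [
                {"id": "ac-1", "title": "Access Control Policy and Procedures"},
                {"id": "ac-2", "title": "Account Management"},
            ]},
            {"id": "au", "title": "Audit and Accountability", "controls": [
                {"id": "au-2", "title": "Audit Events"},
                {"id": "au-12", "title": "Audit Generation"},
            ]},
        ],
    }
}

# Constructed sample: a profile selecting two controls by ID from that catalog.
SAMPLE_PROFILE_LOW = {
    "profile": {
        "uuid": "00000000-0000-4000-8000-000000000002",  # placeholder UUID
        "metadata": {"title": "Constructed Low baseline", "version": "0.1"},
        "imports": [
            {"href": "#catalog", "include-controls": [{"with-ids": ["ac-1", "au-2"]}]}
        ],
    }
}


def iter_controls(node):
    """Yield every control beneath a catalog, group or control (OSCAL nests enhancements)."""
    for ctl in node.get("controls", []):
        yield ctl
        yield from iter_controls(ctl)


def control_ids(catalog_doc):
    """All control IDs in a catalog document, in document order."""
    cat = catalog_doc["catalog"]
    ids = [c["id"] for grp in cat.get("groups", []) for c in iter_controls(grp)]
    ids.extend(c["id"] for c in iter_controls(cat))  # controls placed outside any group
    return ids


def _selected(import_entry, available):
    """Turn an import's include-all / include-controls into the set of wanted IDs.

    A profile that names a control the catalog does not have is rejected rather
    than silently producing a thinner baseline than the author intended.
    """
    if "include-all" in import_entry:
        return set(available)
    wanted = set()
    for sel in import_entry.get("include-controls", []):
        wanted.update(sel.get("with-ids", []))
    missing = wanted - set(available)
    if missing:
        raise ValueError(f"profile references unknown control ids: {sorted(missing)}")
    return wanted


def _filter_controls(controls, keep):
    """Keep a control if it, or any nested enhancement, is selected (a simplification)."""
    out = []
    for c in controls:
        kept_children = _filter_controls(c.get("controls", []), keep)
        if c["id"] in keep or kept_children:
            copy = {k: v for k, v in c.items() if k != "controls"}
            if kept_children:
                copy["controls"] = kept_children
            out.append(copy)
    return out


def resolve_profile(profile_doc, catalogs):
    """Resolve a profile against the catalogs it imports (dict keyed by import href)."""
    prof = profile_doc["profile"]
    groups_out = []
    for imp in prof["imports"]:
        cat_doc = catalogs[imp["href"]]
        keep = _selected(imp, control_ids(cat_doc))
        for grp in cat_doc["catalog"].get("groups", []):
            kept = _filter_controls(grp.get("controls", []), keep)
            if kept:  # groups with no selected controls drop out of the resolved catalog
                groups_out.append({"id": grp["id"], "title": grp["title"], "controls": kept})
    return {"catalog": {
        "uuid": str(uuid.uuid4()),  # a resolved catalog is a new OSCAL document
        "metadata": {"title": prof["metadata"]["title"] + " (resolved)",
                     "version": prof["metadata"]["version"]},
        "groups": groups_out,
    }}


def _scalar(v):
    """Render a leaf value as a YAML scalar; strings use JSON quoting, which YAML accepts."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if v is None:
        return "null"
    if isinstance(v, (int, float)):
        return str(v)
    if isinstance(v, (dict, list)):  # only reached for empty containers
        return "{}" if isinstance(v, dict) else "[]"
    return json.dumps(str(v))


def to_yaml(obj, indent=0):
    """Tiny YAML emitter for the dict/list/scalar shapes OSCAL JSON uses."""
    pad = "  " * indent
    lines = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)) and v:
                lines.append(f"{pad}{k}:")
                lines.append(to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    elif isinstance(obj, list):
        for item in obj:
            if isinstance(item, dict) and item:
                body = to_yaml(item, indent + 1).splitlines()
                lines.append(f"{pad}- {body[0].lstrip()}")  # first key rides on the "- " line
                lines.extend(body[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    else:
        lines.append(f"{pad}{_scalar(obj)}")
    return "\n".join(lines)


if __name__ == "__main__":
    resolved = resolve_profile(SAMPLE_PROFILE_LOW, {"#catalog": SAMPLE_CATALOG})
    print(json.dumps(resolved, indent=2))  # the JSON form the repository already publishes
    print(to_yaml(resolved))               # the same document as YAML
```

Swapping `to_yaml` for PyYAML's `yaml.safe_dump` is the obvious production choice; the hand-rolled emitter is here only so the example runs with no dependencies. The unknown-ID check is the part worth keeping whatever tooling is chosen: a baseline that silently loses controls when a catalog is revised is worse than a build that fails.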

openprivacy commented 2 years ago

@tohch4 We would like someone to build profile resolution tooling in Python and JSON. If that ends up being us, we'll do it. ;-) We have not started yet (we're still getting our heads around the process) and we are also investigating how components may be composed to provide implementation statements and enable assessment processes for an application (once the catalog has been resolved).

tohch4 commented 2 years ago

> We would like someone to build profile resolution tooling in Python and JSON ...

@openprivacy, nice to see you in these here parts! Are you tracking that work here or against the CivicAction/compliance-io repositories?

openprivacy commented 2 years ago

@tohch4 - We're building tools in several places: several repos under github.com/CivicActions, several in CMS-branded GitHub. Goal is to make everything that we can FOSS and useful for all toolsets/applications/GRCs (though I like thinking outside the GRC...). Ultimately, we'd like to have a reference set of vetted components in a Federal Compliance Library git repo, perhaps with a set of reference tools for profile resolution, component composition, overlays, gap analysis, verification processes and assessment support. It would be great to have everything under one root, but it may be even better to create a distributed suite of tools that provide specific capabilities that can be used separately or together. Goal is to raise all boats and make everyone's life easier while increasing security and supporting continuous authorization. (Oh, and world peace.)

I saw your FedRAMP work, which is awesome. Where are you putting (would you like to put) your focus now?

tohch4 commented 2 years ago

> Ultimately, we'd like to have a reference set of vetted components in a Federal Compliance Library git repo, perhaps with a set of reference tools for profile resolution, component composition, overlays, gap analysis, verification processes and assessment support.

I have colleagues in my team who are interested in contributing to this effort, based on the agency-wide policy control work that every one of our delivery teams in CMS does and is repetitive. Would that be in the FCL repo? Is the FCL repo extant and public yet?

> and world peace.

I guess we'll get there. 😆

openprivacy commented 2 years ago

This is great. Yes, we see standard sets of controls (like the cmscloud-inherited controls from the compliance as a service team) being made available across CMS and ideally sanitized so that could be made available across all federal agencies (and maybe the private sector, too). We have the beginnings of a component library, but nothing published yet. That said, I'm thinking that a manifest similar to code.json may enable the FCL to be distributed, which would be ideal as an agency could "subscribe" to both internal (private) as well as public libraries.

We should talk about how we can best collaborate.

andres-gov commented 2 years ago

@openprivacy @Tom-Camp @tohch4 any next steps on this?

openprivacy commented 2 years ago

A couple ideas...

We're pulling the ARS Moderate profile into Blueprint now. As 800-53rev4 -> rev5 OSCAL transformations are being worked on (see e.g. http://xml.garygapinski.com/OSCAL/800-53-compare.html) I'd like to see us create similar comparisons and perhaps automate a few processes for migrating from ARS 3.1 -> 5.0.

Related, I know several groups are generating CDEFs (Component Definitions). Preparing our component library for public access would be beneficial to all as we likely would learn a lot through feedback (and perhaps help a few others along the way).

tohch4 commented 2 years ago

I would be interested in exploring this next week, @openprivacy and @andres-gov. I will be on leave and can focus on it. When should we discuss?

xee5ch commented 2 years ago

@tohch4 seems to be inactive now, but I am ready to pick this up. I see the ATO Blueprint code has been released publicly now :clap:, but does this mean the source of truth will be the OSCAL JSON export of the catalog from that tool?

How are you using this to track changes from the core CMS ARS/RMF CISO's team in ISPG for the ARS 3.1 to 5.0 transition? The CISO has been publicly messaging on social media his request for comment.

As a community member, I am a big supporter of CMS since you are the first consumer agency of OSCAL to lead by example, so I am excited to get involved. :-)