cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

Cloud Native Security Controls Mapping to NIST ( Phase II for #635) #845

Closed achetal01 closed 3 months ago

achetal01 commented 2 years ago

This project is Phase II for Issue #635 Cloud Native Security controls. This will be completed in collaboration with CCM from CSA.

Scope -

- Mapping to existing frameworks and regulations (CSA, NIST, FedRamp, SOX, GDPR, etc.)
- Conversion to machine readable format (OSCAL, JSON, etc.)
- Inclusion of tests to validate/verify (both process and technical tests as appropriate)
- Application to security reviews to improve consistency of CNCF Security TAG reviews

This controls catalogue should also address requirements for Auditors for Cloud Native Platforms

Impact: Describe the customer impact of the problem. Who will this help? How will it help them?

Scope: How much effort will this take? It is OK to provide a range of options or "not yet determined" for initial proposals. Feel free to include proposed tasks below or link a Google doc.

TO DO

Meeting Hangouts Link: (https://meet.google.com/gra-vpip-uvu)

PushkarJ commented 2 years ago

@achetal01 should we include SSDF mapping to TAG Security papers, in scope for this proposal too?

anners commented 2 years ago

Hopefully I am not too late to the party. I would like to contribute to this work.

achetal01 commented 2 years ago

Yes, Pushkar, we should add SSDF mappings to the scope. Thanks


achetal01 commented 2 years ago

Ann yes please comment on the issue as well so you can be added to the working group.

Thanks Aradhna


anners commented 2 years ago

@achetal01 is this not the correct issue to comment on? If not, can you let me know the correct ID and I will comment. TIA

JonZeolla commented 2 years ago

@PushkarJ @achetal01 I agree; we have been using SSDF behind the scenes in the first phase (#635) and it has been great to help crosswalk frameworks, and provide illustrative examples.

JonZeolla commented 2 years ago

Hi @anners this is the right issue to comment on for phase 2. We are wrapping up phase 1 in #635 in the next few weeks and should be moving over to this issue soon thereafter

faisalrazzak commented 2 years ago

@achetal01 @PushkarJ Happy to contribute w.r.t NIST SP 800-218 in Phase II of this mapping. Please include me.

pratiklotia commented 2 years ago

+1, continuing from phase1

JonZeolla commented 2 years ago

If you're interested in participating, please vote for what meeting time works best for you!

https://doodle.com/meeting/participate/id/b82gO95e/vote

JonZeolla commented 2 years ago

Voting will be open until May 11th

JonZeolla commented 2 years ago

@achetal01 can you please update the initial comment in this issue with the following:

achetal01 commented 2 years ago

Okay I will update the issue

Thanks


Keeifer commented 2 years ago

Hi, stoked to be here, but it looks like I am late to the party on 2022-05-31. Will there be another?

JonZeolla commented 2 years ago

Hi @Keeifer we meet every other week, meaning we have a meeting this Tuesday but I won't be there for this one. We also work asynchronously in #tag-security-controls in the CNCF slack.

brandtkeller commented 2 years ago

Leaving a comment to annotate my interest in supporting this activity. Some background in OSCAL leaves me interested in seeing how I can assist.

JonZeolla commented 2 years ago

@brandtkeller sounds great! Feel free to jump into the slack channel, and if you'd like the meeting invite you can direct message me your email address. We have a status meeting on 6/28 but mostly work asynchronously

anners commented 2 years ago

Should I be attending the policy-wg or the tag-security-controls meeting to contribute to this?

JonZeolla commented 2 years ago

Hi @anners we chat in the #tag-security-controls channel in the CNCF slack and we have a biweekly meeting, next meeting is 7/26. Right now we aren't affiliated with the policy-wg but open to collaboration

JonZeolla commented 2 years ago

We are going to start working on this and managing our backlog in a repository - https://github.com/cloud-native-security-controls/controls-catalog

mnm678 commented 2 years ago

I'm working on a related effort to map the supply chain security white paper to tooling: https://docs.google.com/spreadsheets/d/1LfAgoYesySfg7bkiUgihNWGDpyKsMNt6xTBi303IAcg/edit#gid=0, related to #960

xee5ch commented 2 years ago

Howdy, I read up on #635 to get current after a long hiatus and wanted to know how I and/or other members of the oscal.club community can pitch in to help with OSCAL bootstrapping (if that is in fact part of this issue and not scoped elsewhere). Or should I direct my interest and attention somewhere else, such as cloud-native-security-controls/controls-catalog?

Love to see what you all have been up to, whether or not I am involved, keep up the good work!

JonZeolla commented 2 years ago

@xee5ch we're tracking our granular tasks on https://github.com/cloud-native-security-controls/controls-catalog and have a biweekly 45m meeting - next meeting 2pm Eastern on 8/9 (meeting notes and details links in the first post are still valid). We also chat in the CNCF slack in #tag-security-controls. Now would be a great time to get involved! I'm on vacation this week but looking forward to chatting more

xee5ch commented 2 years ago

Sounds good, I will try to follow up before that next meeting and/or try to attend. :-)

JonZeolla commented 2 years ago

@achetal01 / @lumjjb this is actively being worked on, should we update the labels from proposal to project?

achetal01 commented 2 years ago

Yes, that makes sense, Jon. Let's change this to "in work".


lumjjb commented 2 years ago

Sgtm.

Process wise, we should also do a presentation to the group on the proposed work and get feedback from the broader group.


JonZeolla commented 2 years ago

We already have a task to create a roadmap. Once we have that it would be a good point to present

https://github.com/cloud-native-security-controls/controls-catalog/issues/16

lumjjb commented 2 years ago

sounds good, let's get that done, present and we can toggle to a project.

JonZeolla commented 2 years ago

We have a draft roadmap being worked out in #tag-security-controls and https://github.com/cloud-native-security-controls/controls-catalog/issues/16

baiyungao commented 2 years ago

I would love to contribute. please advise how to proceed.

JonZeolla commented 2 years ago

Hi @baiyungao you can start by joining us in the CNCF slack in #tag-security-controls or via the biweekly meetings in https://meet.google.com/gra-vpip-uvu every other Tuesday at 2pm ET (next meeting is 9/20). Looking forward to it!

baiyungao commented 2 years ago

Great! Thank you very much.

-Ben


JonZeolla commented 1 year ago

@achetal01 can you please update the meeting location to use Zoom?

Migrate to Zoom:

CNCF TAG Security is inviting you to a scheduled Zoom meeting.

Topic: TAG-Security Controls Working Group
Time: This is a recurring meeting. Meet anytime.

Join Zoom Meeting: https://zoom.us/j/95131392155

Meeting ID: 951 3139 2155

One tap mobile:
+16469313860,,95131392155# US
+16465588656,,95131392155# US (New York)

Dial by your location:
+1 646 931 3860 US
+1 646 558 8656 US (New York)
+1 309 205 3325 US
+1 312 626 6799 US (Chicago)
+1 301 715 8592 US (Washington DC)
+1 669 900 6833 US (San Jose)
+1 719 359 4580 US
+1 253 215 8782 US (Tacoma)
+1 346 248 7799 US (Houston)
+1 386 347 5053 US
+1 564 217 2000 US
+1 669 444 9171 US
877 369 0926 US Toll-free
855 880 1246 US Toll-free
+1 778 907 2071 Canada
+1 780 666 0144 Canada
+1 204 272 7920 Canada
+1 438 809 7799 Canada
+1 587 328 1099 Canada
+1 647 374 4685 Canada
+1 647 558 0588 Canada
855 703 8985 Canada Toll-free

Meeting ID: 951 3139 2155
Find your local number: https://zoom.us/u/aekQVctnFv

JonZeolla commented 1 year ago

@achetal01 when you get a chance can you make the meeting location update from above? Thanks!

JonZeolla commented 1 year ago

Slides for our 2022-09-05 TAG-Security presentation: https://docs.google.com/presentation/d/1h-tep3EDNw6WME1f-29ZELiIr4GxV31lrYprUwx_Xks/edit

JonZeolla commented 1 year ago

@lumjjb presentation occurred earlier this week and is linked above. Once I see the recording on YouTube I will link it here, we should be good to toggle this one to a project and also make sure it's added to the CNCF calendar?

achetal01 commented 1 year ago

https://github.com/cncf/tag-security/issues/845

This is the correct issue


stale[bot] commented 1 year ago

This issue has been automatically marked as inactive because it has not had recent activity.

JonZeolla commented 1 year ago

We are working to fold our outputs into other initiatives, then plan to complete this issue

lumjjb commented 1 year ago

@JonZeolla can you give an update on timeline for this and update the issue? Thanks!

JonZeolla commented 1 year ago

@lumjjb I will put something together

anvega commented 1 year ago

@JonZeolla Is there a status update to share here on the issue?

JonZeolla commented 1 year ago

@anvega we are currently working on generating OSCAL from the csv that we created in the previous phase but unfortunately have no expected timeline.

JonZeolla commented 1 year ago

Our goal is to couple OSCAL artifacts with future paper releases including new revisions using the OSCAL generator, and the current workload is to automate what we have for the supply chain best practices and cloud native security white paper v1 and v2

anvega commented 1 year ago

Thanks for the update, @JonZeolla. Is it fair to say that with no expected timeline, this is still an ongoing effort subsumed by those working as a workgroup around controls? If it's just business as usual or an active workstream for that workgroup, I suggest we close the issue as the work was already kickstarted. Is that good with you?

JonZeolla commented 1 year ago

@anvega I would like to keep this open until we fold the work we did back into this repo, including the OSCAL artifacts which are still WIP, then we can close.

northdpole commented 11 months ago

@JonZeolla, do you have a link to the CSV? I may have missed it, but I couldn't find it anywhere.

JonZeolla commented 11 months ago

@northdpole https://github.com/cloud-native-security-controls/controls-catalog/blob/main/controls/controls_catalog.csv for now but hopefully soon we will migrate it back into this repo

northdpole commented 11 months ago

@JonZeolla can I possibly convince you to add links to OpenCRE.org to this CSV? This way your users get the ability to easily find the links between any other standard (NIST, ISO, etc.) and CNSWP, as well as the ability to browse this info via chatbot, and you join a growing list of major standard writers and governments who use opencre.org for control linking.