OSCAL Report generation for Output

[brandtkeller]

Lula should default to generating OSCAL artifacts based on the input validated.

This will be blocked by the availability of golang supported OSCAL libraries for any OSCAL model required for this output.

[brandtkeller]

Decision here is urgent - as we will need to implement support in go-oscal before we can generate these in Lula.

To clear up ambiguity - current discussion was around the suitability for use of the Assessment Results model.

Discussion points for posterity:

• Current understanding is that the value of the modularity of the Component Definition supports the integration with GRC tooling as an augmented data source towards SSP. Building up a collection of Component Definitions to describe a system provides value at the Implementation Layer through the ability to pick and choose the components required for your needs.
• The validations in the component-definition serve as a plan for a future system - but not any one system specifically.
• Conducting the validation activity is where we cross-over from the Implementation Layer to the Assessment Layer.
• The findings of the assessments are ultimately results - generating this model artifact MAY make sense. Many GRC tools will perform the relational linking required to connect a component-definition implemented requirement to an assessment result and/or other SSP data.
• Lula can then begin to iterate and fill in connective tissue as deemed valuable - IE can we backwards create the plan from results?

[CloudBeard]

Disclaimer

Using the FedRAMP versions as visual examples as the 800-53 repo has adding the SAP/SAR the examples as a to do on their work board.

Discussion

Looking through the FedRAMP SAP (Security Assessment Plan) and SAR (Security Assessment Results) they two are linked together Link.

Further the SSP is linked in the SAP Link.

I will say FedRAMP is a bit different because your SSP, SAP, and SAR are items you need in the FedRAMP process so it makes sense they are closely tied together.

I believe the main output from Lula needs to be the SAR (SAP could be a by product that is also generated) and I believe we could generate the main parts of those based on the rules in the component definitions that say how each control is going to be tested. Maybe include a description line within the rule that briefly explains what the rule is doing and that description can be used in the SAP to say this is how we are testing what we say we are doing.

The question im not 100% sure on is do we create a config file that user modify to fill in the top parts of the SAP/SAR? Items like CSP, Who the plan is for, Security Team members, emails, etc admin items. Thinking along the lines the component generator config files.