Closed (mcleo-d closed this issue 1 year ago)
Good morning, Val.
Francesco – nice meeting you again 😊 Jonathan, a pleasure to reconnect. Vikram and Rachel – hello again. Aric, Paul, David, and James – a pleasure virtually meeting you. James – did we meet this past July at the I4 Forum?
I am thrilled to learn of, and support, this initiative as it aligns well with two of the 'hats' I wear at NIST (see signature highlights).
Codifying (digitalizing) the representation of the controls in OSCAL provides a tremendous advantage as it:
Codifying in OSCAL the test cases that validate the efficacy of the controls and the threat mitigations is supported today, but we are eager to understand if a more robust mechanism is needed.
I will be more than happy to support this effort with knowledge, connect interested parties, and involve the community and the team when needed. Our OSCAL community is open to anyone interested in joining, and we can also invite them to collaborate as long as we can launch an open call for collaboration. We can also establish a financial, international public community of interest as part of our community, and the FINOS team can be the driving force. If other non-public frameworks are necessary for this collaboration, please let me know and we can discuss the options.
Thank you. Looking forward to hearing back from you or James.
Dr. Michaela Iorga, Senior Security Technical Lead for Cloud Computing
From @jonmuk
Michaela thank you for your quick response.
It's great to hear that your many 'hats' align with our approach within the CCC initiative to codify controls. We are eager to work together on OSCAL and would welcome the opportunity to join the community. Please forward any details on the areas within OSCAL where control efficacy and threat mitigation sit at the moment, as that would be very interesting and would inform our approach to leveraging OSCAL. We would also be happy to engage in whatever approach or mechanism you see fit for joining the existing community.
If possible, it may be beneficial to have a quick call after taking a look at the existing work, so that we can demonstrate the use cases we are looking to leverage OSCAL for.
Many thanks
Jon Meadows
Hi Jonathan,
Please find below some preliminary information for you and your team’s perusal.
-- NIST OSCAL website: https://www.nist.gov/oscal
-- NIST OSCAL GitHub (public): https://www.github.com/usnistgov/OSCAL
-- OSCAL lobby on Gitter (chat channel with the community): https://gitter.im/usnistgov-OSCAL/Lobby (STRONGLY RECOMMENDED)
-- 3rd Annual OSCAL Workshop (recorded): https://www.nist.gov/news-events/events/2022/03/3rd-open-security-controls-assessment-language-oscal-workshop . The videos are tagged better here: https://pages.nist.gov/OSCAL/learn/presentations/oscal-workshop-2022-03/
-- 4th Annual OSCAL Conference (recorded): https://www.nist.gov/news-events/events/2023/05/4th-open-security-controls-assessment-language-oscal-conference-and
-- Blog: https://www.nist.gov/blogs/cybersecurity-insights/foundation-interoperable-and-portable-security-automation-revealed
-- OSCAL Adopters' Mini Workshop Series, open primarily to our community members to present their OSCAL adoption: https://csrc.nist.gov/Projects/open-security-controls-assessment-language/oscal-adopters-workshops
-- OSCAL 101 (Educational) Workshop Series: https://csrc.nist.gov/Projects/open-security-controls-assessment-language/oscal-education-workshops
Of particular interest to you and your team might be CNCF's (Francesco Beltramini's and Robert Ficaglia's) presentation at the 4th OSCAL Conference: https://cdnapisec.kaltura.com/index.php/extwidget/preview/partner_id/684682/uiconf_id/31013851/entry_id/1_e861yoyu/embed/dynamic#t=08:23
I will be out of the office next week, so please let me know when you would like to chat after Sept 11.
Hi Michaela,
It's fantastic to meet you, and thank you for the wonderful introduction and resources provided to the team in this thread. I'm James McLeod, FINOS Director of Community, and I'm helping to coordinate the Common Cloud Controls project with Jonathan, Val and the wider team.
I've taken the information provided and dropped it into the project's GitHub repo so it's collaboratively shared and not lost in inboxes. I have also added you to our project meetings, the next of which is "Engage with NIST on Controls" on September 14th at 12pm EST / 5pm BST.
It would be awesome if you or a member of the NIST team could join the group.
Unfortunately, it wasn't me who you met at the I4 Forum. However, please let me know where you're based and I'm sure we can arrange to meet if we're ever in the local area.
Speak soon,
James.
This issue has been closed as @iMichaela from NIST has engaged with the CCC working group on #23 and is helping to consult and guide the group.
Description
This issue contains an email conversation, shared for transparency, between NIST and the "Engage with NIST on Controls" WG, who are engaging NIST to extend the OSCAL standard.
From @valmihai to NIST
We've been working with the folks at FINOS (on CC here) on the Common Cloud Controls initiative.
The Common Cloud Controls programme has been established within FINOS to provide a mechanism for Financial Institutions to avoid concentration risk between Cloud Service Providers (CSPs) by defining a common set of controls that can be implemented in a CSP to allow potential migration between clouds. These controls are designed to specifically mitigate threats identified during threat modelling of the specific risks aimed at cloud services. The aim is to define the controls in a codified form leveraging OSCAL, along with codified test cases that validate the efficacy of those controls in mitigating the threat.
We would like to partner with NIST and the OSCAL community to understand where best to add the codified implementation, threat and efficacy test cases within OSCAL. We would be particularly interested if prior art exists or there are existing partners who would be willing to work on this.
Please let us know if this is something you'd be open to engaging with the team on, and if so, @mcleo-d can help coordinate a call for everyone.