Design Proof-of-Concept End-to-End Assessment Process

[mlysaght2017]

Feature Request

Description of Problem:

We need to design a comprehensive end-to-end process for assessing the security posture of generic cloud services and generating detailed reports using NIST OSCAL (Open Security Controls Assessment Language), so that we can ensure consistent, thorough, and transparent evaluations of cloud service security while leveraging a standardized framework. The process will include the intake of cloud services from the cloud service taxonomy WG, the definition and selection of relevant controls, the execution of assessments, and the reporting of results.

Potential Solutions:

Acceptance Criteria:

• Define a standardized assessment methodology that can be applied to any generic cloud service, incorporating NIST OSCAL.
• Develop a set of tools and templates aligned with NIST OSCAL to facilitate the assessment process.
• Create a detailed workflow that outlines each step of the assessment, including intake, control definition/selection, preparation, execution, analysis, and reporting, in compliance with NIST OSCAL standards.
• Implement mechanisms for continuous monitoring and reassessment using NIST OSCAL.
• Design a reporting format that clearly communicates the assessment results, findings, and recommendations, following NIST OSCAL guidelines.
• Validate the process through pilot assessments of selected cloud services.
• Present the finalized process and reporting format to the working group for approval.

Define Assessment Methodology:

• [ ] Research and review existing security assessment methodologies, with a focus on those utilizing NIST OSCAL.
• [ ] Identify key components and best practices to incorporate into our methodology.
• [ ] Document the standardized methodology for assessing the security posture of cloud services using NIST OSCAL.

Create Detailed Workflow:

• [ ] Outline each step of the assessment process, ensuring alignment with NIST OSCAL standards:
• [ ] Intake: Define the initial intake process for a cloud service, including gathering basic information and context.
• [ ] Control Definition/Selection: Establish a process for defining and selecting relevant controls from the control catalog specific to the cloud service being assessed.
• [ ] Preparation: Detail the preparatory steps needed before executing the assessment.
• [ ] Execution: Outline the execution phase, including the use of tools and templates.
• [ ] Analysis: Describe the process for analyzing collected data and assessment results.
• [ ] Reporting: Define the steps for generating and communicating the assessment report.

Implement Continuous Monitoring:

• [ ] Design mechanisms for ongoing monitoring of security posture using NIST OSCAL.
• [ ] Define triggers and criteria for reassessment based on changes in the cloud service environment or threat landscape.

Design Reporting Format:

• [ ] Develop a standardized reporting template that includes an executive summary, detailed findings, risk ratings, and recommendations, formatted according to NIST OSCAL.
• [ ] Ensure that the report format is clear, concise, and tailored to the needs of different stakeholders (e.g., technical teams, management).

Pilot Assessments:

• [ ] Conduct pilot assessments on selected cloud services using the defined process and tools aligned with NIST OSCAL.
• [ ] Gather feedback and identify areas for improvement in the methodology, tools, and reporting format.
• [ ] Make necessary adjustments based on pilot assessment results.

Documentation and Presentation:

• [ ] Document the entire assessment process, including methodology, tools, workflow, and reporting format, ensuring compliance with NIST OSCAL.
• [ ] Prepare a presentation to share the final process with the security working group.
• [ ] Seek approval and feedback from the working group for any final adjustments.

Stakeholders:

Security Working Group Members

Priority: High

Estimated Effort: 4-6 weeks

Dependencies:

• Access to cloud services for pilot assessments
• Availability of assessment tools and resources compliant with NIST OSCAL

[github-actions[bot]]

This issue will be closed as stale in 7 days. Please update this issue if it is still needed.

[github-actions[bot]]

This issue will be closed as stale in 7 days. Please update this issue if it is still needed.

[github-actions[bot]]

Closed as stale. An update may reopen this issue.