search

finos / common-cloud-controls

FINOS Common Cloud Controls
https://www.finos.org/common-cloud-controls-project
Other
34 stars 39 forks source link

Define vision and purpose for OSCAL Representation of CCC working group #42

Closed mcleo-d closed 8 months ago

mcleo-d commented 1 year ago

Due date : 20th October 2023

This GitHub issues represents part of the roadmap defined by the OSCAL working group on https://github.com/finos/common-cloud-controls/issues/13

### Tasks
- [x] Define vision and purpose for NIST / OSCAL working group
- [x] Define the end target for the working group - For example, stop regenerating processes
jonmuk commented 1 year ago

I had thought about putting together an MSVR but given that ideally this should be a short running working group, perhaps overkills.

My thoughts on vision for the working group:

TheFoxAtWork commented 1 year ago

I would add: establish a framework/mechanism/function to update FINOS CCC in OSCAL as regulatory, control, and other compliance frameworks evolve and change.

This allows the group to reach closure and defines expectations for those updates to persist beyond the group's lifespan.

rachkim00 commented 1 year ago

If we can go more specific on the third bullet:

The expected output would be a definition of where these elements are represented along with an example OSCAL document showing a sample service representation

I would add that the output to be actual CCC OSCAL Control Catalog, Profile (where applicable, if we decide to use profile to create MITRE/Threat relationship to common controls the Taxonomy working group is building), and Component definition of each major CSP services.

iMichaela commented 1 year ago

If we can go more specific on the third bullet:

The expected output would be a definition of where these elements are represented along with an example OSCAL document showing a sample service representation

I would add that the output to be actual CCC OSCAL Control Catalog, Profile (where applicable, if we decide to use profile to create MITRE/Threat relationship to common controls the Taxonomy working group is building), and Component definition of each major CSP services.

I agree with @rachkim00. Moreover, the threats mapping to controls can be initiated in a catalog or profile, but in my opinion, only at the implementation level (Component Definition or SSP) one can attest to the fact that X implementation of the control is reasonable and will probably provide resilience against Y threat action. A control in a catalog is something someone needs to implement using particular technologies, settings, configurations. Assessing the correct implementation would be part 1) of the assessment. Assessing the ability to provide resiliency against threat Y is part 2) of the assessment. But it needs to be considered in the context of a concrete implementation.

rachkim00 commented 1 year ago

Good point @iMichaela. In that sense, I think we may need to consider designing SSP template, based on how CCC would like the information of threat-control relationship is expressed (do we want to tell CSPs what threats are addressed by implementing CCC or do we want CSPs to tell us what threats are addressed by implementing CCC in their services/environment?).

I think we need to decide if we want to: 1) express MITRE ATT&CK domains as "control group" to group controls in the catalog; or, 2) pre-define security baseline based on the threat -> multiple profiles; or, 3) designate a SSP template for CSP to use and input the threat that is being addressed as part of the control implementation.

Something to discuss and brainstorm with the working group! :-)

mcleo-d commented 1 year ago

@jonmuk, @iMichaela and @rachkim00

It would be great to bring this issue to conclusion. There is great content in the comments that should be transferred into the repo as a markdown doc or inner ReadMe.

It would be great to get your guidance on how to close.

James.

rachkim00 commented 11 months ago

Based on the comment history, here's the vision I have summed up:

  1. Work with industry partners to define how to represent the CCC in OSCAL. Including threats (leveraging MITRE), controls and test cases.
  2. If this requires changes to OSCAL, work with NIST community to discuss changes, note this may not be required.
  3. The expected output would be:
  1. Establish a framework and change management process to update FINOS CCC in OSCAL as regulatory, control, and other compliance frameworks evolve and change

@jonmuk and @iMichaela, if you both agree, we can publish this as our vision and close this issue.

robmoffat commented 10 months ago

This was somewhat discussed in the CCC All Hands meeting today. @iMichaela requested that the sample OSCAL from @l1ttlej1m 's white paper be contributed as text to the CCC repository so that it could be iterated upon.

Dropping this request here as it seems like part of the vision @rachkim00 outlines above.

@maoo @karlmoll

robmoffat commented 10 months ago

Looking at the PDF this appears to be just an image - @crawfordchanel to ask @l1ttlej1m for the original source code. @rachkim00 will summarise in README once she has this.

rachkim00 commented 10 months ago

Looking at the PDF this appears to be just an image - @crawfordchanel to ask @l1ttlej1m for the original source code. @rachkim00 will summarise in README once she has this.

@crawfordchanel Hi Chanel- any updates on the original source code?

crawfordchanel commented 10 months ago

Hi @robmoffat @rachkim00 @iMichaela

Yes. Here is the original code from the Citi Whitepaper

controls:

value: (CCC.C1) prose: "Platform must enforce authentication with MFA."

class: CCC parts:

value: (CCC.C4) prose: "Successful attempt to use local authentication to access a resource should be monitored and alerted on."

value: M1032-Validate class: CCC parts:

THEN platform must enforce multi-factor authentication for each user"

local credential THEN service should deny action for all principles"

local credential THEN record the action and alert"

iMichaela commented 10 months ago

@crawfordchanel - Thank you for the provided information. Is anyone that generated the data available to talk with and clearly understand the intend? I have to confess, I do not understand what was the intention to represent. From the pdf document I used the 2 tables available that help me analyze the provided data. Please note - I might have misunderstood the initial data.

In OSCAL, a control is anything a system/service needs to implement and with needs to be assessed.

GROUP ID GROUP TTITLE CONTROL ID CONTROL TITLE MITIGATED THREAD CONTROL CLASS CONTROL STATEMENT GUIDANCE HAS PARENT
IA Identification and Authentication C001-M1032 Multi-Factor Authentication mitre-attack Implement multi-factor authentication for access to accounts. Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator
C001.C1 ccc-preventative Platform must enforce authentication with MFA. C001-M1032
C001.C2 ccc-preventative Local Authentication must be disabled and only allow multi-factor authentication. C001-M1032
C001.C3 ccc-detective Monitor API action that disables MFA. C001-M1032
C001.C4 ccc-detective Successful attempt to use local authentication to access a resource should be monitored and alerted on. C001-M1032

In the content provided above by you there is some data that I do not understand and I will need the original information to judge how to best represent it in OSCAL. Can you point to the page of the white paper from where the information is coming? Also, if there is data documented in the header but there is no need for such data to be captured in the OSCAL CCC catalog (e.g. mitigated threats), please comment and I will remove it.

Last, we need to generate a Markdown sample catalog and its OSCAL XML/JSON/YAML representation for other to review and understand how to represent the controls in OSCAL and decide what data to capture. Where can we create those files? Once the Markdown file is created, I can help with the OSCAL representation, and the conversion of the sample to JSON so people can also use (for example) the OSCAL catalog viewer: https://vierwer.oscal.io/catalog to visualize the data.

NOTE TO MYSELF: NEVER REPLY AT 1:00 AM AFTER A LONG DAY IN THE OFFICE! My apologies to all for all the typos and statements above that were not well explained.

crawfordchanel commented 10 months ago

Hi Michaela

The text provided is copied and pasted from the published FINOS CCC whitepaper. Section 3.6 “Logical Controls to Extended OSCAL” – pages 21-23. Please note, by the next OSCAL WG meeting, we will have a designated lead who will be more equipped to guide the team through Issue 42.

In the meantime, I will contact the Citi CCC team to address markdown catalogue ownership, its XML representation and where we will create it.

Thank you,

@. Chanel Crawford - VP CTO Policy, Innovation Enablement and Strategy Operations & Technology 3800 Citibank Center | Tampa, Florida 33610 E-mail: @*.**@*.***>

From: [github.com] Michaela Iorga @.> Sent: Tuesday, January 23, 2024 12:18 AM To: finos/common-cloud-controls @.> Cc: Crawford, Chanel [OT] @.>; Mention @.> Subject: Re: [finos/common-cloud-controls] Define vision and purpose for OSCAL Representation of CCC working group (Issue #42)

@crawfordchanel - Thank you for the provided information. Is anyone that generated the data that we can talk with to clearly it? I have to confess, I do not understand what was the intend to represent. From the pdf document I gather the following

@crawfordchanelhttps://urldefense.com/v3/__https:/github.com/crawfordchanel__;!!Jkho33Y!n-TUHTxUEhe43hIgDuy3VzNEhsuWkaykbn5csUy951v9Wd4TkMB0M60UaJYXrZ7FLhL51yqh9CIbrecivzSEkMK-Pb8L$ - Thank you for the provided information. Is anyone that generated the data that we can talk with to clearly it? I have to confess, I do not understand what was the intend to represent. From the pdf document I gather the following

In OSCAL, a control is anything a system/service needs to implement and with needs to be assessed.

In the content provided above by you there is some data that I do not understand and I will need the original information to judge how to best represent it in OSCAL. Can you point to the page of the white paper from where the information is coming? Also, if there is listed data in the header but there is no need for such information (e.g. mitigated threat) . please comment and I will remove it.

Last, we need a Markdown sample catalog and its XML representation. Where can they be create those files. Once the file is created, the https://vierwer.oscal.io/cataloghttps://urldefense.com/v3/__https:/vierwer.oscal.io/catalog__;!!Jkho33Y!n-TUHTxUEhe43hIgDuy3VzNEhsuWkaykbn5csUy951v9Wd4TkMB0M60UaJYXrZ7FLhL51yqh9CIbrecivzSEkE7yzaQk$ can be used to visualize the data.

— Reply to this email directly, view it on GitHubhttps://urldefense.com/v3/__https:/github.com/finos/common-cloud-controls/issues/42*issuecomment-1905308905__;Iw!!Jkho33Y!n-TUHTxUEhe43hIgDuy3VzNEhsuWkaykbn5csUy951v9Wd4TkMB0M60UaJYXrZ7FLhL51yqh9CIbrecivzSEkInvmL7S$, or unsubscribehttps://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/BDCEC6JDHQR73P6HLAH7PQLYP5BYVAVCNFSM6AAAAAA5JGIIWKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMBVGMYDQOJQGU__;!!Jkho33Y!n-TUHTxUEhe43hIgDuy3VzNEhsuWkaykbn5csUy951v9Wd4TkMB0M60UaJYXrZ7FLhL51yqh9CIbrecivzSEkEoNpUkw$. You are receiving this because you were mentioned.Message ID: @.**@.>>

iMichaela commented 10 months ago

@crawfordchanel - What is the "Extended OSCAL" mentioned in the document? OSCAL has native extension mechanisms but those are not the ones used in the example. Is there the Citi's intention to create and maintain an "Extended OSCAL" specification and a registry of all the namespaces (ns) proposed in the example?

rachkim00 commented 9 months ago

Based on today's (2/8) discussion, I will draft readme.md with reference to CFI readme.md and share with the community for more feedback/finalization.

crawfordchanel commented 8 months ago

Merge complete