opencontrol / compliance-masonry

Security Documentation Builder

Code contribution for XSL transform and other code for NIST SP 800-53.xml integration #11

Open gregelin opened 9 years ago

gregelin commented 9 years ago

I'd like to contribute some code for processing the NIST SP 800-53 controls from an 800-53 Control Server prototype developed earlier this year as part of research for DHS funded Homeland Open Security Technologies. The prototype has a python class SecControl that extracts 800-53 security control information from 800-53.xml published by NIST.

The files control2json.xsl and controlenhancement2json.xsl have the xpath and XSL for extracting individual controls into JSON. This could be modified to produce YAML. I also created a simple API producing a list of controls in Control Masonry YAML.

This thread is to coordinate integration issues prior to a pull request, in case there already is some activity in this area. Below is a version of @mogul's gliffy showing how 800-53-server code integrates.

[diagram: control_masonry_800_53_server (gliffy source)]
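Added example, not code from 800-53-server or the XSL files above: a pure-Python stand-in for what control2json.xsl does, pulling a control (with its nested statements and enhancements) out of an 800-53-style XML document into a JSON/YAML-ready dict. The sample document is constructed, and the element names and namespace are assumed to mirror the rev4 feed; check them against the real 800-53.xml before relying on them.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the NIST SP 800-53 XML feed (tag names assumed).
NS = {"c": "http://scap.nist.gov/schema/sp800-53/feed/2.0/"}
SAMPLE_XML = """<controls xmlns="http://scap.nist.gov/schema/sp800-53/feed/2.0/">
  <control>
    <family>IDENTIFICATION AND AUTHENTICATION</family>
    <number>IA-5</number>
    <title>AUTHENTICATOR MANAGEMENT</title>
    <baseline-impact>LOW</baseline-impact><baseline-impact>MODERATE</baseline-impact>
    <statement>
      <description>The organization manages information system authenticators by:</description>
      <statement><number>IA-5a.</number>
        <description>Verifying the identity of the individual receiving an authenticator.</description>
      </statement>
    </statement>
    <control-enhancements>
      <control-enhancement>
        <number>IA-5 (1)</number><title>PASSWORD-BASED AUTHENTICATION</title>
        <baseline-impact>LOW</baseline-impact>
      </control-enhancement>
    </control-enhancements>
  </control>
</controls>"""

def _text(node, tag):
    el = node.find(f"c:{tag}", NS)
    return el.text.strip() if el is not None and el.text else None

def _statements(node):
    # Control statements nest (IA-5 -> IA-5a. -> ...), so recurse.
    return [{"number": _text(s, "number"), "description": _text(s, "description"),
             "statements": _statements(s)} for s in node.findall("c:statement", NS)]

def control_to_dict(ctrl):
    """Flatten one <control> element into a JSON/YAML-ready dict."""
    return {"id": _text(ctrl, "number"), "family": _text(ctrl, "family"),
            "title": _text(ctrl, "title"),
            "baselines": [b.text for b in ctrl.findall("c:baseline-impact", NS)],
            "statements": _statements(ctrl),
            "enhancements": [{"id": _text(e, "number"), "title": _text(e, "title"),
                              "baselines": [b.text for b in e.findall("c:baseline-impact", NS)]}
                             for e in ctrl.findall("c:control-enhancements/c:control-enhancement", NS)]}

def extract_controls(xml_text):
    """Return {control id: dict} for every control in the feed text."""
    root = ET.fromstring(xml_text)
    return {c["id"]: c for c in map(control_to_dict, root.findall("c:control", NS))}
```

`json.dumps(extract_controls(SAMPLE_XML), indent=2)` gives the JSON form; a YAML dump of the same dict is what a Control Masonry standard file would want.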

geramirez commented 9 years ago

@gregelin There hasn't been any activity other than a draft NIST-800-53 template. Also, I would love to learn more about 800-53-server.

gregelin commented 9 years ago

@ramirezg I have the current MVP-ish version of 800-53-server running as a demo at 800-53.govready.com. I haven't promoted it very much yet.

800-53-server's genesis was in wanting to represent the relationship among security controls. Turns out the NIST CSRC publishes assessment cases for 800-53 controls that explicitly list precursor and successor controls for each control. I think the 800-53-server is the first representation and visual representation of "control dependency chains."

Part of the aim of the research for DHS HOST is how to map the 800-53 controls to CDM (Continuous Diagnostic and Monitoring). A core insight of the research is the need to first map much of the high level guidance expressed in NIST SP 800-53 to observable, measurable, repeatable daily activities performed by existing organizational roles. Implementing that involves code and data -- hence the 800-53-server.

Turning the 800-53 control data into something more programmable and reusable saves us all constantly slogging through XPATHs and XSL transformation of the 800-53.xml. Hence the SecControl python class. (It's still pretty early and I could use some help with formalizing it into a Python module.)

Right now I am using XSL and the standard xsltproc (http://xmlsoft.org/XSLT/xsltproc.html) unix library for extracting data. But that could be translated to pure python XML processing.

I think there is some big overlap obviously with control-masonry. @fen and I had been thinking about how we could start to represent information system data in the 800-53-server, but it would have just been our JSON or YAML format. GSA 18F kicking the ball off on a data spec is really helpful.

joshuamckenty commented 9 years ago

Also also, the level of parallel activity on this is blowing my mind :)

Do we have an “open governance community” CI environment that we could use to run these transforms based on NIST updates to the upstream XML? If not, would that be of interest? I’m thinking IFTTT for compliance pipelines.

On Sep 30, 2015, at 12:52 PM, Gabriel Ramirez notifications@github.com wrote:

@gregelin https://github.com/gregelin There hasn't been any activity other than a draft NIST-800-53 template https://github.com/18F/control-masonry/blob/master/data/standards/NIST-800-53.yaml. Also, I would love to learn more about 800-53-server https://github.com/GovReady/800-53-server.


gregelin commented 9 years ago

@joshuamckenty The NIST upstream XML changes infrequently.

What I've found changes/happens frequently is the following:

We definitely need a community around this topic. Chef has started a small community at https://medium.com/compliance-at-velocity . I've also been trying to figure out if a community focused on open compliance in government would make sense. What do you think?

openprivacy commented 9 years ago

This is all such great work! While "slogging through" FISMA and the RMF, it's clear that:

So what @gregelin and I have been talking about is a way to:

Basically, I don't want to have to go through the "traditional" static process ever again, and no one else should have to either.

gregelin commented 9 years ago

@openprivacy's comments reminded me of another issue @joshuamckenty that is really important: waivers.

A waiver is an instance-specific acceptance of a failing baseline control.

Waiver management is crap in compliance tools that I have seen.

Currently, most scanning tools show a control as either implemented (passing) or not implemented (failing). However, it is incredibly common to have a control in your baseline you know is going to fail, or you know is going to fail in a particular environment like development.

In order to intelligently integrate compliance into our Agile and DevOps processes, we need to be able to grab a baseline set of controls and then intentionally implement a temporary (or environment-specific) waiver for the controls we know we are not yet ready to implement at that stage of development.

With waivers we could coordinate 100% green from reusable baseline controls in our automated testing pipeline while simultaneously knowing that 50% of the controls are actually pending full implementation.

Without waivers, we end up removing baseline controls from the tested profile, or continuously writing explanations of particular fail results over and over again and why something is not really failing. (Believe me, you have to explain it each time a new person in the organization looks at the status.)

Having waivers we can turn on and off during development, by environment, or by information system would allow us to re-use baselines while being able to track intention.

openprivacy commented 9 years ago

An excellent example of one time a waiver is needed is for IA-5 (aka CCE-27051-2) for which OpenSCAP contains the text:

To specify password maximum age for new accounts, edit the file ... A value of 180 days is sufficient for many environments. The DoD requirement is 60.

But in our cloud-based case we don't allow password access at all, only via SSH pubkey. But to satisfy this control in OpenSCAP, we have to set an expiration, and then ignore it in PAM. Crazy! Waivers in OpenSCAP may enable this someday, or a framework like this one that only runs tests that are implemented.
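Added example, not code from this project or from any of the commenters: a minimal waiver model for the pipeline described in the two comments above. Scanner results stay a plain pass/fail per baseline control; waivers are scoped by environment and/or information system and may expire, so the pipeline can report green while still counting how many controls are only waived, and the IA-5 password-age case is handled as a system-scoped waiver. Control ids, system names, dates and scanner output are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Waiver:
    control: str                        # baseline control id, e.g. "IA-5"
    reason: str                         # why the failing result is accepted
    environment: Optional[str] = None   # None = any environment (dev, prod, ...)
    system: Optional[str] = None        # None = any information system
    expires: Optional[date] = None      # None = open-ended; else last day it applies

    def applies(self, control, environment, system, today):
        return (self.control == control
                and self.environment in (None, environment)
                and self.system in (None, system)
                and (self.expires is None or today <= self.expires))

def effective_status(results, waivers, environment, system, today):
    """Turn raw pass/fail per control into pass/fail/waived for one env and system."""
    status = {}
    for control, passed in results.items():
        if passed:
            status[control] = "pass"
        elif any(w.applies(control, environment, system, today) for w in waivers):
            status[control] = "waived"
        else:
            status[control] = "fail"
    return status

def summary(status):
    """Pipeline view: green if nothing is an unwaived fail, plus what is still pending."""
    waived = sum(1 for s in status.values() if s == "waived")
    return {"green": all(s != "fail" for s in status.values()),
            "failing": sorted(c for c, s in status.items() if s == "fail"),
            "pending_pct": round(100 * waived / len(status))}

# Constructed scanner output for one system: True = implemented, False = failing.
RESULTS = {"AC-2": True, "IA-5": False, "AU-2": False, "SC-7": True}
WAIVERS = [
    # The IA-5 case from the thread: password max age cannot pass when only SSH
    # public keys are accepted, so accept it for that system in every environment.
    Waiver("IA-5", "SSH pubkey auth only; no password accounts", system="cloud-api"),
    # Dev-only and time-boxed: once the waiver lapses, AU-2 goes back to failing.
    Waiver("AU-2", "central log shipper not wired up yet", environment="dev",
           expires=date(2015, 12, 31)),
]
```

`effective_status(RESULTS, WAIVERS, "dev", "cloud-api", date(2015, 10, 2))` is all green with 50% pending; the same call on a date after the AU-2 waiver expires, or for a system other than cloud-api, turns the relevant controls back into real fails.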

joshuamckenty commented 9 years ago

We actually built a good framework for passing/failing/waivered tests as part of the DefCore/Refstack project in OpenStack. (Also driven by YAML hierarchies that were generated from spreadsheets, so there are some patterns here.)

I’ll see if @zehicle will join this thread to discuss.


joshuamckenty commented 9 years ago

I think launching such a community would be a great topic for the keynote I’m giving at All Things Open towards the end of this month. What tools do we need beyond the GitHub repos?

On Oct 1, 2015, at 10:33 AM, Greg Elin notifications@github.com wrote:

@joshuamckenty https://github.com/joshuamckenty The NIST upstream XML changes infrequently.

What I've found changes/happens frequently is the following:

  • an organization interpreting how the high level 800-53 guidance applies to their organization or information system (this can be very repetitive and painful)
  • an organization updating the implementation status and/or details of a control because of changes in the system (currently rarely happens b/c such a pain to hundred page word documents) or organization (this
  • an organization taking template control implementations and customizing them to their organization. If we succeed at creating re-usable implemented control templates, it is likely people will be frequently customizing the control implementations to their situation.

We definitely need a community around this topic. Chef has started a small community at https://medium.com/compliance-at-velocity . I've also been trying to figure out if a community focused on open compliance in government would make sense. What do you think?


gregelin commented 9 years ago

I'm going to take a run at extracting my Python 800-53 processing code from []() and convert it to a python package for easier integration.

What seems best for a package name? For a submodule name for 800-53 / NIST RMF?

from Compliance import FISMA
from Compliance import NISTRMF
from ComplianceLib import FISMA
from PyComplianceLib import FISMA
from PyCompliance import NISTRMF

from ComplianceStandards import FISMA
from ComplianceStandards import PCI
from ComplianceStandards import NISTRMF
from PyComplianceStandards import NISTRMF

gregelin commented 9 years ago

@joshuamckenty, a talk about compliance as code community for FISMA at All Things Open would be great. Tools we need beyond repos in no particular order:

We also need people who are:

mogul commented 9 years ago
  • An ISO-friendly, google doc-like editing interface so non-developers can help edit control descriptions

I've been thinking about this a bit... We will need something like what Federalist is doing for Jekyll/static sites to make editing comfortable. I really like the idea of a hackathon around this list, too!

joshuamckenty commented 9 years ago

So… why did you fork off of the gitbook project, then? ;)

Seriously, though - you should log in to gitbook.com (http://gitbook.com/) and try the web editor. That was the major reason we started on that platform.

On Oct 3, 2015, at 9:40 AM, Bret Mogilefsky notifications@github.com wrote:

An ISO-friendly, google doc-like editing interface so non-developers can help edit control descriptions I've been thinking about this a bit... We will need something like what Federalist is doing for Jekyll/static sites https://18f.gsa.gov/2015/09/15/federalist-platform-launch/ to make editing comfortable. I really like the idea of a hackathon around this list, too!


mogul commented 9 years ago

It's nice, but I'm envisioning an editor which would explicitly prompt for references:, satisfies:, etc. that can provide drop-downs and auto-complete based on those YAML files, and show where gaps exist. If there's a way to do that with the GitBook editor, let me know!

gregelin commented 9 years ago

Swinging us back to specifics of "Code contribution for XSL transform and other code for NIST SP 800-53.xml integration"...

I'm happy to share that the XSL transform code to extract controls from NIST SP 800-53.xml files is now a Python package! It's my first attempt at a Python package, so be gentle and this could become a wonderful thing.

The package name is compliancelib. PyPI: https://pypi.python.org/pypi/compliancelib GitHub repo: https://github.com/govready/compliancelib-python

The long term goal is to make compliancelib into a library of machine-readable compliance standards (FISMA, DIACAP, PCI, HIPAA) for the major code platforms. It would be like unirest. The library would focus on putting JSON/YAML/XML information about individual controls at developers' fingertips as well as cross-referencing information.

Here is the updated gliffy diagram of what I'm thinking.

[diagram: control_masonry_compliancelib (gliffy source)]

joshuamckenty commented 9 years ago

That github repo is sadly not public :/

On Oct 13, 2015, at 7:19 AM, Greg Elin notifications@github.com wrote:

Swinging us back to specifics of "Code contribution for XSL transform and other code for NIST SP 800-53.xml integration"...

I'm happy to share that XSL transform code to extract controls from NIST SP 800-53.xml files is now Python Package! It's my first attempt at a Python Package, so be gentle and this could become a wonderful thing.

The package name is compliancelib. PyPI: https://pypi.python.org/pypi/compliancelib GitHub repo: https://github.com/govready/compliancelib-python The long term goal is to make compliancelib into a library of machine-readable compliance standards (FISMA, DIACAP, PCI, HIPAA) for the major code platforms. It would be like unirest (http://unirest.io/). The library would focus on putting JSON/YAML/XML information about individual controls at developers' fingertips as well as cross-referencing information.


gregelin commented 9 years ago

@joshuamckenty https://github.com/GovReady/compliancelib-python is now public.

joshuamckenty commented 9 years ago

Sweet!
