opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

OpenControl support for Overlays #49

Closed jokajak closed 6 years ago

jokajak commented 6 years ago

It's difficult for me to determine if the opencontrol framework supports the concept of overlays. An example overlay is the Privacy overlay from CNSSI 1253 Appendix F. There are other example overlays on https://www.cnss.gov/CNSS/issuances/Instructions.cfm.

From https://www.nist.gov/services-resources/software/baseline-tailor overlays are used in tailoring controls for different types of systems.

There is some nuance in overlays in that multiple can be applied to a system with conflicting customization.

I'm considering pre-processing tools that generate a standard for usage with the opencontrol framework.

Does opencontrol support the concept of overlays or tailoring without adjusting the standard?

gregelin commented 6 years ago

@jokajak The current OpenControl schemas support overlays when the overlay is treated as additional controls and listed in a customized certification.

The current version of OpenControl supports additive control implementation descriptions, but does not really support customizing or substituting control implementation descriptions.

Let's say you have a simple overlay of an additional "top secret overlay" consisting of two additional controls (e.g., biometric factors and hardware cannot leave building). The basic steps would be:

  1. Specify a new control standard of "top secret overlay" listing controls TSO-1 and TSO-2
  2. Define a new certification that includes your agency's FISMA-High controls AND TSO-1 and TSO-2. Now compliance-masonry can read a certification that combines your FISMA-High control list plus the overlay control list.
  3. Add the control narratives for TSO-1 and TSO-2 into the appropriate component.yaml files referencing your overlay standard and the controls.

The current shortcoming of the existing OpenControl framework is that it cannot additively customize or replace a control implementation narrative found in upstream component OpenControl files (e.g., included by dependency reference).

In other words, OpenControl and Compliance-Masonry do not have a model for dynamic handling of "nuance in overlays in that multiple can be applied to a system with conflicting customization."

Instead you have to fork the upstream component repo, modify the content of forked repo to include the TSO-1 and/or TSO-2 control implementation descriptions for that component, and then reference the forked upstream component repo. (Of course, you could also make a merge request to include the TSO control language into the existing component repo, too.)

Hope this helps. I could try to provide more details if you need.
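The three steps above laid out as OpenControl files, as an added example that is not part of this thread or of any OpenControl repository. The control IDs TSO-1 and TSO-2 come from the comment; the file paths, the overlay and certification names, the `AuthService` component, the narratives and the few NIST-800-53 controls listed are assumptions, and `standards/NIST-800-53.yaml` is assumed to already exist in the repo.

```yaml
# standards/TopSecretOverlay.yaml  (step 1: the overlay as its own standard)
name: TopSecretOverlay
TSO-1:
  family: TSO
  name: Biometric Authentication Factor
  description: Interactive access requires a biometric factor in addition to the baseline factors.
TSO-2:
  family: TSO
  name: Hardware Facility Restriction
  description: System hardware must not leave the accredited facility.
---
# certifications/FISMA-High-TSO.yaml  (step 2: baseline controls AND overlay controls)
name: FISMA-High-TSO
standards:
  NIST-800-53:          # the agency baseline; only a few controls shown (assumed)
    AC-2: {}
    IA-2: {}
    PE-3: {}
  TopSecretOverlay:
    TSO-1: {}
    TSO-2: {}
---
# components/AuthService/component.yaml  (step 3: narratives referencing the overlay standard)
schema_version: 3.0.0
name: Authentication Service   # hypothetical component
key: AuthService
satisfies:
  - standard_key: NIST-800-53
    control_key: IA-2
    implementation_status: complete
    narrative:
      - text: The service enforces multi-factor authentication for all interactive sessions.
  - standard_key: TopSecretOverlay
    control_key: TSO-1
    implementation_status: partial
    narrative:
      - text: Fingerprint enrollment is required; liveness detection is still planned.
---
# opencontrol.yaml  (root file so compliance-masonry reads the baseline plus the overlay together)
schema_version: 1.0.0
name: Example System
metadata:
  description: FISMA-High system with the top secret overlay applied.
components:
  - ./components/AuthService
standards:
  - ./standards/NIST-800-53.yaml
  - ./standards/TopSecretOverlay.yaml
certifications:
  - ./certifications/FISMA-High-TSO.yaml
```

Each `---` separates what would be a separate file in the repository; the overlay controls only show up in generated documentation because the certification lists them alongside the baseline, which is exactly the additive-only behaviour the comment describes.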