Compton-US
commented
2 years ago Sharing what I have so far.
Summary
There is a desire to produce a model that can be used to represent the Customer Responsibility Matrix (CRM) or Shared Security Responsibility Matrix (SSRM) documents. In order to encompass both cases, I will refer to this as a Responsibility Matrix Model.
The System Security Plan and Component Definition models contain attributes that support the communication of information related to implementation of controls, the status of the implementation and assignment of responsibility to roles. These data address how requirements are satisfied, but lack attributes that support communicating to another party what the remaining responsibilities are for a particular system, component and/or control.
If the System Security Plan and Component Definition supported the ability to define this responsibility, and the requirements to be passed to other entities, it would likely address the gap that appears to exist for producing a responsibility matrix from these two models.
Document Review
After review of four publicly accessible CRM documents, the following fields were common to each:
| Field | Description | Sample |
|---|---|---|
| Control ID | Typically the identifier of a control imported from a catalog of controls (e.g. NIST 800-53). | AC-8, CP-8 |
| Control Name | Typically the name/title of a control imported from a catalog of controls (e.g. NIST 800-53). | System Use Notification |
| Control Description | Typically the description of a control imported from a catalog of controls (e.g. NIST 800-53). | See 800-53 Catalog |
| Control Origination (Ownership/Responsibility) | Assigns responsibility for a control. | Provider, Shared, Customer |
| Implementation Model/Entity | Assigns the responsibility for the defined implementation detail to a group or entity. | IaaS, PaaS, SaaS, Customer Provided |
| Implementation Details | This is a narrative field that outlines the manner and context of implementation of a control's requirements. | Variable prose, may contain paragraphs |
| Implementation Status | Indicates the extent of progress for a control's implementation. | Implemented, Partially Implemented, Planned, Alternative |
| Implementation Requirement (Responsibility) | Outlines the required customer actions to address the requirement, or a portion of a requirement when the implementation is a shared responsibility. | Variable prose, may contain paragraphs |
| Inheritable | Indicates whether the control is inheritable. | Yes, No, Partial |
| Baseline | Indicates the level of baseline that a control can address. (e.g., FedRAMP) | Low, Moderate, High |
| Baseline Entity/Framework | While the "Baseline" most relates to FedRAMP, this could relate to other regulatory frameworks | FedRAMP |
Impressions:
- Most of the fields above are supported by existing attributes in the models.
InheritableandBaselinesare likely not necessary. These seems addressable through profiles as a part of the OSCAL workflow.Implementation Model/EntityandImplementation Requirementare likely not fully addressed within the current model attributes in the context of communicating to one of more inheriting entities when implementation actions must be performed to fully satisfy a security control.- In many cases, narrative fields such as implementation requirement repeat the same content for multiple controls in a category, for example, "The customer is responsible for appropriately terminating customer personnel."
Potential Use Case Examples
Direct
In the first case, consider a responsibility that is passed directly from the provider to customer.
The data could be similar to:
| Field | Value |
|---|---|
| Control ID | PE-11 |
| Control Name | Emergency Power |
| Control Description | Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss. |
| Control Origination (Ownership/Responsibility) | Provider |
| Implementation Model/Entity | IaaS |
| Implementation Details | The infrastructure is supported by multiple uninterruptible power supplies, and a redundant backup generator system capable of continuous operation for an extended period of time. |
| Implementation Status | Implemented |
| Implementation Requirement (Responsibility) | Customers do not have physical access to any system resources in Provider datacenters. Customer fully inherits this control from the Cloud Service Provider (CSP). |
| Inheritable | Yes |
| Baseline | Moderate |
| Baseline Entity/Framework | FedRAMP |
Shared
In the second case, consider a responsibility that is passed from a cloud service provider to a managed service provider, and finally to the customer.
The goal of this example is to show information that may need to be documented through some level of shared responsibility. This scenario presents a situation where an organization operates cloud-based systems for customers who focus solely on developing and maintaining applications. This also demonstrates how a customer could understand how responsibilities are addressed for a control, and provides a mechanism to further delegate responsibility to subordinates.
| Field | Value |
|---|---|
| Control ID | SI-4(d) (Statement) |
| Control Name | System Monitoring |
| Control Description | Analyze detected events and anomalies |
| Control Origination (Ownership/Responsibility) | Shared |
| Inheritable | Partial |
| Baseline | Low |
| Baseline Entity/Framework | FedRAMP |
Cloud Service Provider (IaaS)
The Cloud Service Provider states the baseline implementation and the overall responsibilities that must be met to fully address the control. In this case, a distinction is not made for entities that will inherit the control, or what portion of responsibility is assigned to each inheriting entity.
| Field | Value |
|---|---|
| Implementation Model/Entity | IaaS |
| Implementation Details | Provider implements portions of this control for IaaS and PaaS customers. Servers upload logs to a log monitoring tool and the audit logging process for aggregation and analysis. Access to tool and the audit logging process is restricted as specified in the AU family of controls, specifically AU-9. Provider Infrastructure devices are configured to upload their logs to a central repository managed by the Provider Security team. Access to manage the security incident and event management tool used with the Infrastructure is limited to authorized personnel. These personnel are members of a security incident management team. |
| Implementation Status | Implemented |
| Implementation Requirement (Delegated Responsibility) | The customer is responsible for monitoring customer-deployed resources. The customer control implementation statement should address the protection of intrusion-monitoring tool information from unauthorized access, modification, and deletion. |
Managed Service Provider (PaaS)
In this scenario, the Managed Service Provider is presumed to operate services on behalf of the customer. The MSP provides monitoring services for the platform, but not for customer developed applications. The MSP assumes a portion of the Implementation Requirement from the IaaS, and delegates responsibility for application monitoring.
| Field | Value |
|---|---|
| Implementation Model/Entity | PaaS |
| Implementation Details | Monitors customer-deployed resources for events. Access to events are limited to authorized personnel. The platform management team reviews alerts and logs as events are reported to the customer, and conducts daily analysis. |
| Implementation Status | Implemented |
| Implementation Requirement (Delegated Responsibility) | Application owners are responsible for monitoring their application logs for signs of unauthorized activity according to laws and regulations, and applying heightened scrutiny when there is an indication of increased risk. |
Customer (Application Owner)
The customer addresses the application monitoring requirement, and while it wouldn't be required, it could also document responsibilities within the organization for an internal responsibility matrix utilized by a development team or business unit. This could be useful for developing a Component Definition for a service or application.
| Field | Value |
|---|---|
| Implementation Model/Entity | Application Owner |
| Implementation Details | Application and service monitoring must be provided by the development team, and incidents reported within one hour of discovery to the Information Security Officer. Access to events are limited to authorized personnel. |
| Implementation Status | Planned |
| Implementation Requirement (Delegated Responsibility) | Application logs are reviewed daily by approved members of the development team, and suspicious events are reported to the Information Security Officer. |
Identify a few test data sets, and how they would utilize the proposed CRM model outline from OSCAL/issues/722.
Goals:
Dependencies:
N/A
Related Issues:
Acceptance Criteria