usnistgov / OSCAL

Open Security Controls Assessment Language (OSCAL)
https://pages.nist.gov/OSCAL/

Publicizing how OSCAL will support SCAP #491

Open wendellpiez opened 4 years ago

wendellpiez commented 4 years ago

OSCAL is meant to address a gap in the present technical infrastructure with respect to controls-based (RMF) security activities, and so to be complementary to existing standards in the security domain such as SCAP. But in a domain as large and complex as this one, some stakeholders may be under the impression that OSCAL is intended to replace or supersede SCAP, which is not the case.

Let's add some language to the web site to describe OSCAL's positioning vis-a-vis SCAP and perhaps other standards in the security domain (especially supporting data interchange). Ideally it would say something about -- or illustrate -- how both will play a role or how they might be used together.

iMichaela commented 4 years ago

Propose using the image below on the website and add to it the relation to SCAP. @david-waltermire-nist - do you have an SCAP graphical overview? OSCAL-DoDCAR Alignment plan

yynlee commented 4 years ago

Is this being worked on?

ob1knblaris commented 4 years ago

SCAP support is generally used at the software and technology-specific security assessment level (i.e., vulnerability detection like unpatched software, and static operating system configuration settings that vary from a secure baseline). See https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/faqs

So RMF Step "ASSESS - System Assessment Plans" is where the available assessment options are considered, including automated tools (open source and proprietary) that incorporate SCAP into assessment and reporting.

See also https://csrc.nist.gov/projects/scap

"NIST's security automation agenda is broader than the vulnerability management application of modern day SCAP. Many different security activities and disciplines can benefit from standardized expression and reporting. We envision further expansion in compliance, remediation, and network monitoring, and encourage your contribution relative to these and additional disciplines. NIST is also working on this expansion plan, so please communicate with the SCAP Team early and often to ensure proper coordination of efforts."

david-waltermire commented 4 years ago

@ob1knblaris and @yynlee We do plan to integrate SCAP into the OSCAL assessment layer. We will not be starting on the OSCAL assessment layer until the OSCAL 2.0.0 milestone.

As the technical lead for both OSCAL and SCAP, I am very interested in bringing these efforts together.

@ob1knblaris Thanks for the references. I'll use these in the eventual write up that this issue is intended to address.

rficcaglia commented 4 years ago

Could this issue be expanded to relate OSCAL also to DODCAR/govCAR? Seems like similar goals, but from 3 different (and IMHO complementary) perspectives - namely, for SCAP: evaluating "technical control compliance activities" [1] from the configuration/implementation (assessment) perspective; for govCAR: evaluating "threat-based assessment of cyber capabilities" [2] from the threat/attack (a form of assessment, arguably the most decisive form there is) perspective; and for OSCAL: "assessment of security controls" [3] from the documentation (assessment) perspective?

[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf

[2] https://csrc.nist.gov/CSRC/media/Presentations/govcar-threat-based-approach-to-cybersecurity-arch/images-media/govCAR%20Threat%20Based%20Approach%20to%20Cybersecurity%20Architecture%20Review%20-%20Bokan.pdf

[3] https://github.com/usnistgov/OSCAL

iMichaela commented 4 years ago

@rficcaglia Supporting the DoDCAR/govCAR/StarCAR process to automate it with OSCAL or OSCAL-like models is work that currently sits at the horizon of our agenda, but to do it right takes a lot of work and expert resources, so it is not in the immediate scope. Threat information can currently be captured in an SSP, but to provide full automation support to DoDCAR, I anticipate new models will be necessary to create the threat overlay and to score the capabilities to determine the effectiveness. Integration with SCAP is currently planned for OSCAL v.2.

aj-stein-nist commented 11 months ago

This appears to be a duplicate of https://github.com/usnistgov/OSCAL/issues/85 in regards to my analysis in https://github.com/usnistgov/OSCAL/issues/85#issuecomment-1736487808. Should we prefer the older issue over this overlapping/duplicate issue?