usnistgov / OSCAL

Open Security Controls Assessment Language (OSCAL)
https://pages.nist.gov/OSCAL/

Customer Responsibility Matrix (CRM) Transform #713

Open brian-ruf opened 4 years ago

brian-ruf commented 4 years ago

User Story:

As an OSCAL SSP Author, I need to extract customer responsibilities from my OSCAL-based SSP and provide an OSCAL file to customers using the component model syntax.

Two common use cases include:

  1. Leveraged cloud systems, such as where an authorized IaaS or PaaS is selling services to customers who are establishing a SaaS.
  2. Legacy government data centers where an authorized general support system (GSS) is leveraged by several individual systems within the data center - not all of which have the same system owner.

Background

We are considering three possible scenarios for leveraged authorizations:

  1. The downstream customer is entitled to have access to the entire SSP of the leveraged system. (Ideal situation - no transform needed)
  2. The downstream customer is not entitled to have access to the entire SSP of the leveraged system. (The reason for this issue.)
  3. The downstream customer is authoring their SSP using OSCAL, however, the system being leveraged has no OSCAL-based SSP to adopt. (Must be handled another way.)

In other words, this issue assumes:

Goals:

Create a transform to extract customer responsibility statements from an SSP and transform them to component syntax suitable for delivery to customers. This means the resulting file must:

Dependencies:

This is related to issue #572.

Acceptance Criteria

brian-ruf commented 4 years ago

THIS COMMENT WAS MOVED TO ISSUE #722, WHICH IS A MORE APPROPRIATE LOCATION https://github.com/usnistgov/OSCAL/issues/722#issuecomment-705615973

pburkholder commented 4 years ago

Is there support for generating a CRM via transform for any of these three scenarios: full SSP access, CRM only access, or legacy CRM?

brian-ruf commented 4 years ago

@pburkholder Short answer: It's in-plan.

Longer answer: The plan is to complete the CRM modeling in issue #722. This will become a priority in late October and into November.

Once that is complete, NIST intends to create and publish a transform to automatically extract the leveraged authorization content from the SSP and generate the CRM file.

ohsh6o commented 3 years ago

Is there example code of this CRM transform that was drafted for this or #722? We (FedRAMP) and NIST had begun work in GSA/fedramp-automation on the CIS and CRM tooling and it appears @wendellpiez maintains a WIP copy of this code in his fork of our code. Is this related or a pure NIST-only CIS/CRM effort?

/cc @GaryGapinski

wendellpiez commented 3 years ago

@ohsh6o it looks like work on presenting a POA&M would be in an XSLT here: https://github.com/wendellpiez/fedramp-automation/blob/oscal-presentation/resources/oscal_poam_html.xsl - it appears to accept POA&M input along with an associated SSP?

However, this is only presentation: a "view". Generating an OSCAL POA&M is a different matter.

ohsh6o commented 3 years ago

@wendellpiez Sorry, I'm confused: what does the CRM have to do with the POA&M?

iMichaela commented 3 years ago

@wendellpiez and @ohsh6o The Customer Responsibility Matrix (FedRAMP's approach) or the broader System Security Responsibility Matrix concept are different from the question raised in issue #945 over the potential use of POA&M model to document the system's risks during the categorization, selection, and implementation during the implementation phase, pre-assessment. The CRM transformation should 'export' information related to controls that can be inherited and the customers' responsibilities to complete the inherited controls' implementation.
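The split iMichaela describes above (deliver only the inherited/provided content and the customer's remaining responsibilities, never the provider's internal implementation notes) can be sketched as a small transform. The following is an added example, not code from the OSCAL project or the FedRAMP tooling; it assumes OSCAL 1.0 element names (`system-security-plan`, `by-component`, `export`, `provided`, `responsibility`, `component-definition`), uses a constructed sample SSP fragment, generated UUIDs and a placeholder profile URL in `source`.

```python
"""Extract a Customer Responsibility Matrix (CRM) from an OSCAL SSP.

Added example, not OSCAL project code. Assumes OSCAL 1.0 element names and
emits a component-definition; the profile URL in `source` is a placeholder.
"""
import uuid
from datetime import datetime, timezone
# For SSPs received from another party, parse with defusedxml.ElementTree
# (same API) to block entity-expansion and external-entity payloads.
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}
ET.register_namespace("", OSCAL_NS)

# Constructed sample SSP fragment for a leveraged IaaS. Only the <export>
# content is meant for customers; the by-component <description> is internal.
SAMPLE_SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-1111-4111-8111-111111111111">
  <system-characteristics><system-name>Example IaaS</system-name></system-characteristics>
  <control-implementation>
    <implemented-requirement uuid="ir-1" control-id="ac-2">
      <statement statement-id="ac-2_smt.a" uuid="st-1">
        <by-component component-uuid="comp-1" uuid="bc-1">
          <description><p>Internal note: provider account procedures, not for customers.</p></description>
          <export>
            <provided uuid="prov-1"><description><p>The platform provides IAM for account lifecycle.</p></description></provided>
            <responsibility uuid="resp-1" provided-uuid="prov-1">
              <description><p>The customer must define account types and assign account managers.</p></description>
            </responsibility>
          </export>
        </by-component>
      </statement>
    </implemented-requirement>
    <implemented-requirement uuid="ir-2" control-id="pe-3">
      <statement statement-id="pe-3_smt.a" uuid="st-2">
        <by-component component-uuid="comp-1" uuid="bc-2">
          <description><p>Provider controls physical access end to end.</p></description>
          <export><provided uuid="prov-2"><description><p>Physical access control is fully provided.</p></description></provided></export>
        </by-component>
      </statement>
    </implemented-requirement>
  </control-implementation>
</system-security-plan>"""


def _text(el):
    """Flatten OSCAL markup (e.g. <p>) into one whitespace-normalised string."""
    return " ".join("".join(el.itertext()).split()) if el is not None else ""


def extract_crm(ssp_xml):
    """Return (system_name, entries): one entry per exported customer responsibility.

    Only export/provided and export/responsibility are read, so the internal
    by-component description never reaches the customer-facing output."""
    root = ET.fromstring(ssp_xml)
    system_name = _text(root.find("o:system-characteristics/o:system-name", NS))
    entries = []
    for req in root.iterfind("o:control-implementation/o:implemented-requirement", NS):
        for stmt in req.findall("o:statement", NS):
            for bc in stmt.findall("o:by-component", NS):
                export = bc.find("o:export", NS)
                if export is None:
                    continue
                provided = {p.get("uuid"): _text(p.find("o:description", NS))
                            for p in export.findall("o:provided", NS)}
                for resp in export.findall("o:responsibility", NS):
                    ref = resp.get("provided-uuid")
                    if ref is not None and ref not in provided:  # dangling cross-reference
                        raise ValueError(f"responsibility {resp.get('uuid')} references unknown provided-uuid {ref}")
                    entries.append({
                        "control_id": req.get("control-id"),
                        "statement_id": stmt.get("statement-id"),
                        "provided": provided.get(ref, ""),
                        "responsibility": _text(resp.find("o:description", NS)),
                    })
    return system_name, entries


def build_component_definition(system_name, entries, source="PLACEHOLDER-profile-url"):
    """Serialise entries as an OSCAL component-definition (XML string)."""
    def sub(parent, tag, **attrs):
        return ET.SubElement(parent, f"{{{OSCAL_NS}}}{tag}", attrs)

    root = ET.Element(f"{{{OSCAL_NS}}}component-definition", {"uuid": str(uuid.uuid4())})
    md = sub(root, "metadata")
    sub(md, "title").text = f"Customer Responsibility Matrix for {system_name}"
    sub(md, "last-modified").text = datetime.now(timezone.utc).isoformat()
    sub(md, "version").text = "1.0"
    sub(md, "oscal-version").text = "1.0.0"
    comp = sub(root, "component", uuid=str(uuid.uuid4()), type="service")
    sub(comp, "title").text = system_name
    sub(sub(comp, "description"), "p").text = f"Controls inherited from {system_name} and the customer's remaining responsibilities."
    ci = sub(comp, "control-implementation", uuid=str(uuid.uuid4()), source=source)
    sub(sub(ci, "description"), "p").text = "Generated CRM; the customer implements each statement's responsibility."
    reqs = {}  # one implemented-requirement per control, statements grouped under it
    for e in entries:
        req = reqs.get(e["control_id"])
        if req is None:
            req = reqs[e["control_id"]] = sub(ci, "implemented-requirement", uuid=str(uuid.uuid4()), **{"control-id": e["control_id"]})
            sub(sub(req, "description"), "p").text = f"Partially inherited from {system_name}."
        stmt = sub(req, "statement", uuid=str(uuid.uuid4()), **{"statement-id": e["statement_id"]})
        sub(sub(stmt, "description"), "p").text = f"Provider: {e['provided']} Customer responsibility: {e['responsibility']}"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    name, found = extract_crm(SAMPLE_SSP)
    print(build_component_definition(name, found))
```

Controls with only `provided` content and no `responsibility` (pe-3 in the sample) are intentionally left out of the CRM, since the customer has nothing to do for them; a dangling `provided-uuid` is treated as an error rather than silently dropped, because a CRM that misattributes responsibility is worse than a failed build.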

ohsh6o commented 3 years ago

Now that I've heard about it in today's model meeting, I have a better sense of this work and the implications. Like I said in #722, let me know how I can help out; I have an active need for this tooling!