Created Profile model prototype. Created Catalog and Profile model documentation. Imported initial FedRAMP profile data. Updated SP800-53r4, ISO 27001/2, and COBIT 5 catalog data. Created a bunch of OSCAL examples.
1 parent d027e00, commit cfed1cb. 228 changed files with 932,192 additions and 51,726 deletions.
@@ -1,36 +1,12 @@ | ||
# Open Security Controls Assessment Language (OSCAL) | ||
|
||
NIST is proposing the development of the Open Security Controls Assessment Language, or OSCAL, a hierarchical, formatted, XML-based (and JSON translation) schema that provides a standard for representing different categories of information pertaining to the publication, implementation, and assessment of security controls. | ||
|
||
OSCAL aims to: | ||
1. Standardize control, implementation, and assessment information using open, machine-readable formats. | ||
1. Normalize the semantics of controls and profiles/baselines/overlays across multiple control catalogs (e.g., NIST SP 800-53, ISO/IEC 27001/2, COBIT 5). | ||
1. Provide interoperable formats to ensure that OSCAL information is used by tools in consistent ways. | ||
1. Promote adoption of OSCAL by tool developers by ensuring that OSCAL information is easy to create, use, and customize. | ||
|
||
OSCAL consists of a number of layers: | ||
|
||
![OSCAL layers](docs/graphics/oscal-layers.png "OSCAL Layer Diagram") | ||
|
||
Starting from the bottom on the left, the OSCAL layers are: | ||
* __Catalog__: Defines a set of security controls (e.g., NIST SP 800-53 Appendix F); may also define objectives and methods for assessing the controls (e.g., NIST SP 800-53A). | ||
* __Profile__: Defines a set of security requirements, where meeting each requirement necessitates implementing one or more security controls; also called a _baseline_ or _overlay_. | ||
* __Implementation__: Defines how each profile item is implemented for a given system component (System Security Plan). | ||
* __Assessment__: Describes how the system assessment is to be performed. | ||
* __Assessment Results__: Records the findings of the assessment. | ||
|
||
OSCAL will also integrate with: | ||
* __Metrics__: Defines metrics and measurements for understanding the effectiveness of the system’s security. | ||
* __Mechanism__: Describes methods used to monitor the system’s current security state (e.g., Security Content Automation Protocol (SCAP)). | ||
|
||
-------------- | ||
NIST is proposing the development of the Open Security Controls Assessment Language, or OSCAL, a hierarchical, formatted, XML-based (and JSON translation) schema that provides a standard for representing different categories of information pertaining to the publication, implementation, and assessment of security controls. | ||
|
||
This repository consists of the following directories pertaining to the OSCAL project: | ||
* [docs](docs): Documentation graphics, prose, and presentation slides | ||
* [working](working): Development artifacts (e.g., XML, XSLT, CSS, script, Markdown, and sample files, plus supporting files); additional documentation is posted under [working/doc](working/doc): | ||
* [sources](sources): Resources used to produce OSCAL artifacts that are not maintained by the OSCAL project (e.g., a copy of the NIST SP 800-53 control data feed schema) | ||
|
||
## Update August 10th, 2017 | ||
|
||
As the result of a new OSCAL initiative undertaken starting in mid-May, this repository has been updated. With this effort, we are stressing the agile development of a *minimal* format that is both generic enough to capture the breadth of data in scope (controls specifications), while also capable of ad-hoc tuning and extension to support peculiarities of both (industry or sector) standard and new control types. | ||
See [docs/prose/OSCAL-Overview.md](docs/prose/OSCAL-Overview.md) for an introduction to OSCAL and [docs/schema/oscal-tag-library.md](docs/schema/oscal-tag-library.md) for detailed information on the OSCAL data models and XML schema compositions. | ||
|
||
As the result of a new OSCAL initiative undertaken in May 2017, this repository was updated in August 2017. With this effort, we are stressing the agile development of a *minimal* format that is both generic enough to capture the breadth of data in scope (controls specifications), while also capable of ad-hoc tuning and extension to support peculiarities of both (industry or sector) standard and new control types. |
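Review bot: two paragraphs appear twice in this hunk in slightly different forms, the opening "NIST is proposing the development of the Open Security Controls Assessment Language..." paragraph and the August 2017 update paragraph ("undertaken starting in mid-May, this repository has been updated" versus "undertaken in May 2017, this repository was updated in August 2017"); confirm that the committed README keeps exactly one version of each. The hunk header (-1,36 +1,12) shows the README is losing most of its explanatory content (the "OSCAL aims to" list, the layer diagram and the per-layer descriptions), so the sentence pointing readers to docs/prose/OSCAL-Overview.md and docs/schema/oscal-tag-library.md should be kept next to the surviving update paragraph, since it becomes the only pointer to that material from the top-level README.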
@@ -0,0 +1,11 @@ | ||
# OSCAL Documentation Materials | ||
|
||
This part of the repository contains OSCAL documentation and related supporting files. | ||
|
||
The 'docs' subdirectory contains the following: | ||
|
||
* '[graphics](graphics)' - graphics files for reference by OSCAL documentation, and source files for generating particular graphics | ||
* '[presentations](presentations)' - Microsoft Powerpoint slides for OSCAL presentations, some with notes | ||
* '[prose](prose)' - Prose files (e.g., Markdown format) with narrative on OSCAL (OSCAL overview, how-to steps, etc.) | ||
* '[schema](schema)' - OSCAL schema documentation, as further detailed in [schema/readme.md](schema/readme.md) | ||
|
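Review bot: the single quotes wrapping each link in the four bullets ('[graphics](graphics)' and so on) render as literal quote characters around the link text; drop them or put the directory names in backticks. "Microsoft Powerpoint" should read "Microsoft PowerPoint". The last bullet links to schema/readme.md while the top-level README in this commit points readers at docs/schema/oscal-tag-library.md; confirm that schema/readme.md exists in this commit or link the tag library document directly.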
Binary file modified: docs/presentations/OSCAL Overview 20170810 with draft notes.pptx (+57.8 KB, 110%)
@@ -0,0 +1,7 @@ | ||
# The relationship between the OSCAL catalog and profile models | ||
|
||
To understand the relationship between the OSCAL catalog and profile models, consider the trivial conceptual example in the figure below. This example represents the NIST SP 800-53 low baseline. The catalog defines the possible security controls within the scope of NIST SP 800-53. The profile indicates which security controls from the catalog are required to be compliant with the low baseline. Using OSCAL formats for the catalog and profile makes the mappings between the catalog and the profile explicit and machine readable. | ||
|
||
![trivial_example](/docs/graphics/profile-catalog-mapping-trivial-example.png "Trivial Example of Profile and Catalog Mapping") | ||
|
||
OSCAL provides a standarized, machine-readable profile with clear semantics. OSCAL allows profiles to be generated using the same interoperable format regardless of the underlying catalogs that are being used, like ISO 27001/2 and COBIT 5. |
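Review bot: "standarized" in the last line should be "standardized". The figure is referenced with a repository-rooted path (/docs/graphics/profile-catalog-mapping-trivial-example.png), which github.com resolves but local Markdown previewers and static-site generators generally do not; the top-level README in this same commit uses a relative path (docs/graphics/oscal-layers.png), so use a path relative to this file for consistency. Minor: this file writes "ISO 27001/2" while the README writes "ISO/IEC 27001/2"; pick one form.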