OSCAL Example Control Set #1383

Open
7 tasks
gregelin opened this issue Jul 22, 2022 · 19 comments
Labels: Aged (A label for issues older than 2023-01-01), enhancement, User Story

Comments

@gregelin

gregelin commented Jul 22, 2022

User Story

As an OSCAL developer and vendor, I would like an example set of OSCAL controls to use for development and common demonstration purposes.

Goals

Create an agreed upon small set of example controls represented in a profile to use for development and demonstration.

References

Initial Proposed Example List

| Control Identifier | Control (or Control Enhancement) Name | Control Text |
|---|---|---|
| AC-7 | Unsuccessful Logon Attempts | a. Enforce a limit of [organization-defined number] consecutive invalid logon attempts by a user during a [organization-defined time-period]; and b. Automatically [ac-7_prm_3] when the maximum number of unsuccessful attempts is exceeded. |
| CP-1 | Policy and Procedures | a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
| CP-6 | Alternate Storage Site | a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site. |
| IA-2 | Identification and Authentication (Organizational Users) | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
| PE-8 | Visitor Access Records | a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time period]; b. Review visitor access records [Assignment: organization-defined frequency]; and c. Report anomalies in visitor access records to [Assignment: organization-defined personnel]. |
| SC-28 | Protection of Information at Rest | Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. |
| SI-8 | Spam Protection | a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures. |

Dependencies

No response

Acceptance Criteria

  • Set of example controls representing common types and characteristics of controls is agreed upon
  • It's easy to find this example set of controls in NIST documentation
  • A profile exists for the set of controls
  • The example controls are regularly used in NIST documentation to explain concepts
  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
@GaryGapinski

GaryGapinski commented Jul 22, 2022

Consider adding a control like AC-7 as a challenge (for developers). The ODP structure is rather complex.

Any of //control[param//insert] (applied to an oscal-content catalog) have non-trivial ODP structure, so any of those that are of additional interest are candidates (having complex ODP structure).

@aj-stein-nist
Contributor

aj-stein-nist commented Jul 22, 2022

Re conversation and discussion points I was personally focused on from your presentation, @gregelin:

@iMichaela
Contributor

@gregelin - You asked during the meeting for some suggestions for other controls. A good hybrid control is SC-8 and SC-8(1) if you think of the TLS example we discuss, and probably SA-4(9) for interconnection-related controls.

@GaryGapinski

Should this be PRs to https://github.com/usnistgov/oscal-content?

@aj-stein-nist
Contributor

> Should this be PRs to https://github.com/usnistgov/oscal-content?

When I asked about tangible next steps, this is the kind of next step I wanted to know about re "how can we help?"

Additionally, if you want profiles built, even with the current controls, that can be done very quickly with yours truly if you need help. Let us know! :-)

@gregelin
Author

@aj-stein-nist It would be helpful to identify places in existing NIST documentation that would benefit from having examples. That way we could update that documentation with the examples and see if the examples prove useful.

@aj-stein-nist
Contributor

aj-stein-nist commented Jul 22, 2022

> @aj-stein-nist It would be helpful to identify places in existing NIST documentation that would benefit from having examples. That way we could update that documentation with the examples and see if the examples prove useful.

Well stay tuned for #1066. Not sure how we work on identifying such things for one another and others interested. How can we make that happen?

We have multiple locations in the documentation for example content. I will casually advertise the categorization as "inline" (we do have <example/>s in the Metaschema source, we just have not emitted them (and emitting them into docs, a la Python helpdoc strings as you might be familiar with, is only really good for very short, incomplete snippet examples with OSCAL, a mixed bag)) or the "external": out of band ones in oscal-content in its examples directory, which is what Gary hinted at in #1383 (comment).

So there is background. But back on point @gregelin, how do we find these insertion points for examples, itemize them, and document them to keep this ball rolling?

@GaryGapinski

@danielnaab added a capability to show samples (XSpec contexts) from the FedRAMP automation unit tests. Example can be seen here. Try the POA&M sample then drill down on any validation results.

@danielnaab

danielnaab commented Jul 23, 2022

Something else we just started experimenting with is referencing source code lines on Github. See the "View Schematron" links here. Edit: this branch, with links like this.

Perhaps the extra context awareness on where the code resides could be helpful in some scenarios. I'm thinking primarily of those who are collaborating on improving the underlying material.

@gregelin
Author

I've updated the description to list the original proposed controls and have created an issue in https://github.com/usnistgov/oscal-content to support @GaryGapinski recommendation.

I'll also collate other recommended controls and add them.

@aj-stein-nist here is my draft profile. I hadn't yet decided on the UUID information and some other details. My plan is to create a fork and PR on oscal-content directory. But feel free to do it before me and clean up the profile.

```json
{
  "profile": {
    "uuid": "c657e7dd-8b8e-4261-891b-caf94e7149dd",
    "metadata": {
      "title": "NIST Special Publication 800-53 Revision 5 MICRO EXAMPLE PROFILE",
      "last-modified": "2022-07-22T13:57:33.97549-04:00",
      "version": "Draft 1",
      "oscal-version": "1.0.0",
      "roles": [
        {
          "id": "creator",
          "title": "Document Creator"
        },
        {
          "id": "contact",
          "title": "Contact"
        }
      ],
      "parties": [
        {
          "uuid": "dc31b097-c02f-4b1d-8b0a-4c728493a5ef",
          "type": "organization",
          "name": "GovReady PBC",
          "email-addresses": [
            "[email protected]"
          ],
          "addresses": [
            {
              "addr-lines": [
                "GovReady PBC"
              ],
              "city": "Chicago",
              "state": "IL",
              "postal-code": ""
            }
          ]
        }
      ],
      "responsible-parties": [
        {
          "role-id": "creator",
          "party-uuids": [
            "dc31b097-c02f-4b1d-8b0a-4c728493a5ef"
          ]
        },
        {
          "role-id": "contact",
          "party-uuids": [
            "984e6c07-b5b6-4ab6-b22b-283609c325e6"
          ]
        }
      ]
    },
    "imports": [
      {
        "href": "NIST_SP-800-53_rev5_catalog.json",
        "include-controls": [
          {
            "with-ids": [
              "cp-1",
              "cp-6",
              "ia-2",
              "pe-8",
              "sc-28",
              "si-8"
            ]
          }
        ]
      }
    ],
    "merge": {
      "as-is": true
    }
  }
}
```

@aj-stein-nist
Contributor

> I've updated the description to list the original proposed controls and have created an issue in https://github.com/usnistgov/oscal-content to support @GaryGapinski recommendation.

Cool, I saw that as well.

> I'll also collate other recommended controls and add them.

👍 Sounds good.

> @aj-stein-nist here is my draft profile. I hadn't yet decided on the UUID information and some other details. My plan is to create a fork and PR on oscal-content directory. But feel free to do it before me and clean up the profile.

Is the intent of the fork you want automated conversion from the sample profile above to an exploded/expanded full resolved catalog (from this profile) to reference component definitions and (potentially subsequently after that) cross-referenced SSPs?

I can definitely help out with that.

@gregelin
Author

@aj-stein-nist I had the initial modest goal with the new branch of representing the control set in OSCAL so others could use. My first thought was to create a catalog (800-53 rev5 micro), then @david-waltermire-nist suggested creating a profile and switched to that. It makes sense, as an example to show what could be done with different OSCAL models based on the example control set.

So...where do we start? I think it is good to document the steps in a HackMD or Jupyter Notebook of starting with a set of controls and blossoming out to various examples of OSCAL content derived from the initial list. Or maybe as a nice Medium post.

@aj-stein-nist
Contributor

@david-waltermire-nist, since we are already discussing and planning work with active developers in the community, I will assign this to further discussion needed as that planning we'll call the discussion phase. Not sure how you want to see this as part of the triage process that covers itemized development work of the NIST OSCAL Team on our internal sprint projects. Lemme know!

@aj-stein-nist
Contributor

> So...where do we start? I think it is good to document the steps in a HackMD or Jupyter Notebook of starting with a set of controls and blossoming out to various examples of OSCAL content derived from the initial list. Or maybe as a nice Medium post.

So document the approach and then generate examples out of that in a Jupyter or HackMD? I am fine with that. The latter is lower-friction for me. Not sure how you and others feel.

Create the HackMD?

@gregelin
Author

@aj-stein-nist Minimal HackMD document created. Can you access it? https://hackmd.io/Ktman3R6S3qRkZJ9xM775A

@aj-stein-nist
Contributor

> @aj-stein-nist Minimal HackMD document created. Can you access it? https://hackmd.io/Ktman3R6S3qRkZJ9xM775A

Yessir, I made a test edit and removed it. I think we are good to go.

@gregelin
Author

@GaryGapinski I've added in AC-7 into the example controls sets.

@aj-stein-nist I've updated the control profile (c741587)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="c657e7dd-8b8e-4261-891b-caf94e7149dd">

   <metadata>
      <title>NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE</title>
      <last-modified>2022-09-29T18:34:00.00000-04:00</last-modified>
      <version>Draft 1</version>
      <oscal-version>1.0.4</oscal-version>

      <role id="creator">
         <title>Document Creator</title>
      </role>
      <role id="contact">
         <title>Contact</title>
      </role>

      <party uuid="dc31b097-c02f-4b1d-8b0a-4c728493a5ef" type="organization">
         <name>GovReady PBC</name>
         <email-address>[email protected]</email-address>
         <address>
            <addr-line>GovReady PBC</addr-line>
            <city>Chicago</city>
            <state>IL</state>
            <postal-code>60601</postal-code>
         </address>
      </party>

      <responsible-party role-id="creator">
         <party-uuid>dc31b097-c02f-4b1d-8b0a-4c728493a5ef</party-uuid>
      </responsible-party>
      <responsible-party role-id="contact">
         <party-uuid>dc31b097-c02f-4b1d-8b0a-4c728493a5ef</party-uuid>
      </responsible-party>
   </metadata>

   <import href="NIST_SP-800-53_rev5_catalog.xml">
      <include-controls>
         <with-id>ac-7</with-id>
         <with-id>cp-1</with-id>
         <with-id>cp-6</with-id>
         <with-id>ia-2</with-id>
         <with-id>pe-8</with-id>
         <with-id>sc-28</with-id>
         <with-id>si-8</with-id>
      </include-controls>
   </import>

   <merge>
      <as-is>true</as-is>
   </merge>
</profile>
```
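An added lint pass over the profile structure shown in the two drafts above and the `//control[param//insert]` test GaryGapinski raised earlier; this is example code, not from the thread or the OSCAL project. The catalog and profile here are constructed stand-ins in the OSCAL 1.0 namespace, and the contact `party-uuid` deliberately mirrors the one in the JSON draft that no `party` defines, so the dangling-reference check has something to find.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://csrc.nist.gov/ns/oscal/1.0"}
CONTROL = "{%s}control" % NS["o"]

# Constructed mini catalog (stand-in for NIST_SP-800-53_rev5_catalog.xml): ac-7 nests one ODP inside another.
CATALOG_XML = """<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-1111-4111-8111-111111111111">
  <control id="ac-7"><title>Unsuccessful Logon Attempts</title>
    <param id="ac-7_prm_1"><label>number</label></param>
    <param id="ac-7_prm_3"><select><choice>lock the account for <insert type="param" id-ref="ac-7_prm_4"/></choice></select></param>
    <param id="ac-7_prm_4"><label>time period</label></param>
  </control>
  <control id="cp-6"><title>Alternate Storage Site</title></control>
</catalog>"""

# Constructed profile shaped like the drafts: one id the catalog lacks, one party-uuid no <party> defines.
PROFILE_XML = """<profile xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="22222222-2222-4222-8222-222222222222">
  <metadata><title>micro example</title>
    <party uuid="dc31b097-c02f-4b1d-8b0a-4c728493a5ef" type="organization"><name>GovReady PBC</name></party>
    <responsible-party role-id="creator"><party-uuid>dc31b097-c02f-4b1d-8b0a-4c728493a5ef</party-uuid></responsible-party>
    <responsible-party role-id="contact"><party-uuid>984e6c07-b5b6-4ab6-b22b-283609c325e6</party-uuid></responsible-party>
  </metadata>
  <import href="NIST_SP-800-53_rev5_catalog.xml"><include-controls>
    <with-id>ac-7</with-id><with-id>cp-6</with-id><with-id>si-8</with-id>
  </include-controls></import>
  <merge><as-is>true</as-is></merge>
</profile>"""


def controls_with_nested_odps(catalog):
    """Ids of controls where some <param> has an <insert/> at any depth (//control[param//insert])."""
    return sorted(c.get("id") for c in catalog.iter(CONTROL)
                  if any(p.find(".//o:insert", NS) is not None
                         for p in c.findall("o:param", NS)))


def lint_profile(profile_xml, catalog_xml):
    """Resolve each with-id against the catalog and check the metadata's party references."""
    prof, cat = ET.fromstring(profile_xml), ET.fromstring(catalog_xml)
    known = {c.get("id") for c in cat.iter(CONTROL)}
    wanted = [w.text.strip() for w in prof.findall(".//o:include-controls/o:with-id", NS)]
    parties = {p.get("uuid") for p in prof.findall("o:metadata/o:party", NS)}
    refs = prof.findall("o:metadata/o:responsible-party/o:party-uuid", NS)
    nested = set(controls_with_nested_odps(cat))
    return {
        "resolved": [w for w in wanted if w in known],          # safe to include as-is
        "missing": [w for w in wanted if w not in known],       # profile resolution would fail here
        "nested_odp": [w for w in wanted if w in nested],       # the "challenge" controls for tooling
        "dangling_party_uuids": [r.text.strip() for r in refs if r.text.strip() not in parties],
    }
```

Running `lint_profile(PROFILE_XML, CATALOG_XML)` reports `si-8` as missing from the stand-in catalog, `ac-7` as the nested-ODP control, and the contact uuid as unresolved.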

@aj-stein-nist
Contributor

Greg and I met today and will attempt to restart this work after a brief hiatus. More to follow this week and the following weeks.

@aj-stein-nist aj-stein-nist moved this from Todo to Needs Triage in NIST OSCAL Work Board Sep 20, 2023
@Compton-US Compton-US added the Aged (A label for issues older than 2023-01-01) label Nov 2, 2023
@Arminta-Jenkins-NIST
Contributor

At 11/2 Triage Meeting:
@gregelin are you interested in continuing this work as a community member with community support? Please notify of your intent by 11/9/2023.
