Create OSCAL Implementation Layer and a POC Use Case

[akarmel]

Goals:

• Create POC Implementation Schema using OpenControl YAML as an example

Dependencies:

• OpenControl YAML schema and example(s) - ANDREW WILL ADD ISSUE TAGS

Assessment Criteria:
-Demonstrate POC of how to implement the OSCAL Implementation Schema leveraging XML and JSON in a Docker container runtime (catalog, profile, implementation)

[anweiss]

Ref #72, #69 #68

[anweiss]

Some additional details:

• OpenControl schema files based on the antiquated Kwalify format can be found at https://github.com/opencontrol/schemas/tree/master/kwalify
• The OpenControl component schema which can be closely mapped to the OSCAL implementation layer can be found at https://github.com/opencontrol/schemas/blob/master/kwalify/component/v3.1.0.yaml
  • the satisfies type is what actually connects a component of the system to the corresponding control
  • the parameters type can be mapped to OSCAL profile parameters
  • the implementation_status type denotes one or more states of a particular component of the system in reference to a particular control (i.e. "complete", "partial", "planned" or "none")
  • the control_origins type defines who/what is responsible for satisfying a particular component of a system
  • the covered_by type can be mapped to the OSCAL assessment results and mechanism layers and represents the notion of "behavior-driven" validation prose
    • 18F attempted this a while back in an example here ... where "BDD-like" tests (they used the Python "behave" BDD framework) define how the system should be validated (aka OSCAL mechanism) in order to satisfy the controls and that which are output back to the original components (aka OSCAL assessment results)
• the OpenControl compliance-masonry tooling connects all of the pieces together to generate an SSP (aka OSCAL assessment)

[anweiss]

@david-waltermire-nist @akarmel per our sprint 6 discussion, any idea if it would be possible for us to gain access to the CIS Benchmark sources in XML format so we can proceed with an applicability POC? ... namely in need of the XML sources for the CIS Docker Benchmark v1.1.0 and the CIS Kubernetes Benchmark v1.2.0 ... if not, I could also just extrapolate the pieces I need from the Benchmark PDFs by hand for the purposes of the POC

[gregelin]

@anweiss @david-waltermire-nist I would like to be added to this issue, please.

[gregelin]

OpenControl's satisfies text describes how a component of the IT system provides or contributes to the identified control requirement if the component is correctly configured and operating.

This is best thought of as an 'assertion' or 'attestation' that still needs verification.

[akarmel]

Sprint 6 Progress Notes

• Andrew and Greg compared OSCAL and OpenControl schemas [do not merge] Implementation layer JSON schema and examples #81 and has started mapping activities
• JSON schema gaps documented in JSON schema gaps in "implementation" layer #77

[akarmel]

Sprint 6 Progress Notes

• OpenControl schema has laid the early framework for the implementation. Andrew has done the mapping to OSCAL and generated an example in PR [do not merge] Implementation layer JSON schema and examples #81
• OSCALkit tooling supports OpenControl YAML conversion to OSCAL formatted JSON
• Docker applicability POC: Scaffolding created for a Docker plugin to parse OSCAL formatted JSON (implementation layer)

[akarmel]

Sprint 6 Progress Notes

• Wendell and Andrew created an XML model based on existing, developed OSCAL layers
  • Working on identifying gaps (e.g. ID reconciliation issue) and upgrading the OSCALkit tooling to support the same
• Working plugin created for Docker POC, working on a visual demo showing applicability to the user
  • Dependency: Mapping between catalogs (e.g. cross-catalog mapping across ISO 27000 and NIST 800.53) OSCAL's role in mappings between standards #87
    • MECHANISM: Potentially create a mapping model to map between catalogs, at which layer does it exist and how are mappings created? Rudimentary framework mapping model has been created in OSCAL. EXAMPLE: OCIL - could be used as a way to collect data (assessment results layer)
    • MAPPING RESPONSIBILITY: Need to identify the party creating the mapping and whether or not they an authoritative source to create said mappings
      - Link to a Mapping Framework: https://awarenessandtraining.com/wp-content/uploads/2017/03/mapping.png

[akarmel]

Sprint 6 Acceptance

• Wendell and Andrew have completed their work and will have a conversation to ensure alignment and closure of this issue.
  • ID reconciliation issue is still and issue and will require a Gap Analysis / Process change. Profiles need to be generated that are correct from the start without the need to improvise IDs.

[akarmel]

Sprint 7 Planning

• Wendell and Andrew are happy where this stands. Data was mapped into OSCAL successfully.
• Need to review the mapping with the team, what do we do with the data that doesn't map, and what do we do with the model moving forward?
• ACTION: Create new issue to mature the Implementation model and clean up the data Improve identifer usage and references in FedRamp profiles #89