Category: Random

OSCAL

…OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. (OSCAL – Open Security Controls Assessment Language)

• Easily access control information from security and privacy control catalogs
• Establish and share machine-readable control baselines
• Maintain and share actionable, up-to-date information about how controls are implemented in your systems
• Automate the monitoring and assessment of your system control implementation effectiveness

Problem(s) Definition

• InfoSec / Compliance / Risk Management is not integrated with IT operations and monitoring
• More Organizations are required to comply with more standards
  • ISO 27001, ACSC Essential Eight / ASD ISM, PSPF, PCI DSS, Cyber Assessment Framework, ISO 22301, GDPR, Common Cloud Controls, Cyber insurance – Wikipedia (e.g.: Chubb, HSB), NIST 800-53: Security and Privacy Controls for Information Systems and Organizations, 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, 800-53A Revision 5: Assessing Security and Privacy Controls in Information Systems and Organizations, CSA – Cloud Controls Matrix (CCM), CIS Controls 8.1
• Emerging IT patterns/paradigms mean that Point-In-Time auditing and documenting is more difficult, more costly, less useful as validity is harder to maintain and potentially counter-productive (erroneous documentation / reported state can lead to poor decision making, particularly in incident response)
  • Emerging patterns include: Infrastructure/Configuration as Code, Immutable Infrastructure, Containerization, Cloud, Event-Driven Architecture, DevOps, DevSecOps, Continuous Integration and Continuous Delivery/Deployment Function as a Service

Static documentation and point-in-time auditing is not scalable or maintainable.

So – we need to move to:

• Security as Code
• Docs as Code / Policy as code
• Compliance as code
• Audit as Code
• Risk as Code

Solution… OSCAL?

Integration of InfoSec and Operations

• Unified Security Framework: OSCAL provides a structured, standardized format for representing security controls, assessments, and system configurations. This allows InfoSec, compliance, and risk data to be integrated directly into IT operations and monitoring tools.
• Automated Compliance Monitoring: OSCAL is machine-readable, which enables automated monitoring of compliance status across various standards (ISO 27001, PCI DSS, NIST 800-53, etc.). It can help keep compliance and InfoSec teams in sync with real-time IT operations.
• Alignment with Continuous Monitoring: OSCAL facilitates a continuous approach to compliance by embedding compliance checks within the CI/CD pipeline, helping teams maintain compliance as part of routine IT operations.

De-duplicate Compliance

• Standardized, Interoperable Format: OSCAL provides a common language for multiple security and compliance standards, enabling organizations to map controls across frameworks (e.g., ISO 27001, NIST 800-53, GDPR, Essential Eight) without duplicating work.
• Control Mapping: OSCAL enables the mapping of controls between different frameworks, allowing organizations to efficiently demonstrate compliance with multiple standards simultaneously.
• Reuse of Control Implementations: By using OSCAL, organizations can document controls once and reuse them across multiple standards, reducing the effort needed to comply with additional frameworks.

Handle emerging IT Patterns

• Dynamic and Automated Documentation: OSCAL supports a “docs as code” approach, where documentation is maintained as machine-readable code. This helps keep security and compliance documentation up to date automatically, even as infrastructure and configurations change frequently.
• Alignment with IaC and CaC: OSCAL is designed to work alongside Infrastructure as Code (IaC) and Configuration as Code (CaC), enabling real-time validation of compliance as infrastructure changes are deployed.
• Support for Continuous Compliance: Since OSCAL models are machine-readable, compliance checks can be integrated into CI/CD pipelines, providing continuous compliance validation instead of relying on point-in-time audits.

Dynamic documentation and reporting

• Machine-Readable, Version-Controlled Documentation: With OSCAL, compliance documentation can be version-controlled, traceable, and maintainable. This is essential for adapting to changes in dynamic environments like cloud and DevOps.
• Audit as Code: OSCAL enables automated auditing by allowing assessments to be defined as code. This helps maintain an accurate picture of compliance posture and enables on-demand, real-time audits.
• Reduction of Documentation Errors: By automating compliance and risk management, OSCAL reduces the risk of human error in documentation, helping ensure that reports and records are up to date and accurate.

Security, Compliance, Policy as Code

• Compliance as Code: OSCAL enables organizations to define compliance requirements as code, automating adherence to various regulatory standards. This helps reduce time and effort in maintaining compliance across multiple standards.
• Policy as Code: OSCAL can work with policy engines (like OPA) to enforce policies directly within cloud and containerized environments, making policies enforceable and traceable.
• Security as Code and Risk as Code: With OSCAL, security and risk management activities can be managed as code, automating assessments, updating control implementations, and maintaining an accurate view of risk at any given time.

Improve accuracy and efficiency

• Scalable Compliance Management: OSCAL provides a modular and extensible approach to compliance, which can scale with organizational growth. Its support for automated assessments and control documentation reduces the need for manual updates.
• Improved Incident Response and Decision-Making: By providing an accurate, up-to-date picture of the security posture, OSCAL improves decision-making, especially during incident response. Real-time insights into compliance reduce the chances of errors due to outdated information.
• Consistency Across Environments: OSCAL’s machine-readable formats ensure consistent compliance documentation and processes across all environments—whether cloud, on-premises, or hybrid—reducing the potential for configuration drift or misalignment between standards.

Key Concepts / Terms

• https://pages.nist.gov/OSCAL/resources/concepts/terminology

1. Control

• A requirement or guideline that, when implemented, mitigates risks associated with information systems. Controls are central to frameworks and standards for security and privacy.
• Control Objective
  • Describes the intended outcome of a control, specifying what it aims to achieve in terms of security and compliance.
• Control Enhancement
  • Additional, optional requirements that extend a control’s effectiveness or specificity. Enhancements offer extra layers of security or risk reduction.
• Statement
  • A specific requirement within a control, providing a unit of meaning that can be evaluated for compliance.
• Control Parameter
  • Variable aspects within a control that allow customization (e.g., password length). Parameters help tailor controls to organizational needs.
• Control Parameter Value
  • The specific value assigned to a control parameter, used to set details like minimum password length in a control implementation.

2. Catalog

• An organized collection of controls within a framework. Catalogs allow for grouping controls and, when needed, include subordinate control requirements, control objectives, assessment methods, references, and other content.
• Control (as defined above)
• Control Implementation
  • Describes how each control in the catalog is implemented by an organization, including the settings, roles, and configurations specific to that organization.
• Implemented Requirements
  • The documented controls that an organization has put in place, aligned with the overall compliance program.

3. Profile

• A tailored selection or view of controls within a catalog, allowing customization based on specific standards, regulations, or internal policies.
• Parameter (within a Profile context)
  • A variable within the profile that allows control customization, often by setting specific values for requirements based on the organization’s needs.

4. Assessment Plan

• A document describing the scope, objectives, and methodology of a security assessment, which outlines the controls to be tested and assessment methods to be used.
• Assessment Objective
  • Specifies what will be evaluated during the assessment to verify compliance with control requirements.

5. Assessment Results

• A record of findings from an assessment, noting compliance or non-compliance with controls and including remediation recommendations.

6. Component Definition

• A modular structure that defines a specific component or group of related components (e.g., software, hardware), including configuration details and associated controls.

7. Party

• An entity, such as a person, organization, or role, associated with a control, component, or assessment process. Parties clarify responsibilities and ownership.

8. Metadata

• Descriptive information about an OSCAL document, such as author, date, version, and associated standards. Metadata aids in tracking and managing documents.

9. Back Matter

• The section of an OSCAL document that includes appendices, references, and external documents, providing additional context or support for controls and implementation

What OSCAL is / ins’t

Example User Stories

Further Reading

Authoritative source:

• usnistgov/OSCAL: Open Security Controls Assessment Language (OSCAL)
• OSCAL – Open Security Controls Assessment Language

Other:

• OSCAL.io
  • OSCAL Content Registry

Tools and Content

Helpful aggregation list: awesome-oscal: A list of tools, blog posts, and other resources that further the use and adoption of OSCAL standards.

• defenseunicorns/go-oscal: Repository for the generation of OSCAL data types
  • Go CLI + libs
• GoComply/oscalkit: NIST OSCAL SDK and CLI
  • Barebones Go SDK for OSCAL, A CLI tool is also included for processing OSCAL documents, converting between OSCAL-formatted XML, JSON and YAML
• GoComply/fedramp: Open source tool for processing OSCAL based FedRAMP SSPs
  • take FedRAMP/OSCAL formatted System Security Plan and outputs FedRAMP document
  • take open control repository and produce FedRAMP/OSCAL formatted System Security Plans
• RedHatProductSecurity/trestle-bot: A workflow automation tool for `compliance-trestle`
  • everaging Compliance-Trestle in CI/CD workflows for OSCAL formatted compliance content management.
• EasyDynamics/oscal-editor-deployment: Various deployments of the OSCAL editor
• mocolicious/OSCAL-Examples: Examples of OSCAL formats
  • multiple sample development environments to demonstrate the usage of the OSCAL formats.
• oscal-club/oscal-cli-action: A GitHub Action to process, convert, and validate OSCAL content with the NIST oscal-cli tool.
  • A GitHub Action to process, convert, and validate OSCAL content with the NIST oscal-cli tool.
• oscal-deep-diff: Open Security Controls Assessment Language (OSCAL) Deep Differencing Tool
  • A Typescript-based CLI application and library that produces machine readable and human-consumable comparisons of JSON OSCAL artifacts.

GRC Products using OSCAL:

• GovReady/govready-q: An open source, self-service GRC tool to automate security assessments and compliance.
  • The GovReady-Q Compliance Server is an open source GRC platform for highly automated, user-friendly, self-service compliance assessments and documentation. It’s perfect for DevSecOps.
• RegScale | Automated Governance, Risk & Compliance Software – RegScale repositories
  • RegScale Community Edition is a free to use, real-time Governance, Risk and Compliance (GRC) platform that deploys in any environment, integrating with security and compliance tools via API to keep compliance documentation continuously up to date

Tools from NIST:

• liboscal-java: A Java library to support processing OSCAL content
• oscal-cli: A simple open source command line tool to support common operations over OSCAL content.
• oscal-xslt: Open source XSLT for OSCAL display and processing – assumes xml, supports yaml, no json.

Other tools I looked at:

• RS-Credentive/oscal-pydantic at oscal-pydantic-v2 – Several Python projects include data models, but importing a large project just to get access to the datamodel represents a significant overhead. This module simply provides the models.
• OSCAL-GUI: Joint NIST/FedRAMP tool to interact with OSCAL files via a browser-based GUI – PHP, XSLT
• CivicActions/ssp-toolkit: Automate the creation of a System Security Plan (SSP) – Python + Jinja, tool for generating FedRAMP SSP doc
• SHRgroup Compliance As Code · GitLab
  • SHRgroup / Public / Compliance As Code / IAC 2 OSCAL · GitLab
  • SHRgroup / Public / Compliance As Code / oscal-cli · GitLab
  • SHRgroup / Public / python / pyOSCAL · GitLab
  • SHRgroup / Public / Compliance As Code / workflow-example · GitLab
  • SHRgroup / Public / Compliance As Code / Example Diagrams · GitLab
• GSA/oscal-js
  • npm package with command-line interface tool and wrapper for working with OSCAL – provides an easy way to install, update, and use the Java-based OSCAL CLI and OSCAL Server tools.
• gborough/roscal: Open Security Controls Assessment Language Toolbox
  • collection of tools and libraries for OSCAL in Rust
• JJediny/oscal-static-site-playground
  • providing developers a starter kit and reference implementation for Federalist websites

• finos/common-cloud-controls: FINOS Common Cloud Controls

Reading is too hard

PDF: NIST_OSCAL-What_is_and_Who_needs_it

Context

PowerShell was… initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on August 18, 2016, with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET (previously .NET Core). PowerShell – Wikipedia

• Differences between Windows PowerShell 5.1 and PowerShell 7.x – PowerShell | Microsoft Learn
  • What is PowerShell? – PowerShell | Microsoft Learn
    • PowerShell Support Lifecycle – PowerShell | Microsoft Learn
  • What is Windows PowerShell? – PowerShell | Microsoft Learn
    • The latest version is Windows PowerShell 5.1. Microsoft is no longer updating Windows PowerShell with new features. Support for Windows PowerShell is tied to the version of Windows you are using.

As Microsoft is no longer updating Windows PowerShell with new features it makes sense to use the procedure for ‘Developing modern modules‘ which are (hopefully) portable to any OS running PowerShell.

If creating a new module, the recommendation is to use the .NET CLI.

Create module from ‘Standard Template’

• Testing and gaining familiarity with PowerShell!

We utilise the open GRC source tool, Eramba; some instances of which are the community edition which does not have an API interface. In some scenarios it is desirable make bulk updates/completions of reviews (and potentially update status of audits).

Doing this is slightly less trivial than expected… steps are:

• Generate a list of review ids and foreign keys (maps review objects to model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk]
• Update the relevant review objects with completion date, comments, completed status
• Create new reviews entries for next cycle
• Update the model object [Asset, SecurityPolicy, ThirdPartyRisk, Risk] to reference the new, next review date
• Update the object status mapping for the updated reviews (expired and current statuses in this case)
• Validate your updated via the web interface
  • No clearing of cache of waiting for jobs is required

-- Generate a list of review ids and foreign keys (in this case the foreign keys are for the associated Assets being reviewed):

SELECT CONCAT_WS(',',Model,id,foreign_key) from reviews where planned_date = '2022-04-19' and model = 'Asset';

-- Update the relevant review objects as desired:

update reviews set actual_date = '2022-04-20',user_id = 2, description = 'No changes to store [components, customer, deployment etc, all same] added to ISMF Agenda ', completed = 1, modified = now(), edited = now()  where id in (select id from reviews where planned_date = '2022-04-19' and model = 'Asset');

-- Create new reviews (this is usually done by the app when completing the review via the web interface, review objects need a Model [Asset, SecurityPolicy, ThirdPartyRisk, Risk] (other models have audits):

INSERT INTO 
	reviews(model, foreign_key, planned_date, completed, created, modified, deleted)
VALUES
('Asset',115,'2023-04-19',0,now(),now(),0),
('Asset',116,'2023-04-19',0,now(),now(),0),
...;

-- Update the Asset object to reference the new, next review date (get asset ID from query used to get review id + foreign_key)
update asset set review = '2023-04-19', expired_reviews = 0 where id in (select foreign_key from reviews where planned_date = '2022-04-19' and model =  'Asset');

-- Eramba has object statuses, the list of available statuses is defined in the object_status_statuses table; the mapping of objects to statuses is in the table: object_status_object_statuses
-- Note there will be better, safer queries to do this..:

-- Check the results select query so we know what we are updating
select * from object_status_object_statuses where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired';

-- Update the object status mappings for relevant items, in this case there are two statuses that need to be updated, the expired status (now should be 0_ and the current status (now should be 1)

update object_status_object_statuses set status = 0 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'expired');

update object_status_object_statuses set status = 1 where id in (select id from object_status_object_statuses 
where foreign_key in (select id from reviews where planned_date = '2022-04-19' and model =  'Asset') and model = 'AssetReview' and name = 'current_review');

I regularly like to make rough diagrams/plans by drawing on paper. As I have an iPad Pro with a stylus sitting next to me I have often thought there would be some benefits to being able to use a sketching diagram to:

• Stop losing/damaging paper sketches
• Easily undo mistakes
• Leverage things like copy and paste
• Infinite canvas
• Ability to zoom in and out

To this end I am trying: Concepts App • Infinite, Flexible Sketching

Starting with a SkillShare course Draw with Concepts app: Basic Digital Illustration for Beginners

SkillShare – Course

• Vector based app (infinite canvas + no pixilation)
• User interface
  • Supports pressure sensitive stylus + palm rejection
  • Projects -> Files
  • Top right tools, customizable change tools
    • Line thickness, Opacity, Smoothness (0 for pen tip)
    • Color palette (make your own palette)
    • Layers pallet (automatic will separate layers by tool, recommended)
      1. Coloring with pencil, drawing with pen easy with auto layers
      2. Duplicate layers, transparency, visibility etc.
    • Tools + Brushes
      • Can buy new via pro
    • Precision palette
      • Grid, Snap, Measure, Guide
    • Gestures
      • 2 finger tap – undo
• Workflow
  • Ran through a demo, drawing an images from a picture
    • Changing tools/brushes
    • Hold push + item select/select all layers

Other resources

• Concept app tutorials
  • 3 ways to draw a straight line
  • Create a floor plan
  • All tutorials