Cloud Native OSCAL WG - Prototype Example Tasks #1440

Open · 10 tasks · jpower432 opened this issue Jan 20, 2025 · 2 comments
Labels: good first issue (Good for newcomers), help wanted (Extra attention is needed)

@jpower432
The current goal of the Cloud Native OSCAL WG is to encourage community feedback on two OSCAL prototype metaschema changes. To accomplish this, we need to work on OSCAL content examples to demonstrate usage and impact of the proposed changes.

The issues capturing the changes to the prototypes are below.

usnistgov/OSCAL#2013
usnistgov/OSCAL#2012

Associated Workstreams

Prerequisite Tasks


Control Mapping Example

Targeted Outcome: Demonstrate the mapping model schema using the OSPS Baseline mapping to NIST 800-53 rev 5.


Shared Responsibility Example

Targeted Outcome: Demonstrate the shared responsibility schema for OSPS Baseline when applied to a GitHub repository context.

@eddie-knight added the help wanted (Extra attention is needed) and good first issue (Good for newcomers) labels on Jan 20, 2025

thiago4go commented Feb 11, 2025

Hi @jpower432 ,

I'm interested in contributing to this effort and providing feedback on the prototype metaschema changes. I've reviewed the prerequisite tasks and wanted to share my initial understanding and ask for clarification to ensure I'm on the right track.

Regarding the Prerequisite Tasks:

  • Ensure an OSCAL catalog exists for OSPS Baseline:

I understand that the NIST SP 800-53 rev5 catalog serves as the source of controls.
Is it correct to assume that the "OSPS Baseline" is a tailored baseline derived from NIST SP 800-53, specifically for Open Source Project Security, rather than one of the standard NIST SP 800-53B baselines?

  • Ensure mappings are identified between this catalog and NIST 800-53r5:

I was planning to start by comparing the "id" and "title" fields in the OSCAL catalog JSON file with the "Control ID" and "Control Name" in the NIST SP 800-53 rev5 control catalog xlsx file, e.g.:

jq '.catalog.groups[].controls[]? | {id: .id, title: .title}, .controls[]? | {id: .id, title: .title}' NIST_SP-800-53_rev5_catalog.json

Would this be a valid initial approach? Are there specific fields or methods recommended for more accurately establishing these mappings within OSCAL?

  • Create an associated OSCAL Profile, if needed:

OSCAL profiles for SP 800-53 baselines already exist in the oscal-content repository.
There is an OSCAL profile file for each of the SP 800-53B baselines, including the PRIVACY baseline, intended to be used in combination with others to add privacy-oriented controls.
Should I create a new OSCAL Profile?

I want to ensure my understanding of these prerequisite tasks is accurate before proceeding further. Any guidance or clarification would be greatly appreciated!

Thank you,

@jpower432 (Author)

Hi @thiago4go! Thanks for reaching out about this task.

I will do my best to add some clarifications below, and I think @eddie-knight may be able to fill in some of the gaps.

I also wanted to share the GitHub Issue for the Cloud Native OSCAL Group - #1277. There are communication details for the working group (in the description) if you want to chat on CNCF Slack or attend one of the meetings 😃.

  • Ensure an OSCAL catalog exists for OSPS Baseline:

I understand that the NIST SP 800-53 rev5 catalog serves as the source of controls. Is it correct to assume that the "OSPS Baseline" is a tailored baseline derived from NIST SP 800-53, specifically for Open Source Project Security, rather than one of the standard NIST SP 800-53B baselines?

The NIST 800-53 rev5 catalog is one of the OSCAL catalogs we plan to use to complete the example tasks, but we also need a separate OSCAL catalog to document each security criterion (control) defined in the OSPS Baseline. My understanding is that the OSPS controls are not directly derived from the 800-53 catalog, but the controls are mapped to external frameworks. Mapping the controls to 800-53 rev 5 controls would be part of the task below.

  • Ensure mappings are identified between this catalog and NIST 800-53r5:

I was planning to start by comparing the "id" and "title" fields in the OSCAL catalog JSON file with the "Control ID" and "Control Name" in the NIST SP 800-53 rev5 control catalog xlsx file, e.g.:

jq '.catalog.groups[].controls[]? | {id: .id, title: .title}, .controls[]? | {id: .id, title: .title}' NIST_SP-800-53_rev5_catalog.json

Would this be a valid initial approach? Are there specific fields or methods recommended for more accurately establishing these mappings within OSCAL?

@eddie-knight Would you be able to share more information here on how the mappings are being completed currently and how to contribute?

  • Create an associated OSCAL Profile, if needed:

OSCAL profiles for SP 800-53 baselines already exist in the oscal-content repository. There is an OSCAL profile file for each of the SP 800-53B baselines, including the PRIVACY baseline, intended to be used in combination with others to add privacy-oriented controls. Should I create a new OSCAL Profile?

The OSPS Baseline has multiple maturity levels, which could potentially be created as individual OSCAL profiles for each level, with the OSPS OSCAL catalog being a source catalog import. I believe we would need an OSCAL profile to do the example work with OSCAL SSPs in the Shared Responsibility Example.
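As an added example (not code from the issue, its participants, or the OSCAL project): a Python walk over a constructed, OSCAL-shaped catalog that lists every control id and title at any nesting depth, then checks a constructed profile's include-controls/with-ids selections against it, the kind of check that becomes useful once OSPS maturity levels are expressed as per-level profiles importing the OSPS catalog. The catalog and profile documents, their ids, titles and UUIDs are constructed placeholders, not OSPS Baseline or NIST SP 800-53 content.

```python
import json

# Constructed sample documents: OSCAL-shaped JSON with placeholder ids and
# titles, not real OSPS Baseline or NIST SP 800-53 content.
CATALOG_JSON = """
{"catalog": {"uuid": "11111111-1111-4111-8111-111111111111",
  "groups": [
    {"id": "osps-ac", "title": "Access Control",
     "controls": [
       {"id": "osps-ac-01", "title": "Require MFA for collaborators"},
       {"id": "osps-ac-02", "title": "Restrict default permissions",
        "controls": [{"id": "osps-ac-02.1", "title": "Protect the default branch"}]}]},
    {"id": "osps-br", "title": "Build and Release",
     "groups": [{"id": "osps-br-sign", "title": "Signing",
                 "controls": [{"id": "osps-br-01", "title": "Sign release artifacts"}]}]}
  ]}}
"""
PROFILE_JSON = """
{"profile": {"uuid": "22222222-2222-4222-8222-222222222222",
  "imports": [{"href": "osps-catalog.json",
    "include-controls": [{"with-ids": ["osps-ac-01", "osps-ac-02.1", "osps-xx-99"]}]}]}}
"""
CATALOG = json.loads(CATALOG_JSON)
PROFILE = json.loads(PROFILE_JSON)

def iter_controls(node):
    """Yield (id, title) for every control below a catalog, group or control, recursing
    into nested groups and sub-controls at any depth (the jq one-liner stops earlier)."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control["id"], control.get("title", "")
        yield from iter_controls(control)

def catalog_index(catalog_doc):
    """Map control id -> title for the whole catalog (the id/title pairs to compare)."""
    return dict(iter_controls(catalog_doc["catalog"]))

def selected_ids(profile_doc):
    """Control ids a profile selects through imports[].include-controls[].with-ids."""
    return [cid for imp in profile_doc["profile"].get("imports", [])
            for sel in imp.get("include-controls", []) for cid in sel.get("with-ids", [])]

def unresolved_selections(catalog_doc, profile_doc):
    """Selected ids the catalog does not define; non-empty means the profile will not resolve."""
    known = catalog_index(catalog_doc)
    return [cid for cid in selected_ids(profile_doc) if cid not in known]

if __name__ == "__main__":
    print(unresolved_selections(CATALOG, PROFILE))  # ['osps-xx-99']
```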
