00:00:00:00 - 00:00:03:24 So again, Robert Ficcaglia, I’m the Kubernetes policy workgroup co-chair 00:00:03:24 - 00:00:08:10 and also a member of various CNCF in Kubernetes SIGs focusing on security. 00:00:08:13 - 00:00:12:06 And I do have a a day job at CTO Sunstone Secure, where we do 00:00:12:06 - 00:00:15:22 work with CSPs and 3 PAOs and agencies on FedRAMP. 00:00:16:04 - 00:00:20:12 So today, as we've been participating in the OSCAL community, we've seen 00:00:20:12 - 00:00:24:19 a lot of presentations on kind of the CSP perspective or the catalog, 00:00:24:19 - 00:00:28:19 perspective and understanding the controls and how to map those to components. 00:00:28:25 - 00:00:33:15 We hadn't seen a lot of presentation on some from an agency perspective. 00:00:33:15 - 00:00:35:15 So how would we actually use 00:00:35:15 - 00:00:39:08 OSCAL beyond just, getting documentation in a new format. 00:00:39:09 - 00:00:40:22 So that's, I’m addressing today. 00:00:40:22 - 00:00:44:07 in prepping for this, I promised I'd keep it kind of level one to level three. 00:00:44:08 - 00:00:47:25 So if you've never heard of OSCAL, we'll start with a little bit of intro. 00:00:47:29 - 00:00:50:10 And then we'll kind of ramp up the technical detail, 00:00:50:10 - 00:00:51:19 we're going to have a little demo. 00:00:51:19 - 00:00:54:15 everything I am showing is, of course, 00:00:54:15 - 00:00:57:16 our opinions, is not represented by NIST. 00:00:57:16 - 00:01:00:29 It is not endorsed by FedRAMP or any U.S government agency. 00:01:01:02 - 00:01:03:01 we will post all of these materials 00:01:03:01 - 00:01:05:26 and any examples we show, on an open, GitHub repo. 00:01:05:26 - 00:01:09:16 So everybody's welcome to download them, use them represent them. 00:01:09:17 - 00:01:10:12 Any part of this. 00:01:10:12 - 00:01:14:06 I will say that, our experience with agencies and working 00:01:14:08 - 00:01:18:10 through the FedRAMP process, is that it is very document focused. 00:01:18:18 - 00:01:22:04 some of these terms and concepts come directly from the FedRAMP training. 00:01:22:07 - 00:01:24:12 You're looking for inconsistencies. 00:01:24:12 - 00:01:27:05 And in the control narratives, the diagrams 00:01:27:05 - 00:01:31:03 and how those match up to narratives, you know, the system security plan 00:01:31:07 - 00:01:33:04 and the 3PAO test cases. 00:01:33:04 - 00:01:35:27 You know, there's a lot of work that make sure everything's in alignment. 00:01:35:27 - 00:01:38:27 I will highlight that there are these relationships embedded 00:01:38:29 - 00:01:42:13 work activities for an agency, and how they're thinking 00:01:42:13 - 00:01:45:21 through the process of digesting all this documentation. 00:01:45:21 - 00:01:47:13 I would say it's a lot of work for an agency. 00:01:47:13 - 00:01:51:25 I think, you know, lot of us work with CSPs, or maybe they are CSPs, 00:01:52:01 - 00:01:53:27 I think what gets lost in the conversation, 00:01:53:27 - 00:01:56:27 and there's a lot of work on the agency side to either 00:01:56:27 - 00:02:00:22 sponsor a FedRAMP or even reuse an existing FedRAMP package. 00:02:00:27 - 00:02:05:00 They have to understand the impact to their, systems and the interconnections. 00:02:05:00 - 00:02:06:27 They have to understand, you know, the risks 00:02:06:27 - 00:02:09:27 associated with the system and the controls how they're implemented. 00:02:10:04 - 00:02:12:28 You know, they have to try to digest totally new system, 00:02:12:28 - 00:02:16:25 policy and procedures and make sure that those are covering all the statements. 00:02:17:00 - 00:02:17:27 have to assess, you know, whether 00:02:17:27 - 00:02:20:23 those 3PAOs doing their job, well, they're accredited. 00:02:20:23 - 00:02:23:17 they have to take ownership that the tests were correct. 00:02:23:17 - 00:02:25:27 And, of course, they're signing up for a long term responsibility. 00:02:25:27 - 00:02:27:24 If they're the sponsoring agency, 00:02:27:24 - 00:02:31:01 especially that they're going to monitor and review ConMon every month. 00:02:31:04 - 00:02:33:06 Continuous monitoring. So it's a lot of work. 00:02:33:06 - 00:02:36:02 And I think, as a community, we owe it to the agencies 00:02:36:02 - 00:02:39:14 to try to, present a path forward that, reduces their effort. 00:02:39:14 - 00:02:44:01 And in the end, if we can, make this reuse possible with a lot less effort 00:02:44:01 - 00:02:45:01 on the agency part, 00:02:45:01 - 00:02:48:22 we can really accelerate the timeline to getting agencies 00:02:48:22 - 00:02:53:01 to sponsor new FedRAMP packages or reuse existing FedRAMP packages. 00:02:53:03 - 00:02:54:16 And that supports innovation. 00:02:54:16 - 00:02:58:11 those who may not be familiar with FedRAMP just to cover briefly, they have to 00:02:58:11 - 00:03:01:19 understand all the data and the data flows and the sensitivity of that data. 00:03:01:22 - 00:03:03:21 They have to kind of map that up with the NIST's 00:03:03:21 - 00:03:07:05 documentation on digital identity the strength of that identity. 00:03:07:09 - 00:03:10:19 They have to work through this, you know, very cumbersome word document 00:03:10:19 - 00:03:14:05 and Excel spreadsheet process do the analysis and review. 00:03:14:05 - 00:03:17:15 And, and then they have to digest 3PAOs assessment results 00:03:17:17 - 00:03:21:00 and then of course, there are multiple layers to any complex system these days. 00:03:21:00 - 00:03:24:25 So you're usually leveraging somebody else's ATO, a cloud provider, 00:03:24:25 - 00:03:28:22 another app connecting to other FedRAMP enabled, authorized systems. 00:03:28:23 - 00:03:31:12 So it takes a team. agencies we work with. 00:03:31:12 - 00:03:33:14 There's a number of people on each of these calls. 00:03:33:14 - 00:03:35:13 There's a lot of work happening in the background. 00:03:35:13 - 00:03:39:10 So there's probably, half a dozen to a dozen folks actively working 00:03:39:10 - 00:03:40:08 if they're going through the 00:03:40:08 - 00:03:43:16 sponsorship process and then even if they were using an ATO, 00:03:43:16 - 00:03:46:16 there's still a lot that review GRC work that has to be done. 00:03:46:17 - 00:03:51:21 There's not a lot of clear definition of coverage the documentation that we're 00:03:51:21 - 00:03:56:00 reviewing and all of the controls really covering all the system threats. 00:03:56:04 - 00:03:58:25 we'll talk about threats and coverage later in the presentation. 00:03:58:25 - 00:04:00:05 So again, just to summarize, 00:04:00:05 - 00:04:03:10 a lot of manual operations, kind of ad hoc mapping between, 00:04:03:10 - 00:04:06:15 the CSP's interpretation of the controls and the underlying system. 00:04:06:18 - 00:04:08:12 deviations that need to be discussed. 00:04:08:12 - 00:04:11:15 There's going to be inheritance, from different systems. 00:04:11:15 - 00:04:14:15 Again, the 3PAO is using some sampling methodology, but 00:04:14:15 - 00:04:17:15 even for a specific control or even a control part, 00:04:17:17 - 00:04:20:28 they're not covering the intent of that control relative to the system. 00:04:20:28 - 00:04:23:28 You need a lot of subject matter experts, to assess these risks. 00:04:24:00 - 00:04:25:29 And then you've got to worry about ongoing things 00:04:25:29 - 00:04:29:02 like incident response preparation, disaster recovery POAMs 00:04:29:02 - 00:04:32:28 And then every year happens again, annual, requirements for FedRAMP 00:04:32:28 - 00:04:34:10 and significant changes. 00:04:34:10 - 00:04:37:18 some of the feedback we've heard directly from agencies on why they either 00:04:37:18 - 00:04:43:12 hesitated to sponsor, an ATO, FedRAMP package or why even to reuse, etc.. 00:04:43:15 - 00:04:46:24 Package adds burden and typically it's around the staffing, 00:04:46:27 - 00:04:48:02 and the time it takes. 00:04:48:02 - 00:04:50:27 as I know, you know, adversaries love the status quo. 00:04:50:27 - 00:04:51:12 Okay. 00:04:51:12 - 00:04:54:04 Oh, and one of my favorite pet peeves is that there's those of you 00:04:54:04 - 00:04:57:15 who work through kind of the ConMon process, you know, everything kind of maps to RA-5 00:04:57:16 - 00:04:59:06 from vulnerabilities that are detected. 00:04:59:06 - 00:05:01:07 So, we'll talk about this, later. 00:05:01:07 - 00:05:04:10 But I think I want to, think the agency's perspective of 00:05:04:10 - 00:05:07:12 what we're really trying to do is understand the threats to the system 00:05:07:12 - 00:05:10:28 and, vulnerabilities and controls and how those in real interrelate. 00:05:11:00 - 00:05:15:15 we are not alone in presenting a vision for accelerating and reducing the work. 00:05:15:15 - 00:05:18:05 from a, presentation in February 2021. 00:05:18:05 - 00:05:21:19 There's an explicit goal to really condense the timeline or reduce 00:05:21:19 - 00:05:25:15 the work really focus on risk management and less on, checking boxes. 00:05:25:15 - 00:05:27:18 So PMO and certainly the folks 00:05:27:18 - 00:05:30:18 that NIST have declared clearly that, this is a goal. 00:05:31:11 - 00:05:34:17 So together, let's talk about how OSCAL helps, roll up our sleeves 00:05:34:17 - 00:05:38:09 and get the work done faster and with more threat and risk in mind. 00:05:38:12 - 00:05:39:00 So clarity. 00:05:39:00 - 00:05:40:00 writing things in code 00:05:40:00 - 00:05:44:03 with OSCAL defined set of schemas based on very clear models. 00:05:44:08 - 00:05:44:24 we're not, 00:05:44:24 - 00:05:48:18 you know, looking at things we're not trying to, you know, make things clear. 00:05:48:18 - 00:05:52:12 We're literally writing code that reads data and producing results. 00:05:52:14 - 00:05:56:22 go from kind of manual checklists and Excel, templates to PRs. 00:05:56:22 - 00:05:59:22 If you're familiar with Git, we'll talk a little bit more about Git and Git ops. 00:05:59:25 - 00:06:03:04 Everything is a automatable process in, 00:06:03:04 - 00:06:06:08 repository that has automated workflows. 00:06:06:08 - 00:06:11:09 It is a team sport, and everybody needs a different view of the problem, right? 00:06:11:10 - 00:06:13:25 Some will need all the details and all the interconnections. 00:06:13:25 - 00:06:15:08 Some will just need a summary of you 00:06:15:08 - 00:06:18:10 and they'll want that word document or they'll want a PowerPoint presentation. 00:06:18:13 - 00:06:22:05 OSCAL allows code to slice off bits that it needs 00:06:22:14 - 00:06:26:13 and present only the information at the right level of detail for that 00:06:26:13 - 00:06:28:28 audience. And consistency is probably the most, 00:06:28:28 - 00:06:30:26 those of us who actually worked with Pascal. 00:06:30:26 - 00:06:34:08 And the schema is, you know, everything is uniquely identified. 00:06:34:09 - 00:06:36:00 Everything is linked together. 00:06:36:00 - 00:06:40:20 try to remove all of the inconsistencies and, all the ambiguity and making 00:06:40:20 - 00:06:42:24 sure that everything is always lined up if things change. 00:06:42:24 - 00:06:44:26 I think one thing that is underappreciated, 00:06:44:26 - 00:06:48:24 perhaps, is that current process is very linear, OSCAL by itself doesn't 00:06:48:24 - 00:06:52:11 necessarily change that, it enables a more parallel process 00:06:52:20 - 00:06:57:28 where you can now have multiple teams working on a shared set of artifacts in 00:06:57:28 - 00:07:02:16 a git repository that is version control and are both controlled and auditable. 00:07:02:20 - 00:07:06:12 now you can have parallel branches automated, GitHub actions 00:07:06:12 - 00:07:07:13 if you're familiar with that. 00:07:07:13 - 00:07:08:21 and they're very usable. 00:07:08:21 - 00:07:11:24 you can very quickly clone across groups. 00:07:11:28 - 00:07:14:04 individuals come on and come off project. 00:07:14:04 - 00:07:15:18 And so you got a lot of parallel processing 00:07:15:18 - 00:07:17:12 that all converges where it needs to. 00:07:17:12 - 00:07:19:21 And I have another graphic that tries to convey 00:07:19:21 - 00:07:21:18 a bit more of that Budget always important. 00:07:21:18 - 00:07:23:21 So directly related to staff time. 00:07:23:21 - 00:07:26:26 So everybody's, 25 folks on a call to review, 00:07:26:29 - 00:07:29:20 they may be subject matter experts on a particular slice of it 00:07:29:20 - 00:07:31:17 it's a lot of resources for each of those meetings. 00:07:31:17 - 00:07:35:09 Whereas if we can make this more asynchronous have subject matter experts 00:07:35:09 - 00:07:38:18 focus on distinct parts and capture that in code 00:07:38:18 - 00:07:41:02 then you really can reduce that timeline and budget. 00:07:41:02 - 00:07:44:11 And I think a challenge I was part of agency discussion 00:07:44:12 - 00:07:46:26 last year about biggest challenge is staffing. 00:07:46:26 - 00:07:49:15 folks are leaving, folks are not trained. 00:07:49:15 - 00:07:52:18 So this is really what keeps a lot of agency, and mission 00:07:52:18 - 00:07:57:04 leaders up at So if you can start to embrace OSCAL automation, 00:07:57:04 - 00:08:01:05 and now reinforcing new skills and a new culture that really excites, 00:08:01:08 - 00:08:04:29 the younger, workforce that's what they're exposed to in their education 00:08:04:29 - 00:08:07:00 and that's what they're looking for in their career path. 00:08:07:00 - 00:08:08:19 And so you're building these skills 00:08:08:19 - 00:08:11:00 that will help you recruit that talent, retain that talent. 00:08:11:00 - 00:08:14:14 the asterisk, of course, is really do need leadership, sponsorship 00:08:14:14 - 00:08:18:18 So OSCAL helps again with the consistency verification. 00:08:18:18 - 00:08:23:27 So have, the ability to write validations But we want to kind of understand how 00:08:23:27 - 00:08:29:11 we can map a security capability in code and OSCAL to a control implementation. 00:08:29:11 - 00:08:31:03 So I'll show that in the demo. 00:08:31:03 - 00:08:33:02 And then we want to have that full 00:08:33:02 - 00:08:36:28 end to end mapping from a component controls or capability threat. 00:08:37:02 - 00:08:40:24 And then this really enables reinforces that, risk management mentality. 00:08:40:24 - 00:08:45:01 And as I'll show you, it also helps you define coverage metrics at all levels. 00:08:45:06 - 00:08:47:22 this is going to require a bit of dual perspective. 00:08:47:22 - 00:08:50:29 on one side of OSCAL is what I'll call abstract classes. 00:08:50:29 - 00:08:51:06 Right. 00:08:51:06 - 00:08:54:06 So you've got catalogs, you've got component definitions, right. 00:08:54:06 - 00:08:57:17 And those of us who might come from, object oriented programing, 00:08:57:17 - 00:09:00:19 will understand this notion of an abstract class, maybe interface 00:09:00:20 - 00:09:02:23 if you come from a Java back on and then on the other side, 00:09:02:23 - 00:09:06:20 you've got objects, object instances, implements and methods. 00:09:06:20 - 00:09:11:02 So you've got this notion of a real thing, that can be compiled or deployed. 00:09:11:02 - 00:09:12:27 in a writing system, you've got an inventory 00:09:12:27 - 00:09:16:10 and you've got the actual stuff that you're trying to, use and assess. 00:09:16:16 - 00:09:21:23 So you want to understand what is my risk not only and at the abstract level. 00:09:21:28 - 00:09:22:28 how do I define 00:09:22:28 - 00:09:27:01 all the controls that I need to define for a particular baseline profile, 00:09:27:01 - 00:09:30:13 and how do those are mapped together but also at the, implementation level. 00:09:30:13 - 00:09:34:17 So if I build the system according to that schema, to that abstract 00:09:34:17 - 00:09:37:11 class and implement those things that I need to implement, 00:09:37:11 - 00:09:40:20 have I covered all the rest and then the running system, of course, 00:09:40:20 - 00:09:44:29 which I think a lot of us, IT security background, we focus on day to day. 00:09:44:29 - 00:09:46:08 We're, you That's the runtime. 00:09:46:08 - 00:09:48:21 And coverage at that level is a little bit easier. 00:09:48:21 - 00:09:49:21 risk assessment. 00:09:49:21 - 00:09:54:05 So the benefits of OSCAL validations schema training rules to check. 00:09:54:05 - 00:09:57:21 Hey is my OSCAL complete and have all the fields I need. 00:09:57:28 - 00:09:59:05 is it all the links correct. 00:09:59:05 - 00:10:03:28 That's going to eliminate your SSP inconsistencies. Component and controls as code 00:10:03:28 - 00:10:07:00 strong opinion is that we can deprecate the diagrams. 00:10:07:00 - 00:10:10:15 And in every text, they can be useful as humans 00:10:10:15 - 00:10:13:15 consume results of the assessments. 00:10:13:21 - 00:10:14:10 And they can 00:10:14:10 - 00:10:18:11 certainly provide contextual information for giving you situational awareness. 00:10:18:11 - 00:10:22:13 But hopefully we can, in the not too distant future, stop relying on them 00:10:22:13 - 00:10:25:21 as the definition of completeness or coverage 00:10:25:21 - 00:10:28:21 rules, not yet an official OSCAL schema. 00:10:28:21 - 00:10:29:23 know there's a lot of work going on. 00:10:29:23 - 00:10:33:25 I think I put GitHub issue, later on, really more about 00:10:33:25 - 00:10:38:01 the tests of the control, less about the consistency and the validation. 00:10:38:01 - 00:10:42:13 So actually, how are we going to test this in code to make sure that the control 00:10:42:16 - 00:10:44:11 actually match the intent. 00:10:44:11 - 00:10:45:20 How can I demonstrate that. 00:10:45:20 - 00:10:48:18 all of this, to bring it back to that risk management is about, 00:10:48:18 - 00:10:51:22 you know, TTPs if you're familiar with the mighter attack model. 00:10:51:27 - 00:10:55:15 all of that helps us model these, risks and the relationships between 00:10:55:19 - 00:10:56:15 how do we do this? 00:10:56:15 - 00:10:59:00 So how are we going to actually implement this as an agency? 00:10:59:00 - 00:11:02:20 First and foremost is, again, that culture and mentality shift. 00:11:02:20 - 00:11:04:11 we should expect OSCAL. 00:11:04:11 - 00:11:06:07 We should embrace OSCAL. We should use it. 00:11:06:07 - 00:11:09:19 We shouldn't see it as kind of an appendix And to support that, 00:11:09:19 - 00:11:13:11 several of the CNCF participants are Kubernetes policy work group, 00:11:13:14 - 00:11:17:23 all providing open source tools, help and support, community support. 00:11:17:23 - 00:11:21:19 that reskilling, so changing who's involved in the skill set. 00:11:21:19 - 00:11:26:02 So may still have the authorizing official or But instead of the subject matter 00:11:26:02 - 00:11:30:12 experts being, narrative oriented, now you're looking at code pipelines 00:11:30:12 - 00:11:31:22 and code artifacts, right? 00:11:31:22 - 00:11:36:00 And so you're going to have all the OSCAL for your SSP, your SAP, 00:11:36:00 - 00:11:37:20 your ConMon validations, 00:11:37:20 - 00:11:41:22 your controls, in some code repo, let's just call it Git. On the other side. 00:11:41:22 - 00:11:44:00 You're going to have your subject matter experts writing rules, 00:11:44:00 - 00:11:47:23 then hammering on the documentation issue, using algorithms. 00:11:47:23 - 00:11:49:08 And so is already happening. 00:11:49:08 - 00:11:53:08 So a lot of, commercial implementations of compliance and security 00:11:53:08 - 00:11:54:14 no longer relying on, you 00:11:54:14 - 00:11:59:00 documentation, checklists or, documented narratives on how compliance works. 00:11:59:00 - 00:12:02:14 They're using algorithms to define, how things are interconnected. 00:12:02:16 - 00:12:04:14 looking at the strength of those connections. 00:12:04:14 - 00:12:06:04 They're tagging things with data. 00:12:06:04 - 00:12:09:16 And using algorithms to measure and to calculate. 00:12:09:16 - 00:12:11:17 Are we covering all the controls? 00:12:11:17 - 00:12:13:01 What is the strength and intensity? 00:12:13:01 - 00:12:15:07 are the rules associated that need to pass, 00:12:15:07 - 00:12:18:10 And then again embrace this notion of automating everything. 00:12:18:12 - 00:12:20:18 Don't see automation as a nice to have. 00:12:20:18 - 00:12:24:24 If this is going to work, you really need to automate as much as possible. 00:12:24:24 - 00:12:27:00 So think of it again as compliance as code. 00:12:27:00 - 00:12:28:07 Git Ops or the ability 00:12:28:07 - 00:12:32:04 to make a change in a repo that's very controlled with usable, auditable. 00:12:32:04 - 00:12:35:13 And when you commit goes through a pipeline code process 00:12:35:13 - 00:12:38:16 and makes changes available to others that need to participate 00:12:38:16 - 00:12:42:13 or use those artifacts, even down to the final step, 00:12:42:13 - 00:12:46:23 where you can imagine having a final authority to operate PR 00:12:46:24 - 00:12:51:12 that authorizing official approves, and that can trigger downstream workflows 00:12:51:12 - 00:12:55:09 that the system itself can use as a signal for turning on different features. 00:12:55:09 - 00:12:57:13 If you're familiar with the notion of like feature flags, 00:12:57:13 - 00:13:00:16 you can imagine having an auto trigger, a feature flag that says, now 00:13:00:16 - 00:13:04:19 these systems and services are available, with the requirements, all satisfied. 00:13:04:24 - 00:13:07:01 And then again, I mentioned earlier this notion of parallel 00:13:07:01 - 00:13:10:15 workflows, those who work in software, I know the get slow process 00:13:10:17 - 00:13:11:21 is going to be very familiar. 00:13:11:21 - 00:13:12:26 instead of everybody 00:13:12:26 - 00:13:16:20 kind of being involved at every point, know, looking at the components, 00:13:16:27 - 00:13:19:27 evaluating the security capabilities, how do we test it? 00:13:19:28 - 00:13:20:26 Do we pull on the right? 00:13:21:28 - 00:13:23:08 Are the controls mapped correctly. 00:13:23:08 - 00:13:26:02 I've been having everybody on those calls and on those emails 00:13:26:02 - 00:13:29:26 so that you really can break this out I'm the subject matter in my PR, I'm 00:13:29:26 - 00:13:33:21 going to participate where I need to codify that and get merge 00:13:33:24 - 00:13:37:28 it into the feature branches, if you will, and then let my team take it from there. 00:13:38:00 - 00:13:39:10 And of course, I can monitor it. 00:13:39:10 - 00:13:41:15 I get notifications in the repo. 00:13:41:15 - 00:13:45:18 So it all becomes very codified, it all becomes pipeline, the very end, 00:13:45:24 - 00:13:47:28 bring in just the right people at just the right time. 00:13:47:28 - 00:13:50:14 So a big component of how I view this problem 00:13:50:14 - 00:13:53:14 derives from NISTIR which is a great publication. 00:13:53:20 - 00:13:55:10 If you haven't read it, you should 00:13:55:10 - 00:13:59:10 but it really talks about, a desired state and actual state view of the world. 00:13:59:11 - 00:14:03:09 I've inserted new concept, which is what I called declared state. 00:14:03:11 - 00:14:07:23 As we move into a, code, systems thinking view of the world, going to split out. 00:14:07:25 - 00:14:09:04 here's my desired state. 00:14:09:04 - 00:14:13:05 may have defined OSCAL, a control catalog, a profile, a baseline. 00:14:13:08 - 00:14:17:13 I'm now going to translate or complement that with declared rules. 00:14:17:13 - 00:14:21:06 those rules from the subject matters experts are going to support 00:14:21:08 - 00:14:24:08 in some cases even determine the implementation of those controls. 00:14:24:08 - 00:14:25:16 And so the prereqs 00:14:25:16 - 00:14:30:04 for looking at the world in this way, you have to have policy rules. 00:14:30:04 - 00:14:33:07 So I'll show you, demo of Rego, 00:14:33:07 - 00:14:36:14 which is, open source implementation of a rules engine. 00:14:36:17 - 00:14:39:17 Rego is the language, open policy agent is the enforcement engine. 00:14:39:20 - 00:14:43:05 need to have a model for risks and threats. 00:14:43:05 - 00:14:45:26 So threats, minor attack, minor descend. 00:14:45:26 - 00:14:47:20 the instance that I will rely on. 00:14:47:20 - 00:14:48:15 There are others, 00:14:48:15 - 00:14:52:15 but you really do have to have a working definition of the threats to your system. 00:14:52:15 - 00:14:57:04 And then you have to have test and query rules so that you can, map 00:14:57:08 - 00:15:01:05 your content to tests that can run against the actual inventory of things. 00:15:01:17 - 00:15:04:29 And as I mentioned, my, my view in the future is that, ATO as code 00:15:04:29 - 00:15:08:21 that actually can be PR trigger things downstream in the running system. 00:15:08:25 - 00:15:10:09 So what is policy as code? 00:15:10:09 - 00:15:14:26 for those of you who haven't seen this and Kubernetes or other systems, it's 00:15:14:26 - 00:15:19:17 essentially declarative rules that, state the intent of a particular, 00:15:19:17 - 00:15:23:15 authorization, say like Rbac, what permissions I have, and it has very 00:15:23:15 - 00:15:27:19 lightweight, enforcement engine that can evaluate all the different rules 00:15:27:19 - 00:15:31:24 logically, potentially Boolean operations, and make a determination. 00:15:32:01 - 00:15:32:27 However, one. 00:15:32:27 - 00:15:34:23 One thing that isn't obvious from these policies 00:15:34:23 - 00:15:37:06 code engines is it can actually generate code. 00:15:37:06 - 00:15:39:14 So there has been threat guidance. 00:15:39:14 - 00:15:44:29 Just on how to look at controls, for an agency lens mapping that to a risk model. 00:15:44:29 - 00:15:47:25 you want to look at, you know, what is the protection. 00:15:47:25 - 00:15:52:10 They have a scoring rubric to how, control protections against these risks. 00:15:52:10 - 00:15:55:09 And of course the coverage metric about how well it's implemented. 00:15:55:09 - 00:15:57:16 And that allows you to prioritize the controls. 00:15:57:16 - 00:16:00:17 You're going to assess, so that it matches your, your risk profile. 00:16:00:17 - 00:16:02:03 now we have our desired state. 00:16:02:03 - 00:16:06:23 plan that talks about OSCAL our actual tasks for that desired state. 00:16:06:26 - 00:16:09:16 And we can map threats to security cameras. 00:16:09:16 - 00:16:11:27 I do highlight open policy. 00:16:11:27 - 00:16:15:07 That's what, use, but there are other policy enforcement engines. 00:16:15:07 - 00:16:18:28 Another way to implement this, commercially, we use this methodology 00:16:18:28 - 00:16:22:20 is we do use a graph database and run graph queries. 00:16:22:22 - 00:16:26:02 so that can actually make decisions based on, the relationships 00:16:26:02 - 00:16:28:17 and the properties of each entity in a, in a graph. 00:16:28:17 - 00:16:29:18 if you're really bored, 00:16:29:18 - 00:16:34:04 you know, but you can use things like formal verification and, SMP 00:16:34:08 - 00:16:37:19 So for understanding how the threats are being 00:16:37:19 - 00:16:40:20 addressed, do need to have a query on the actual system. 00:16:40:20 - 00:16:42:08 there been a few different approaches to this. 00:16:42:08 - 00:16:46:09 We've used most of them and there are others that are out there 00:16:46:09 - 00:16:48:01 in the research and open source. 00:16:48:01 - 00:16:52:07 So you can use the natural language and the narratives 00:16:52:07 - 00:16:55:00 and the control definitions and the supplemental guidance 00:16:55:00 - 00:16:58:23 And then you can use semantic matching, NLP entity extraction. 00:16:58:29 - 00:17:01:29 And you know, if you will, keyword matching to try to 00:17:01:29 - 00:17:03:12 to automate that mapping. 00:17:03:12 - 00:17:07:17 You can build statistical models and you can measure properties of the 00:17:07:17 - 00:17:11:19 threat in terms of, where they operate, what entities, mentioned graph. 00:17:11:20 - 00:17:12:26 model the system as a graph. 00:17:12:26 - 00:17:15:22 You can model the attacks as pathways to the graph. 00:17:15:22 - 00:17:18:09 And that gives you a rich set of algorithms And I think, 00:17:18:09 - 00:17:22:17 emerging, future approach is to use AI with a combination of all of those 00:17:22:25 - 00:17:26:16 It has its own considerations around, risks and bias and, training 00:17:26:16 - 00:17:28:19 and all these things. But I think it will be important. 00:17:28:19 - 00:17:30:24 then again, back to that GitOps model. 00:17:30:24 - 00:17:35:21 really need to embrace this notion that we're not approving by, consensus 00:17:35:21 - 00:17:38:26 documentation or really, enforcing the process 00:17:38:26 - 00:17:43:00 through some artifact and some, you know, PR and pull request. 00:17:43:00 - 00:17:44:07 If you're familiar with git 00:17:44:07 - 00:17:46:27 And then CSPs and three paths play an important part in this. 00:17:46:27 - 00:17:48:25 they'll have to maintain the also 00:17:48:25 - 00:17:52:19 for the components and the control implementation details, the tests. 00:17:52:21 - 00:17:54:13 And you want to be able to have kind of a dry run. 00:17:54:13 - 00:17:57:13 This is one thing that you can do and say a system like Kubernetes, 00:17:57:13 - 00:17:59:27 we have policy code and checking configurations. 00:17:59:27 - 00:18:00:24 And then you can do a dry 00:18:00:24 - 00:18:04:29 run and say, everything, satisfy the rules And there you need to detect drift. 00:18:04:29 - 00:18:07:24 So if I say I'm declaring a particular configuration, deploy 00:18:07:24 - 00:18:10:11 that I need to have some, some mechanism to say, 00:18:10:11 - 00:18:13:13 has it been tampered with all of this allows for coverage metrics. 00:18:13:13 - 00:18:14:20 And you know, from a code 00:18:14:20 - 00:18:18:27 perspective much code am I, introducing each step the test matching up. 00:18:18:27 - 00:18:21:02 So let's talk about this rules engine. 00:18:21:02 - 00:18:22:22 again we've talked about having desired state. 00:18:22:22 - 00:18:27:00 We're going to have rules about use and reason over the catalogs and controls 00:18:27:00 - 00:18:27:20 the profiles. 00:18:27:20 - 00:18:28:27 We're going to have what I call 00:18:28:27 - 00:18:32:28 declared state We're going to have some understanding of threats and all of this 00:18:32:28 - 00:18:36:07 so that we can reinforce those control implementations with threat data. 00:18:36:09 - 00:18:40:14 code test rules that test things, And then that's going to generate 00:18:40:14 - 00:18:41:23 from the inventory of the SAR, 00:18:41:23 - 00:18:45:16 that helps reinforce this kind of lifecycle, continuous updates. 00:18:45:16 - 00:18:49:12 So controls updated by a catalog going to have the component types 00:18:49:12 - 00:18:50:13 needing to be updated. 00:18:50:13 - 00:18:54:04 going to have this kind of threat based model of the system. 00:18:54:04 - 00:18:55:16 that's going to inform our testing. 00:18:55:16 - 00:18:59:04 And as I mentioned, is some AI work being done in the open source community. 00:18:59:04 - 00:19:01:08 So you should definitely check out these projects. 00:19:01:08 - 00:19:03:05 decision gates for those pieces. 00:19:03:05 - 00:19:04:01 We talked about that. 00:19:04:01 - 00:19:07:12 We're working on some research around kind of building a time machine of diffs 00:19:07:12 - 00:19:08:15 for the entire system. 00:19:08:15 - 00:19:12:14 remediation, there's a lot of commercial and open source work about automating 00:19:12:14 - 00:19:17:05 the remediations and generating, actual changes based on, findings and volumes. 00:19:17:05 - 00:19:21:06 So, those who have done FedRAMP, you know, that you need to do ConMon 00:19:21:06 - 00:19:24:00 you know that you need to report where things are on a monthly basis, 00:19:24:00 - 00:19:27:17 you're really kind of trying to move towards continuous DevSecOps model. 00:19:27:17 - 00:19:30:13 So really want to make sure that all of these things are being updated 00:19:30:13 - 00:19:34:07 So I think I'll jump into the demo before we talk about the, graphy stuff. 00:19:34:07 - 00:19:37:28 So to do that, I'm going to jump over to my Rego playground. 00:19:37:29 - 00:19:41:21 as I mentioned, Rego is, a language for declaring rules 00:19:41:21 - 00:19:44:17 and then validating those rules very effectively and very efficiently. 00:19:44:17 - 00:19:47:09 before you can do any validation, you have to have some data. 00:19:47:09 - 00:19:49:08 So this is a very simplified version 00:19:49:08 - 00:19:51:14 of, you know, inputs you might get from a catalog. 00:19:51:14 - 00:19:53:06 So you're going to define your controls. 00:19:53:06 - 00:19:55:06 going to have statements. You have properties. 00:19:55:06 - 00:19:58:21 And those who have worked with OSCAL know at the level 2 or 3, looking at, 00:19:58:21 - 00:19:59:26 what controls for 00:19:59:26 - 00:20:03:17 the system needs to implement, on top of kind of the control data, 00:20:03:19 - 00:20:07:20 the system will have some security capabilities to, protect, detect 00:20:07:23 - 00:20:09:25 or respond, here we've got some input. 00:20:09:25 - 00:20:13:14 And so here's the, CSP's capabilities for a particular component, 00:20:13:14 - 00:20:17:20 and allows us to reason over, different, types of protection that might provide 00:20:17:20 - 00:20:19:04 and, what it implements. 00:20:19:04 - 00:20:23:21 for noting that there is discussion around creating a rules or test schema. 00:20:23:21 - 00:20:25:14 in OSCAL it's not official yet. 00:20:25:14 - 00:20:27:05 So some of this is prototype. 00:20:27:05 - 00:20:30:15 And but I'm fairly confident that the folks on this call, participating 00:20:30:15 - 00:20:33:15 in that we will get to, some implementation of rules 00:20:33:15 - 00:20:34:21 in the not too distant future. 00:20:34:21 - 00:20:37:29 as a CSP, you're typically providing components, 00:20:38:03 - 00:20:41:09 your component abstract class will have to be implemented. 00:20:41:09 - 00:20:44:13 we'll have to provide evidence of these security capabilities. 00:20:44:16 - 00:20:46:18 we get to the point we're actually playing with policy. 00:20:46:18 - 00:20:49:01 So in the Rego language, you know, the syntax. 00:20:49:01 - 00:20:52:15 If you've ever worked with Datalog, it's it's very similar to Datalog. 00:20:52:19 - 00:20:55:19 these are essentially, you know, tuples that engine will interpret 00:20:55:19 - 00:20:59:21 and tell you is everything in these, rule sets are true. 00:20:59:23 - 00:21:03:09 It's basically saying is every single thing I'm asserting here true. 00:21:03:09 - 00:21:06:05 And if it is then output of that should reflect that. 00:21:06:05 - 00:21:08:12 And as I mentioned today and so like a Kubernetes 00:21:08:12 - 00:21:12:08 system, open policy agent is used really to make very binary decisions. 00:21:12:08 - 00:21:14:08 you're familiar with communities, you can use it for admission 00:21:14:08 - 00:21:17:28 control and say, should I put the thing new things into the system or not? 00:21:17:28 - 00:21:22:07 a side effect of you go and open policy agent is you can actually generate code. 00:21:22:17 - 00:21:25:17 So here we've, mentioned, there were basing things on, threats. 00:21:25:17 - 00:21:26:11 So we've got, 00:21:26:11 - 00:21:30:09 identified in our capabilities, you know, the threats that we're going to, 00:21:30:09 - 00:21:32:28 protect against and we've defined some mitigation, 00:21:32:28 - 00:21:35:04 execution of, say, a, unauthorized container. 00:21:35:04 - 00:21:36:21 And now we're going to evaluate, 00:21:36:21 - 00:21:39:21 so it's showing you that it's, you know, everything in green is true, 00:21:39:21 - 00:21:42:12 but as a side effect, it's actually generating the output. 00:21:42:12 - 00:21:45:03 here's a score based on weightings that we've provided. 00:21:45:03 - 00:21:49:14 you know, you might have in the gov car methodology, heatmaps value based on that, 00:21:49:16 - 00:21:51:25 that might air attack or other threat model 00:21:51:25 - 00:21:54:20 and how the controls intersect with those threats. 00:21:54:20 - 00:21:57:10 can see that it's loaded up different, weights. 00:21:57:10 - 00:22:00:15 And so here can see that in addition to saying that everything 00:22:00:15 - 00:22:04:13 that I've declared in my rules is true, that I am interested as a subject matter 00:22:04:13 - 00:22:08:00 expert in this particular threat, it's also calculating the score, 00:22:08:00 - 00:22:11:23 of how this particular example is, covering and protecting. 00:22:11:23 - 00:22:14:16 So you get that protection value score and you get that coverage score. 00:22:14:16 - 00:22:17:25 beyond just saying now has my, component definition, 00:22:17:25 - 00:22:21:08 my abstract class, my security capability from the CSP. 00:22:21:08 - 00:22:24:12 Again, my abstract definition of what I plan to provide. 00:22:24:14 - 00:22:26:14 Is that really doing what I needed to do? 00:22:26:14 - 00:22:29:14 You're going to you're going to subject matter expert is going to define some 00:22:29:15 - 00:22:32:08 So we're going to say that, you know, I'm interested in containers. 00:22:32:08 - 00:22:35:00 I needed to have a signature capability. 00:22:35:00 - 00:22:39:00 I need to be able to sign digitally sign any container that's going to be allowed 00:22:39:00 - 00:22:39:24 into the system. 00:22:39:24 - 00:22:43:19 in doing that, I'm going to want to evaluate that with some methodology. 00:22:43:19 - 00:22:46:22 this is using a particular query syntax, but could be, you know, 00:22:46:23 - 00:22:48:26 any any of evaluation syntax. 00:22:48:26 - 00:22:49:25 You're interested in. 00:22:49:25 - 00:22:52:26 I want to find containers with signatures that undefined, 00:22:52:26 - 00:22:54:16 and that means that it would fail. Right. 00:22:54:16 - 00:22:57:15 if a concern is that unauthorized containers are going to be allowed 00:22:57:15 - 00:23:00:21 into my system, my security capability is to prevent that. 00:23:00:21 - 00:23:03:17 My test says that, inventory level, am I going to be able 00:23:03:17 - 00:23:06:07 do detect, that container without a signature? 00:23:06:07 - 00:23:07:13 again, as a side effect, 00:23:07:13 - 00:23:11:08 you'll see here that, actually generate specific rule implementations. 00:23:11:08 - 00:23:14:12 So we still haven't gotten yet to running system, but we're saying 00:23:14:12 - 00:23:18:06 that in my analysis and in my SAP planning, I 00:23:18:06 - 00:23:21:15 now I'm tying this down to a particular implementation. 00:23:21:15 - 00:23:24:15 I'm going to be looking for containers with signature value undefined. 00:23:24:16 - 00:23:25:22 And again, it's covering, 00:23:25:22 - 00:23:28:07 you know, it's mapped to all the threats I'm interested in. 00:23:28:07 - 00:23:30:16 And then what are we going to do with those rule implementations? 00:23:30:16 - 00:23:32:28 We're going to tie those two control implementations. 00:23:32:28 - 00:23:37:09 So think the fundamental shift in mentality here is you're letting the rules 00:23:37:09 - 00:23:41:21 engine match things up and define if the implementation is correct, 00:23:42:04 - 00:23:46:03 And so when we evaluate the control implementation scoring, 00:23:46:07 - 00:23:48:13 got to have a particular protection threshold. 00:23:48:13 - 00:23:50:22 I've got to have a particular coverage threshold. 00:23:50:22 - 00:23:51:14 know, I'm interested 00:23:51:14 - 00:23:54:17 and I want to make sure that those rules are associated with it. 00:23:54:26 - 00:23:59:14 What's getting generated is the OSCAL for, you know, pseudo OSCAL 00:23:59:14 - 00:24:03:09 in this demo for control implementation for a component, definition. 00:24:03:13 - 00:24:04:20 here it's tying it all together. 00:24:04:20 - 00:24:08:20 It's generated the implemented requirements based on the control. 00:24:08:20 - 00:24:10:16 IDs reference from the catalog. 00:24:10:16 - 00:24:11:21 It's then connected 00:24:11:21 - 00:24:15:17 those to the conditions and rules for gathering evidence for that. 00:24:15:17 - 00:24:19:12 And again, it's, you know, adhering to the, the ID semantics 00:24:19:12 - 00:24:20:29 and linkages in OSCAL. 00:24:20:29 - 00:24:24:13 in terms of, testing all this and now collaborating 00:24:24:13 - 00:24:28:05 with both the CSP and 3PAO you're on, generate an assessment plan. 00:24:28:05 - 00:24:30:15 And so that's really just binding those rules 00:24:30:15 - 00:24:34:14 that are kind of abstract to actual inventory tasks. 00:24:34:24 - 00:24:39:19 so in doing that now you get an assessment plan that is connected to the SSP. 00:24:39:21 - 00:24:42:11 you can see, you know, very specific set of tests. 00:24:42:11 - 00:24:43:07 in severe SAP. 00:24:43:07 - 00:24:44:26 then once you have a running system, 00:24:44:26 - 00:24:47:17 you can use those queries You know, they're fully traceable 00:24:47:17 - 00:24:49:28 and connected to all the controls which all implementations. 00:24:49:28 - 00:24:51:16 When you gather that evidence, 00:24:51:16 - 00:24:53:20 have confidence that, system is implemented correctly. 00:24:55:05 - 00:24:56:29 talked about all those relationships earlier. 00:24:56:29 - 00:24:59:19 I think in graphs, I think there was a Microsoft, quote, 00:24:59:19 - 00:25:02:27 you attacker's thinking graphs and defender's thinking lists, and that's bad. 00:25:02:27 - 00:25:05:28 you think about what what is an SSP, it's kind of a view of the system. 00:25:05:28 - 00:25:09:06 But it's a graph of the controls and the components 00:25:09:06 - 00:25:12:24 and how they're implemented work together at the runtime inventory level. 00:25:12:25 - 00:25:16:18 You can, code threats score those relationships by threat. 00:25:16:18 - 00:25:19:16 then run queries, over those graphs, models. 00:25:19:16 - 00:25:22:16 you can find attack paths that you can inform your rules. 00:25:22:16 - 00:25:24:21 Building, here's an example of a real system, 00:25:24:21 - 00:25:29:24 So this is just a graph view of a system where, we're encoding and enriching 00:25:29:24 - 00:25:34:13 these relationships with specific identifiers and metrics 00:25:34:13 - 00:25:35:03 so that you really 00:25:35:03 - 00:25:39:21 then can start to reason over attack pathways and security capabilities, 00:25:39:26 - 00:25:43:01 both as an agency and as a three file, mentioned that, 00:25:43:02 - 00:25:46:16 you know, entity extraction, semantic search is ML is being used today 00:25:46:16 - 00:25:50:03 as different models being used, But again, if you're familiar with systems 00:25:50:03 - 00:25:53:03 like neo for J, which again, is open source and commercial, 00:25:53:08 - 00:25:56:28 neo for J comes with a lot of rich, graph ML capabilities. 00:25:56:28 - 00:26:00:02 So you construct, a lot of these models, those libraries. 00:26:00:02 - 00:26:01:21 You don't have to invent these yourselves. 00:26:01:21 - 00:26:02:29 then you can start to reason about, 00:26:02:29 - 00:26:06:01 you know, is my SSP covering everything I need to cover 00:26:06:05 - 00:26:07:25 And then what is my overall threat exposure, 00:26:07:25 - 00:26:10:10 which we're constantly learning and we're tying down 00:26:10:10 - 00:26:13:01 all these threat models to specific queries. 00:26:13:01 - 00:26:17:21 And that's informing we we run in in both environments and commercial environments. 00:26:18:02 - 00:26:21:13 We run all of our scenario planning for incident response, 00:26:21:16 - 00:26:24:24 through that that graph of you I showed So to sum up, 00:26:24:26 - 00:26:29:23 know, we look at the world, from an agency perspective as OSCAL, enabling compliance 00:26:29:23 - 00:26:33:21 as code generating artifacts that are reusable, that are verifiable, 00:26:33:21 - 00:26:37:21 they come in, that are testable, we want to enable that continuous 00:26:37:21 - 00:26:41:11 DevSecOps, continuous ATO model so that you can detect 00:26:41:11 - 00:26:45:11 drift those alerts, and then really report on precise coverage metrics. 00:26:45:13 - 00:26:49:06 And then ideally we would like to see that kind PR ATO. 00:26:49:06 - 00:26:49:15 Right. 00:26:49:15 - 00:26:52:18 So we have approval gates in code in pipelines. 00:26:52:18 - 00:26:55:15 so that we start to think of the system as developers do. 00:26:55:15 - 00:26:59:07 there's no sacred cows, there's no there's no cattle in what you're building 00:26:59:07 - 00:27:02:23 that it's all reconstructed from code and rules, 00:27:02:28 - 00:27:04:08 Oh, I'll just cover these very quickly. 00:27:04:08 - 00:27:05:27 You know, need more support for automation. 00:27:05:27 - 00:27:08:16 So, those of us in CNCF are trying to help. 00:27:08:16 - 00:27:10:26 We need more API driven, interaction. 00:27:10:26 - 00:27:11:15 And eventually 00:27:11:15 - 00:27:15:11 we'll need ML models that are, you know, well scrutinized, open, transparent. 00:27:15:13 - 00:27:20:18 artifacts, contributed catalogs, We need, you know, GRC folks, if you're on a call, 00:27:20:18 - 00:27:24:21 please, please help us put an end to Word and Excel, copy paste. 00:27:24:28 - 00:27:27:23 tools need to support OSCAL, 3PAOs, please. 00:27:27:23 - 00:27:31:27 know you have accreditation requirements, but we want to help you use OSCAL. 00:27:31:29 - 00:27:36:27 so the system is self-documenting self testing And again, CSPs need to support 00:27:36:27 - 00:27:40:09 those efforts at every stop, agency leadership they need to embrace it. 00:27:40:09 - 00:27:41:08 And I think we've talked 00:27:41:08 - 00:27:44:08 about some of the benefits to their hiring and retention if they do. 00:27:44:09 - 00:27:44:17 Yeah. 00:27:44:17 - 00:27:48:01 So there are the open repo, anyone who's interested in that, 00:27:48:08 - 00:27:49:27 we're happy to support the community. 00:27:49:27 - 00:27:51:15 reach out, schedule a call with us. 00:27:51:15 - 00:27:53:18 We're happy to spend time with agencies. 00:27:53:18 - 00:27:56:18 with that, I hopefully I've got enough time for questions, but 00:27:56:20 - 00:27:58:00 I'll go ahead and stop there.