[00:00:00:00] Thank you for letting us have the opportunity to present. We are just about at the end of our second year, kind of engaged with OSCAL. It actually came as a project that our company, Implerus, started. Little did we know it would take on a life of its own and probably be the direction of all of us for a new company, and so this is kind of exciting. When we first began this project, the first thing we were doing is, you know, our needs analysis was looking for data sources and trying to figure out what are the tools we have, what are the standards, you know, what can we use. And it was by God's grace we did stumble across... well, of course we are, you know, 800-53 and DNS SI-4, so we knew where our targets were. We didn't know of OSCAL at that time. And so it was really huge for us, and we were able to use it to build a tool set that was quite different. We're excited to have this opportunity, and in ten days we celebrate our second year of using it, learning and realizing how little we know. So, if you'll bear with us as we go through, our objective today is just to kind of share some of the things, how OSCAL has empowered our efforts, our development toward solving what we, you know, what we believe is such a huge fundamental problem, right? Which is, how do we accelerate ATOs today?
[00:01:09:00] We realize, you know, I'm going to start off with that statement, because to achieve and maintain a compliant ATO state requires a monumental level of effort, and I think OSCAL goes a long way. And we do believe it, and we believe what you guys are representing, the framework, will allow an accelerated ATO posture, particularly as we start seeing those windows of assessments reduced down for continuous ATO environments where, you know, threat postures, you do measure faster; it's going to make a big difference. So for us we're very excited. What we'll do is we'll touch on just a few areas of where we've used OSCAL and how it has helped us address some of what we think the needs are. One thing that we might be, we might be a little different than the typical. We were called in to solve a problem, which is a common user using Word documents and Excel. Couldn't believe it. How many 700 to 1000 page documents do you have that you're pulling in? And, you know, when seeing what he was trying to copy and paste and listening to problems that one of these large prime contractors of the IC mainly, we were surprised at the effort. And so we were just in between projects. We thought, well, we just left our rocket science project where we were doing sensor fusion and stuff.
[00:02:15:03] So, well, let's try some text analytics, which we had done a lot. We had done a lot of data mining and text analytics for cyber for NSA. So it wasn't that far off, but it was very different. But our approach has been more to recognize that we know the tools. In order to get OSCAL, we think the changes, because we want to see it succeed, in order to see it be, you know, a permanent and continuing capability and framework for us, for everybody, for the industry. We believe that adoption should not just be on tools that can be adopted, but it needs to start at the center, kind of where, where the critical mass of people are now. And we think that that is like on the editing environment, so that we're going to have a heavier focus on the central repository, which is the editing, being able to bring data in, the attestation work that allows us to create a solution. So with that said, drop down the first one. One of the key areas we found in OSCAL was it was a critical data source for us; it allowed us our standardization, attribution and some of the basics to allow us to build an environment. So we knew what all the components were. We knew what the builds were. We knew how to lay out, using the framework and using baselines.
[00:03:19:00] We were able to establish different... we built a form generator that can take any kind of OSCAL in and present different forms very quickly, make them very flexible, but as well as allow a collaborative editing environment and of course push it out for submission and output. Now, at the same time, what does OSCAL give us? It gives us the opportunity to have data enrichment. We have other sources pushing. We can provide sources of data, and we actually can automate the collection, and all the artifact collection that's necessary for proper submission. All we're showing here is just, you know, we use it very heavily to lay out some of the base, foundational data layers. One of the things we also found is when we are looking at ways of trying to expedite this, you know, our objective was how do we get things in quickly and to be able to be processed quickly and out? So we were trying to find importing capabilities initially as well as exporting capabilities. And we had tried many different things, including all the Office ML stuff; it was a document ML. Yeah. In this case, we'll use FedRAMP for an example. The form itself was going to be hard pressed to have people not modify the form or use their own form and then submit it. So we didn't have any confidence that we were going to be able to use a data binding to move data.
[00:04:33:28] So we had to build a pretty elaborate import tool based on some very specific parsing, and OSCAL provided all the framework for us to actually identify the should-be as it could be, what's necessary, what we were looking for. And it allowed us to enhance some of the natural language processing tools we have used in the past, and gave us kind of a baseline from which we could take something. These are labeled here on this slide. On the left hand side, all we're showing here is an original SSP. You know, we can import right now from Word, PDF; of course we can pull from CSVs or some other, you know, some structured data set. It was the unstructured that were a little more tedious. So on the left hand side of this document, you'll see that's actually a Word document. So obviously then what you see here is an example of the form we have, where the form is native to the application. So we can import from existing or we can create. But the form tries to give you a familiar feel, in this case with FedRAMP. On the right hand side we have our output. So literally this import-to-output process is just a few minutes. We can take a brand new SSP and import it. We're running typically about 98.5 to 98.7 kind of average accuracy.
[00:05:42:16] It is very quick to give you something that looks very similar. We couldn't have done that layout. It would have been almost impossible for us without leveraging OSCAL. What we're trying to show here is just we're able to walk through and present the same templates, and then you'll see a corresponding output that we have here. These outputs, again, those are what are generated from the second image to the fourth image. So the two bottom lower images, that's a hardcopy output. Of course it would be quite, quite different, the XML submission. Same kind of thing here. What we really realize is that the power is in the validating and getting, on the, you know, the real time responses from, hey, you hit this response point, it created one, but now we have another requirement, and we can have some insight. Users can actually know what's going on. So our validation of course works for the entire pre-submitted package and for the SSP. Or it can also facilitate just the, at the very end, where we want to do final submission with all the components: SAR, SAP, SSP, O&M and RA, for FedRAMP, all the documents. So I mean, really what we're trying to say is that with the pre-validation and the transmission, that is what we all want; we want to accelerate the process from which an ATO can be authorized or can maintain its authorization.
[00:06:55:11] We don't think this is something that, oh, it wasn't even remotely close anywhere. And it would have been a very large effort without OSCAL for us and for the, you know, for the program officers or for the agencies. It's really going to change the game. And then kind of the last area: the entire application was designed as a complete RESTful API design. Many of the XML services we have were OSCAL services, but we intend to furnish all of these out as services for service providers, for extending the entire submission set to other providers. So if they're middleware providers making tools for connectivity to you, to either query, whether it's in an XQuery, XPath, or they want to do an XML over HTTP, we can take and receive data right now inside of a RESTful API service. We're very close to publishing this; we're waiting until the final on Rev5 FedRAMP. And I think you guys, NIST and FedRAMP, are collaborating on that. We have done quite a bit of work up to the point where we had to stop in December, and I'm waiting for the next stages of completion. That's kind of where we are on the RESTful services. We recognize that without having the ability to extend the enterprise to either receive or to serve data, most of the solutions will end up being a single silo.
[00:08:05:27] And our objective was to be very extensible and to present a solution. And we couldn't have done it without OSCAL. And that's really it.