Eugene: Hi, everyone. Well, evening to you guys. I'm Eugene, and I'm joined by Hunter. Hunter, do you just want to say hi?
Hunter: Hi. Good day, everybody. Thanks for having us.
Eugene: We are also joined by Beng Huay in the chat, from GovTech. She's the director of the governance group in GovTech.
Beng Huay: Hi, everyone. Nice to be here. I think we hope to learn from all of you as well.
Eugene: Just to briefly introduce ourselves, maybe Hunter can introduce himself here.
Hunter: So, as Doctor Michaela kindly introduced, my name is Hunter. I'm a distinguished engineer at GovTech. Much of my focus is around engineering practice, in how we drive practice. We look at various different parts of the adoption of cloud. I also find myself doing a lot of rather interesting work now in the space we're talking about today.
Eugene: And I'm Eugene. I'm a lead security engineer, where I run the security engineering program at a team within GovTech, Open Government Products. I also come from an offensive security background, so I like to do that in my spare time. To briefly introduce our organization: GovTech, the Government Technology Agency of Singapore, is part of the Singapore government, and we work on deep technology products, all kinds of technology domains in Singapore.
And the team I'm part of, OGP, is an experimental development team that builds technology for the public good. So it's good to meet all of you today. I'll be starting off the first half of this presentation by giving you some context about Singapore government tech standards: where we came from, where we started, as well as the challenges that drove us into relooking at the way that we do tech standards, why OSCAL was a good fit for us at the time, and then moving on into how we operationalize this within the Singapore government. So our set of standards is called the Instruction Manual for Infocomm Technology and Smart Systems, which is a lot of words. The ICT&SS began as a set of internal policies, meaning that these are policies internal to the Singapore government, and the standards and guidelines actually evolved organically and rapidly. Within the government, the colloquial term for this is IM8, or Instruction Manual 8. As you can see in the domains covered by IM8, this spans the range from your typical governance, on-premise systems, cloud, data and incident management. You can see it is quite organic in the way that these domains emerged, because they cover system types but also other domains in cybersecurity like governance and data. And as technology evolved,
it also grew very rapidly. So even within just one domain, for example the cloud domain, you would see even more subdomains. First you would have IaaS, infrastructure as a service, and platform as a service, linked to the emergence of cloud hyperscalers; then software as a service; and the more general infrastructure, application development and resilience subdomains. And this is just for the cloud domain. You would typically see multiple subdomains for all the other domains: governance, on-premise, data, incident management. So it began to grow quite unruly, even though it was still growing quite organically. The key thing to communicate here is that IM8 began as an internal set of policies, right? Something that you would typically implement in a small organization. It grew to cover more and more over time, especially since we began to engage vendors to build our systems. A typical situation you would experience would be something like this: we would tell a vendor that they need to build an IM8-compliant system for an agency, and the vendor says, "What does IM8 actually include? What are the controls?" And the response would be, "Sorry, that's classified." That's just one of the many situations that arose from how IM8 developed within the Singapore government.
I think the main issue, one of the challenges that we faced, was that IM8 was a singular, monolithic document, right? The very typical PDF file that goes to hundreds of pages. And we faced several challenges. The first is structural problems of duplication and disorganization. As mentioned, there are many domains and subdomains, but inevitably the controls these domains and subdomains require appear similar. So you would see a control under the cloud application development domain that says, set up static application security testing to scan source code. Then the on-premise domain would mention something similar: perform DevSecOps, and that includes static application security testing. Then another domain, third-party management, would say third parties should have a CI/CD pipeline, and a CI/CD pipeline should have SAST. So we again begin to see some of the very classic, traditional problems that we had in the previous format. Another key problem was a lack of differentiation between system types and impact levels, and this led to a lot of awkward control phrasing that you would typically see within a single control.
So in this case, for example, this control says: for systems classified Confidential and above, do X; for systems outside of this, do Y. And by the way, there is one particular exception: if you use this tool, then you can do Z, right? You would also see controls with a lot of sub-controls or sub-points. It would not be out of place to see, for example, one control with at least 13 different bullet points underneath, each of which could be considered a control in itself. This began to affect the readability and usability of our tech standards internally. And again, as mentioned, this was not very transparent or visible to the vendors we were engaging that needed to build systems that were IM8-compliant. Within the government, what emerged were workarounds, right? Because we were still stuck within the structure of a monolithic single document with hundreds of pages, you began to see a lot of workarounds, such as superscripts. So in this case, there would be this control, there would be this asterisk that says, hey, this doesn't apply to X. And then there would be a prefix that says, this is just a guideline, it's not mandatory; maybe it's mandatory for some systems later down the road. At this point in time, you say that, hey, this applies to your systems, but not all of them.
So please check the footnotes for this double asterisk. And, oh, by the way, this additional superscript means that you need to comply with this by 2020, and if you have a CX, there is no fixed date; please check another appendix for which date applies to you. So this began to really affect the usability of these standards, and I think it became a challenge to ask anyone if they had actually read the entire IM8 or understood it in its entirety. This made compliance very difficult, and of course that affected our actual implementations on the ground, which then affected the security posture of our government systems. So in some ways, when Hunter first suggested it, the OSCAL schema did seem like it would resolve many of these challenges. Simple things like duplication and overlapping of controls: having a common catalog with atomic sets of controls would then be the source of truth, and you could mix and match. Some of these issues, such as risk tiering, we are able to address by applying risk levels using profiles. We can then designate, and have the semantic meaning that says, this is a must-have or a should-have or a good-to-have, depending on your risk level. I'll talk a bit more about how we use risk levels instead of impact levels, and what that actually means in our operations.
And the third is system types, which is where parameters come in, because these provide a lot of additional customization. A lot of the initial IM8 domains and subdomains, what we call IM8 classic, arose from the fact that, hey, this control was specifically written for a certain type of system; we may not require the same number of days to resolve a vulnerability for an X system versus a Y system, and so we needed to write a whole new domain to cover Y systems. Parameters in the OSCAL schema really help to resolve most of this and allow us to keep the same common catalog of controls, but differentiated based on system type or risk level. So one of the key things is that we had a different approach. We needed to make a few customizations to fit our context within the Singapore government and the practice that a lot of our agencies were used to, and I'll go through some of them. One change came from a structural issue, or an intuitive understanding, that a must-have for a low-risk system may not be a must-have for a medium-risk system. This departs from, say, SP 800-53, which has impact levels that the profiles inherit from. This turns into a risk materiality level exercise, where we say, hey, you are a low-risk system,
in implementation, this control becomes a good-to-have for you, but if you're a high-risk system, then this control becomes a must-have for you. This emerged from our discussions with our various stakeholders, especially our senior management, on what risk level they're comfortable with, especially because IM8 was an internal set of controls and policy, so it was pretty much mandatory except for maybe the guidelines. Breaking this up into risk levels helped to soften that a little. So that was a new introduction to this compliance regime within the government, where we now have should-haves, and the question becomes: what is a must-have, what is a should-have, and should we then tier it by the risk level of a system? So this is very important for us, and it led to a maybe unconventional outcome that I would like to discuss here. The key problem is that, as mentioned, because the risk materiality level of a system is linked to the level of enforcement of the controls that we have, we couldn't just use a single profile set. We can't just have three impact levels and tell people, hey, if you are low impact level, just do the low impact stuff. We have an additional layer on top of that where we say, okay, some things are now a must-have for you, some things are a should-have for you, and the rest of it
is a good-to-have, so you can try that. In operation, this means that our agencies will have a committee that makes some of these risk trade-offs and approvals, and this needs to be part of our implementation of OSCAL. So what this meant in practice was that we had a bit more verbosity at the profile level, and this may seem unusual, or it may be something that some of our participants have implemented in the past. This meant that we had profiles that would be keyed at the risk level as well as the system type. So, for example, for low-risk cloud we would have three profiles: level zero, level one, level two. Similarly for medium-risk cloud, level zero, one and two. And as it happens, we start to see more sets of profiles for different system types, such as SaaS, with more system types gradually being introduced within the new IM8. So in some ways, in order to capture this operational complexity and the operational requirements for risk acceptance, this translated into a lot of profiles for our systems, and it's still something that we are dealing with and discussing. So one of the key experiences we had in moving from a one-size-fits-all, monolithic document to a more risk-based and right-sized approach with OSCAL was that it required bridging and change management. Right.
And this is some of the feedback we got. So we were moving towards a self-defined SSP, where we give them a set of controls and we tell them to discuss how they are planning to implement the controls. And you'd see comments like, "Just tell me what to do, right? I'm used to you telling me what to do with a single document." "I got uncomfortable, just too much freedom." "I'm not equipped to make risk assessments." So we had to work with multiple partners within the government, including the governance group, and one of the first things that we did was we added a risk statement property. So we added a prop, the risk statement, which pretty much does partially what the guidance statement does in the typical OSCAL schema, but we decided to make it explicit that this was a risk statement. This risk statement could then be used by the various committees within the agencies to decide, hey, for this should-have, should I still implement it, or is it safe for me to not implement it? And they can use various risk assessment as well as threat modeling frameworks to guide this decision. But the key thing is that the risk statement property is visible and published to all end users, so they can use this as a way to guide risk decisions.
Of course, we worked on operations as well. We ran risk assessment workshops. This was really a transformation not just in the content of IM8 or the structure of IM8, but in the operationalization of IM8. I think that's one of the key points I want to make here: the operations really affected the way that we structured our content, and vice versa. It's still something that's evolving today as agencies get more used to handling risk assessments as well as constructing their own SSPs. One way that we perhaps did it a little differently was that we didn't just use profiles; we distributed something called template SSPs. These came with default parameter values set at both the profile and the SSP level. So this would be the major point of reference that all of our agency users will be using; this will be our main distribution. We give them this template SSP that's already been pre-configured with some generic system components and implementations, as well as the default parameter values, and then we ask them to use this template SSP, customize it, and that will become their actual SSP that reflects their system. In some ways, I think this was a result of the considerations I've talked about in the earlier slides.
But what we've seen is that this then comes into conflict with some of the tooling we have, which Hunter will talk a bit more about soon. In particular, the one that we're using right now is Trestle, which we used to set up our initial repository. So, as I mentioned, we used Trestle as our initial setup for the JSON-based repository with our catalog, profiles, as well as our system security plans. What we needed to do next was to make it easy for our agencies to author and submit their SSPs. I think one challenge we had was that we really could not expect our agency users to give us a JSON file, or even an XML file or a YAML file. As a result, it became necessary for us to build what we call the IM8 portal. This is just an editing and submission portal, a UI on top of OSCAL, to facilitate central approvals and give us visibility of the state of SSPs being submitted in the government. So just to take you through an example in this screenshot: you first enter your system information, and now they're at the second step, which is the controls configuration. You will see level zero, level one and level two controls. In this case, this is a level one control, meaning that it's a should-have. There are various options for your course of action: you can comply, you can deviate, you can mark it as not applicable,
or you can even mark it as different handling. Right now we are at a stage where we haven't adopted fully, at the agency level, all aspects of the SSP, but we do have a box where they can talk about how they implemented it. So this is the implemented-requirement section of an SSP, and that would then be reflected over time. What we hope to do is to gradually introduce more portions of the SSP schema and make them visible to agencies: moving from generic system components to having agencies record the exact system components that are implementing these controls, and so on, and eventually giving us full usage of the SSP structure. So that's where we're at right now in terms of our rollout. We really just started this journey about a year ago, and that involved getting agencies from a single document, hundreds of pages long, a one-size-fits-all kind of situation with a lot of superscripts and asterisks and caveats just to fit whatever system they might have. Another thing I want to point out was that this was really a blocklist scenario, right? Where everything was mandatory except the guideline statements, and if you wanted to deviate, you had to get a waiver for specific controls. By moving to OSCAL, we really transformed the way that we did risk-based controls.
And it became more of an allow-list system, where you have multiple options, courses of action, for every single control in the SSP. This is saved as a separate property of how you're implementing it, and it also gives agencies a lot more flexibility and control over the level of implementation they want for all of our template SSPs. So what you see in the way that we constructed this, from profiles to the template SSP construct, I think is a reflection of the on-the-ground realities and challenges we had in moving so drastically, in some ways, from a fully compliant model to more "comply-at-speed" models, in some senses, and in this case giving agencies the flexibility to say to what extent they are implementing a control. So I think now Hunter will move on and share a bit more about how we are implementing some of this on the technical side.
Hunter: Sorry, give me a moment, getting these things up. So, a bit of a tough act to follow there with Eugene, but I think there are a lot of really interesting things that we learned along the way in this journey. I mean, I think part of what we were really starting to look at was to build a better rulebook.
That's really only the starting point, and I think, as was sort of hinted at, there are a number of challenges that we faced along the way. I mean, I think, as we're probably all quite familiar with, traditional policy development, Word documents, spreadsheets, PDFs, you know, these things were a challenge to really do at scale. We were getting to that point where it was quite unwieldy. The authoring was done somewhat privately and then shared in various different feedback forums. It was internal only. We'd always have to lock a vendor in a room and show them a document that they could try and memorize and take back to be able to implement. It really didn't make for a conducive approach to how we build policy. And of course, finally, the slow releases. There's this tension between being able to deliver quickly, as well as being able to take time for teams to adopt and understand changes of a particular scope. So, you know, these are the sorts of things that we started to really think about: how can we address some of these challenges? Our journey began roughly two years ago. We actually started our first approach to this by taking a smaller part, rethinking it, taking a lighter approach to the controls
we were writing, making it more approachable to modern development practices, things like Markdown, Git, and even looking at technologies like Backstage to be able to provide a means of automated assessment. But it was only really in the last 18 months that we started to look at OSCAL more seriously, and to look at how we do standardization, automation and the approach to doing policy development. And finally, last year, we actually launched. We wanted to take a fairly conservative approach to it while we were learning as we went; we wanted to make sure that we started small. And so what we were tasked with from our leadership was really starting with our low-risk systems first, testing it out, building in the approach that we can have beta releases, we can get feedback, we can shift left, if you want to use the somewhat overused term, to be able to get feedback and improve and iterate as we go through. So this was an important part that we built on, we learned on, and we're still learning on, I would have to say. I think that's a key part: there's a lot to learn as we're going through this journey. But we did launch last year, and we're seeing successful adoption.
We're seeing meaningful improvements in teams being able to understand the policy and implement it, thankfully a subset of the types of controls that we used to have, but it's an improvement to be able to see how we can both deliver better as well as balance risk as we're going forward now. That was then opened to the industry. So now the policy is not only available, it doesn't have to be locked away, and it is open source now on GitHub, so that the community and the industry can start to get an understanding of where we're going and potentially build out that ecosystem on top. So we really wanted to take a very different mindset than how we would typically think about policy development. Obviously, coming to it with an approach as an engineer was an important part, but I think as we started to adopt OSCAL, we also needed to be mindful that we improved our practices as we started to modernize the approach and the machine-readable formats that we took. So transparency was obviously a key part of it, developing in the open. It started initially as inner source, and once we got better confidence, we opened it up to wider parts of the government; then, once we released our first cut, we took it out to the industry. Interoperability is important. Obviously, that's a fundamental piece of adopting OSCAL.
00:20:33:03 - 00:20:36:09 That meant that we could really start to see how we could 00:20:36:09 - 00:20:40:04 then bring in other agencies to contribute back again, to build out 00:20:40:04 - 00:20:44:12 something that, you know, we can validate, we can test independently, 00:20:44:14 - 00:20:48:12 but also build out that community that goes along with it, engaging internally, 00:20:49:07 - 00:20:52:08 giving feedback, both from the teams who were starting to adopt it, 00:20:52:16 - 00:20:56:05 the vendors who may be working on it, as well as opening it 00:20:56:05 - 00:20:59:10 up to the wider Singapore industry, globally. 00:20:59:14 - 00:21:02:10 And as part of that, I think the other shift is really thinking 00:21:02:10 - 00:21:03:21 about policy as product. 00:21:03:21 - 00:21:07:19 It was never really about just improving language. 00:21:07:19 - 00:21:12:03 It was never really about improving how we delivered a document. 00:21:12:06 - 00:21:15:19 It was about really fundamentally rethinking how we deliver this. 00:21:15:19 - 00:21:16:21 And this comes down to, 00:21:16:21 - 00:21:20:15 as Eugene had shown, part of our remit at GovTech is that we provide 00:21:20:15 - 00:21:23:24 that central IT function for the whole of government in Singapore. 00:21:24:02 - 00:21:25:18 That's up to about 100 agencies. 00:21:25:18 - 00:21:31:18 And we provide a lot of common platforms, the teams that run and provision, 00:21:31:21 - 00:21:32:23 or, you know, hand out 00:21:32:23 - 00:21:36:22 accounts to cloud service providers; we provide CI/CD platforms. 00:21:36:22 - 00:21:39:10 And this was treated in the same way. 00:21:39:10 - 00:21:43:15 We wanted it to be user-centric, to understand the needs of the agencies, 00:21:43:15 - 00:21:46:15 the needs of development teams implementing, as well 00:21:46:15 - 00:21:50:15 as CISOs, the auditors, all of the other parts to be able to come together.
00:21:50:18 - 00:21:55:09 And this is really an ongoing journey as we start to talk about and go into, 00:21:55:11 - 00:21:58:12 part of that is being data driven and, you know, one of the key parts 00:21:58:12 - 00:22:02:18 and the really great way that we found of selling the idea of a system 00:22:02:18 - 00:22:06:22 security plan was that we're starting to collect this sort of data centrally. 00:22:06:24 - 00:22:11:10 While in the past we've always had GRC tools, it was always very static. 00:22:11:10 - 00:22:15:16 People only went there when they needed to submit something about the compliance 00:22:15:16 - 00:22:18:12 of the system. And it didn't always stay up to date. 00:22:18:12 - 00:22:22:24 What we wanted to do was to build in some ability to keep these things 00:22:22:24 - 00:22:25:18 maintained and updated so we get better visibility, 00:22:25:18 - 00:22:27:13 we get better understanding of the systems, 00:22:27:13 - 00:22:29:24 and we can make better data-driven decisions 00:22:29:24 - 00:22:32:24 about where we're planning to go, as well as collaboration. 00:22:33:03 - 00:22:35:17 You know, at the end of the day, the inputs and the improvements. 00:22:35:17 - 00:22:39:01 When we sat down and ran beta tests, we worked through 00:22:39:01 - 00:22:42:10 with the different teams to understand the challenges for implementation. 00:22:42:10 - 00:22:43:21 Is it policy wording? 00:22:43:21 - 00:22:45:06 Is it the tooling? 00:22:45:06 - 00:22:47:11 Is it the portals that we're building? 00:22:47:11 - 00:22:49:01 How can we use these to make it 00:22:49:01 - 00:22:51:17 better for everyone with that means of collaboration? 00:22:51:17 - 00:22:56:23 So that was a very key part as we sort of built this thing up, a significant change, 00:22:56:23 - 00:23:01:05 because the traditional approach of governance is somewhat top down. 00:23:01:08 - 00:23:02:09 It's somewhat restrictive.
00:23:02:09 - 00:23:04:21 And we wanted to really start to rethink how we do that. 00:23:04:21 - 00:23:09:01 And we had to do that through our leadership, to our permanent secretaries. 00:23:09:03 - 00:23:12:04 Chief executives insisted on this, that we started 00:23:12:04 - 00:23:15:14 to make it much more open and much more collaborative, 00:23:15:15 - 00:23:18:23 to change the previous culture, which wasn't as effective. 00:23:19:11 - 00:23:22:22 And part of that is really applying the practices, you know, with OSCAL. 00:23:22:23 - 00:23:26:16 I think it's somewhat, you know, implied that we're using technologies 00:23:26:16 - 00:23:27:02 like Git. 00:23:27:02 - 00:23:28:15 We're thinking about DevOps. 00:23:28:15 - 00:23:31:16 It's obviously not a very traditional part of how, 00:23:31:24 - 00:23:34:16 you know, policy development and governance is traditionally done. 00:23:34:16 - 00:23:38:10 Part of that is being able to do issue train milestone tracking, you know, Git 00:23:38:10 - 00:23:41:12 history, versus these kind of back and forth of Word documents 00:23:41:12 - 00:23:45:14 that get handed out to various different teams over many, many months. 00:23:45:14 - 00:23:49:03 Being able to have branches and code owners, 00:23:49:03 - 00:23:52:06 all of these things that we somewhat take for granted, you know, is opened up. 00:23:52:06 - 00:23:56:07 Explaining these things as well, to teams who are not familiar, was a challenge. 00:23:56:07 - 00:23:58:08 But it was important to bring these things. 00:23:58:08 - 00:24:01:15 A lot of them is implementation detail, at least to the teams implementing. 00:24:01:15 - 00:24:05:04 But for those teams who were curious, those teams who wanted to contribute, 00:24:05:07 - 00:24:07:16 we wanted to be able to make it much more open, 00:24:07:16 - 00:24:08:21 as we said, and transparent.
00:24:08:21 - 00:24:12:22 And finally, the releases, you know, tags, automatic change logs, 00:24:12:22 - 00:24:17:00 all of these things that may have somewhat got lost in a traditional approach 00:24:17:03 - 00:24:21:16 of a Word document, then change tracking and spreadsheets in the same way. 00:24:21:16 - 00:24:24:01 These things are obviously structured. 00:24:24:01 - 00:24:25:24 We have a repeatable process. 00:24:25:24 - 00:24:29:21 We're able to iterate more quickly and include a lot of these things 00:24:29:21 - 00:24:32:21 in the development or the DevOps process. 00:24:33:02 - 00:24:35:12 Eugene had mentioned our use of compliance-trestle. 00:24:35:12 - 00:24:38:12 So, it's a great tool we adopted very early on. 00:24:38:12 - 00:24:41:01 It helped us move very, very quickly. 00:24:41:01 - 00:24:43:12 I think, as we sort of talked about, we've followed 00:24:43:12 - 00:24:46:08 releases as we've gone through; we've also made some changes, 00:24:46:08 - 00:24:49:08 at least to the structure of the OSCAL that didn't directly fit. 00:24:49:08 - 00:24:52:10 But we still have kept up in that approach. 00:24:52:10 - 00:24:55:22 And we're looking at areas that we build off the back of that as well. 00:24:55:24 - 00:24:58:10 We've built a lot of things around Markdown documents 00:24:58:10 - 00:25:00:21 to be able to make this visible in other areas. 00:25:00:21 - 00:25:05:01 But we're using them not as a means of authoring, for example, 00:25:05:01 - 00:25:07:00 but as a means of distribution. 00:25:07:00 - 00:25:08:21 So, this was a really critical part. 00:25:08:21 - 00:25:11:00 And I understand some of the team might be here. 00:25:11:00 - 00:25:13:00 And so thank you very much for the great work on that. 00:25:13:00 - 00:25:16:19 It's been a really, really critical part and we're really thankful 00:25:16:19 - 00:25:19:22 that there is this wider community that we're able to work with.
00:25:20:02 - 00:25:23:13 The other part is, we are building out static content. 00:25:23:13 - 00:25:26:13 We're generating Markdown and building them into a modern content 00:25:26:13 - 00:25:27:10 management system. 00:25:27:10 - 00:25:31:08 We're taking a lot of these controls and putting them in a user-friendly view. 00:25:31:08 - 00:25:34:24 Obviously we don't want to distribute OSCAL and JSON files directly. 00:25:34:24 - 00:25:38:16 Most of the teams who are looking at these things will probably freak out 00:25:38:16 - 00:25:41:08 and not want to touch it, if that was the way we were doing it. 00:25:41:08 - 00:25:44:01 So it needed to be user friendly. It needed to be available. 00:25:44:01 - 00:25:46:18 Being able to search, being able to do deep linking, 00:25:46:18 - 00:25:50:12 all of these things, as well as being able to continuously deploy in there, 00:25:50:14 - 00:25:55:14 meant that we could have a site that evolved fairly quickly for doing previews. 00:25:55:14 - 00:25:58:16 We can test things out quickly, and then once we do a release snapshot 00:25:58:16 - 00:26:01:02 that can then be published in different areas, 00:26:01:02 - 00:26:05:03 including to GitHub, being able to put it on to other 00:26:05:03 - 00:26:09:00 content management systems or the inclusion in our IM8 portal 00:26:09:06 - 00:26:12:12 for being able to publish that space and all of the other parts too. 00:26:12:17 - 00:26:14:17 The other thing which we found quite interesting, 00:26:14:17 - 00:26:18:11 and it was coming at the time when there was this trend, you know, 00:26:18:14 - 00:26:21:15 still going on, of LLMs, AI tools. 00:26:21:15 - 00:26:25:12 We did build out an AI bot that would help us generate 00:26:25:12 - 00:26:29:01 the JSON as well as fill in things like risk statements. 00:26:29:01 - 00:26:33:14 It was using RAG, so that we could take our existing IM8 controls.
00:26:33:14 - 00:26:36:06 We could then start to, put in the style guides 00:26:36:06 - 00:26:39:21 that we developed, the principles behind it be able to build out 00:26:39:21 - 00:26:43:06 something that at least would help accelerate a good starting point. 00:26:43:06 - 00:26:47:03 It's obviously not going to be, tersely valid necessarily. 00:26:47:03 - 00:26:51:01 While it most of the time it was valid, it's also not necessarily always 00:26:51:01 - 00:26:54:23 perfect language, but it was a good piece that when we have teams who are starting 00:26:54:23 - 00:26:59:05 to familiarize themselves with building out, or understanding 00:26:59:09 - 00:27:03:15 OSCAL understanding the new language that we're using for writing controls, 00:27:03:17 - 00:27:07:06 this became a really key part, and it really helped teams move it along 00:27:07:06 - 00:27:11:15 without having to necessarily dive into source code or, configuration in code. 00:27:11:15 - 00:27:13:05 As we started to build it out. 00:27:13:05 - 00:27:16:22 And so, you know, as mentioned, we really did take these releases 00:27:16:22 - 00:27:19:23 and we published them to various different sources. 00:27:19:23 - 00:27:23:18 Both the beta sites, review branches, review 00:27:23:18 - 00:27:26:23 environments, the submission portal, you know, publishing information 00:27:26:23 - 00:27:27:21 as well as open source. 00:27:27:21 - 00:27:31:12 So this was a really important part as we started to be able to distribute, 00:27:31:12 - 00:27:35:15 it was an important part of why we adopted this DevOps approach to, to doing it. 00:27:35:18 - 00:27:37:24 And it meant that we could iterate more quickly. 00:27:37:24 - 00:27:41:15 you know, a few areas of lessons learned that we've come through this journey. 
00:27:41:15 - 00:27:45:11 We're definitely nowhere close to the end, and very open to the 00:27:45:14 - 00:27:49:12 wisdom of teams who are probably a little bit further along in the journey, 00:27:49:12 - 00:27:50:17 or have different perspectives. 00:27:50:17 - 00:27:51:16 But for us, I think, 00:27:51:16 - 00:27:54:14 you know, obviously governance teams are not familiar with Git or JSON. 00:27:54:14 - 00:27:57:14 But the great thing that we found was that they were willing to learn, and 00:27:57:17 - 00:27:59:13 the training and the help, the tools, were needed. 00:27:59:13 - 00:28:01:16 As you saw, we're building out our tools. 00:28:01:16 - 00:28:03:15 We spent a long time doing workshops. 00:28:03:15 - 00:28:05:08 It was really quite positive. 00:28:05:08 - 00:28:07:07 And it was great to see that 00:28:07:07 - 00:28:10:12 there was such interest in doing it, not just internally in GovTech. 00:28:10:15 - 00:28:13:17 We can, you know, get the teams on board in GovTech. 00:28:13:23 - 00:28:17:15 We're seeing agencies come back and also start to be interested 00:28:17:15 - 00:28:18:18 in doing these things too. 00:28:18:18 - 00:28:22:22 The approach and the change to how we built policy was important. 00:28:23:00 - 00:28:25:15 Our leadership wanted to change that approach of 00:28:25:15 - 00:28:28:23 taking a checklist and people turning off their brains and just 00:28:29:04 - 00:28:32:01 trying to tick all the boxes; they wanted us to come up 00:28:32:01 - 00:28:35:01 with something that gave us a better outcome. 00:28:35:06 - 00:28:38:23 That was also scary because it meant the teams had to take on a 00:28:38:23 - 00:28:42:14 responsibility and potentially the risk, which they didn't necessarily want to do. 00:28:42:15 - 00:28:46:05 LLMs themselves could help accelerate, but obviously need oversight. 00:28:46:08 - 00:28:48:17 Definitely not perfect by any means.
00:28:48:17 - 00:28:53:06 Now, this is really where, we're starting to think about where we're going to next. 00:28:53:06 - 00:28:56:01 We're improving the rulebook, but it was really only the start. 00:28:56:01 - 00:28:58:03 think everyone's probably seen this meme. 00:28:58:03 - 00:29:02:06 we're obviously trying to improve how we, start to do assessment. 00:29:02:09 - 00:29:05:00 The audit and compliance process, in government, 00:29:05:00 - 00:29:07:11 at least currently, it's still pretty much manual. 00:29:07:11 - 00:29:10:01 Lots of spreadsheets, lots of posing the world. 00:29:10:01 - 00:29:11:23 Well, development teams kind of dig, 00:29:11:23 - 00:29:14:02 everything out of the back and start to hand them across 00:29:14:02 - 00:29:17:03 to both third party auditors as well as our internal auditors as well. 00:29:17:08 - 00:29:18:20 It's obviously not optimal. 00:29:18:20 - 00:29:22:18 When we first started, permanent secretary had this, know, stood up in front of, 00:29:22:18 - 00:29:25:15 our, GovTech conference and basically said, 00:29:25:15 - 00:29:28:13 I want you to start to think about how we can get rid of auditors. 00:29:28:13 - 00:29:28:23 The reality 00:29:28:23 - 00:29:30:12 was that he didn't mean to actually 00:29:30:12 - 00:29:32:22 get rid of auditors in that sense, but he wanted to shift out 00:29:32:22 - 00:29:33:24 how we actually approached it, 00:29:33:24 - 00:29:36:13 rather than them going and spending significant time 00:29:36:13 - 00:29:38:14 repeating the same things for every different team. 00:29:38:14 - 00:29:40:04 How can we change the scope of audit? 00:29:40:04 - 00:29:43:05 How can we start to think about, is it the we're doing thematic audits 00:29:43:05 - 00:29:46:05 potentially, common stuff can be automated away. 
00:29:46:06 - 00:29:50:13 Is the audit being done on the correctness of the code that's doing checks? 00:29:50:13 - 00:29:54:05 Those are the sorts of things that he wanted us to start to think about 00:29:54:05 - 00:29:57:16 and to push the organization to be able to transform that for 00:29:57:20 - 00:29:59:04 the entirety of government. 00:29:59:04 - 00:30:00:09 That was an important part. 00:30:00:09 - 00:30:01:20 And so we obviously wanted 00:30:01:20 - 00:30:05:19 to go to something that was a little bit more towards continuous deployment. 00:30:05:19 - 00:30:08:19 And you know, we obviously want that nice smooth road, running 00:30:08:19 - 00:30:09:16 all the time. 00:30:09:16 - 00:30:10:04 And really 00:30:10:04 - 00:30:14:01 the outcome that he was wanting, it wasn't just about being compliant. 00:30:14:01 - 00:30:15:10 That's a good baseline. 00:30:15:10 - 00:30:19:16 We wanted ultimately to be secure, to have teams 00:30:19:16 - 00:30:24:01 that are taking on that focus rather than just ticking the boxes, 00:30:24:01 - 00:30:27:06 because it's not the outcomes that we necessarily want. 00:30:27:12 - 00:30:30:16 And so, where I wanted to go now was really where we're starting 00:30:30:16 - 00:30:32:22 to think about a little bit further on. 00:30:32:22 - 00:30:35:22 As Eugene mentioned, we've only really got halfway through 00:30:36:00 - 00:30:39:18 the implementation layer, system security plans and the selection of controls 00:30:39:18 - 00:30:41:23 that apply to a system; that doesn't even extend 00:30:41:23 - 00:30:45:04 to the use of components in any meaningful way. 00:30:45:04 - 00:30:48:07 But we are really starting to think now and design the approach 00:30:48:07 - 00:30:51:02 as we're going forward, particularly to the assessment layers.
00:30:51:02 - 00:30:53:09 And really starting to think about how this becomes 00:30:53:09 - 00:30:56:09 something scalable that we can build into an ecosystem 00:30:56:09 - 00:30:59:11 for both inside of government as well as the industry itself. 00:30:59:13 - 00:31:01:20 Well, we can establish assessment plans, 00:31:01:20 - 00:31:04:20 we can, you know, establish results and then the reports. 00:31:05:01 - 00:31:08:11 The piece in the middle is a really critical part that we're thinking about. 00:31:08:14 - 00:31:12:13 What does it look like for a means that we can have both common tooling 00:31:12:13 - 00:31:16:04 for being able to do automated assessment, and manual assessment, 00:31:16:04 - 00:31:18:18 because the reality is not everything's going to be automatable. 00:31:18:18 - 00:31:20:00 What does that framework look like? 00:31:20:00 - 00:31:20:16 What does, you know, 00:31:20:16 - 00:31:24:11 a potential SDK look like that we can have for fetches and checkers, 00:31:24:11 - 00:31:28:06 as well as that evidence log or the archival storage that we think about? 00:31:28:08 - 00:31:30:24 There's auditory and there's a number of things out there 00:31:30:24 - 00:31:33:07 which certainly are in the right direction. 00:31:33:07 - 00:31:38:01 What does that look like if we're making it easier for agencies in government? 00:31:38:04 - 00:31:41:19 They may not necessarily want to be experts in this thing. 00:31:41:19 - 00:31:46:03 How do we make it as simple as possible to both fetch evidence, 00:31:46:05 - 00:31:47:00 fetch the artifacts 00:31:47:00 - 00:31:50:19 that are potentially needed, as well as doing checks on that as well, to empower 00:31:50:19 - 00:31:54:13 those things that we may not be able to build out without common platforms? 00:31:54:15 - 00:31:59:05 We started quite early on to be able to build out tools that report compliance 00:31:59:08 - 00:32:00:15 on our cloud environments.
00:32:00:15 - 00:32:04:11 We have a great tool called Cloud Scape that will do somewhat CSPM 00:32:04:16 - 00:32:06:24 functionality, reporting on the compliance. 00:32:06:24 - 00:32:11:04 We also have one called Code scape in the family that checks out our CI/CD 00:32:11:04 - 00:32:15:08 pipelines to make sure that we're protecting branches and reporting 00:32:15:08 - 00:32:19:14 on the compliance status of our software delivery pipelines and process. 00:32:19:17 - 00:32:23:10 But that's only going to be a part that is not necessarily scalable 00:32:23:10 - 00:32:24:17 to an entire system. 00:32:24:17 - 00:32:26:11 There's always going to be custom code. 00:32:26:11 - 00:32:30:13 There are things that overlap in a shared responsibility model as well 00:32:30:13 - 00:32:34:12 as the parts that we may need to do manually that we still need to be able 00:32:34:12 - 00:32:38:13 to capture and potentially do other work on or independent checks, 00:32:38:13 - 00:32:41:13 particularly with LLMs as we start to see. 00:32:41:13 - 00:32:44:01 One of the sorts of things that have been done was prior art. 00:32:44:01 - 00:32:47:13 What are people thinking about in the industry, as well as, you know, how much 00:32:47:13 - 00:32:50:24 and what's being taken up by the burden of GRC tools 00:32:50:24 - 00:32:52:10 or the open source tools that are out there, 00:32:52:10 - 00:32:55:23 versus what we can build ourselves; we're very open to that. 00:32:55:23 - 00:32:58:06 But it's obviously one thought process. 00:32:58:06 - 00:33:01:11 So, part of that is, you know, the approval, the coupling, 00:33:01:11 - 00:33:03:06 going to be a really key part of that, too. 00:33:03:06 - 00:33:06:02 So, that's one area that we're really starting to 00:33:06:02 - 00:33:09:22 dive into now for our workstream for the next year. 00:33:10:01 - 00:33:12:22 The other part is, again, really coming to those components.
00:33:12:22 - 00:33:14:24 We built a lot of platforms in government. 00:33:14:24 - 00:33:19:07 And the way that it's always been is most teams have to kind of prove themselves 00:33:19:07 - 00:33:20:18 from scratch to the auditors. 00:33:20:18 - 00:33:22:14 There's no means of leveraging. 00:33:22:14 - 00:33:26:09 And there is to a certain extent, because teams, you know, in that policy, 00:33:26:09 - 00:33:28:01 we actually have some wording that says 00:33:28:01 - 00:33:30:14 if you're using cloud platforms, you don't have to do as much, 00:33:30:14 - 00:33:33:02 but that's not necessarily the outcome we want. 00:33:33:02 - 00:33:35:18 That's somewhat implicit in the use of it. 00:33:35:18 - 00:33:39:08 We want to bring those things out so that we are able to have much better 00:33:39:08 - 00:33:41:18 visibility, much better understanding of the systems 00:33:41:18 - 00:33:44:07 across the shared responsibility model components. 00:33:44:07 - 00:33:47:10 Obviously, a key part of that is certifications; leveraged authorization, 00:33:47:10 - 00:33:51:00 I think, is that kind of key part which we're starting to really 00:33:51:00 - 00:33:54:16 get our heads around, because it's going from a piece of, 00:33:54:16 - 00:33:58:18 we've just come from writing controls, to the adoption of certainly parts of 00:33:58:23 - 00:34:03:08 how we're now starting to think about the other, more nuanced parts that are 00:34:03:08 - 00:34:07:05 not quite as familiar, particularly to the more traditional governance teams. 00:34:07:05 - 00:34:10:20 Part of that is also thinking about how we change the culture, the practice, 00:34:10:20 - 00:34:14:15 so that platform teams also will start to build their components and share them. 00:34:14:15 - 00:34:17:23 A lot of these teams understand the pain; they have to kind of help 00:34:17:23 - 00:34:21:02 from scratch when an agency comes along and says, are you compliant with this?
00:34:21:02 - 00:34:23:08 They have to pull out some documentation, 00:34:23:08 - 00:34:27:06 and try and convince the auditors; this is a means that helps them as well. 00:34:27:06 - 00:34:29:23 Getting buy-in, timelines, all of the other things 00:34:29:23 - 00:34:32:13 is a really critical part, as well as partner engagement. 00:34:32:13 - 00:34:35:10 At the end of the day, we are using a lot of SaaS tools. 00:34:35:10 - 00:34:36:17 We're using COTS tools. 00:34:36:17 - 00:34:39:17 How do we build this into a wider ecosystem where 00:34:39:18 - 00:34:42:23 we can align open source controls with open source profiles? 00:34:42:23 - 00:34:46:00 These are the sorts of areas that we can start to think about, how it 00:34:46:01 - 00:34:49:20 ties with our SSP and component definitions. I'm going to pause it here 00:34:50:02 - 00:34:53:09 and open it up for discussion. And I'm sure everyone's got a lot of questions. 00:34:53:17 - 00:34:54:13 Thank you very much. 00:34:54:13 - 00:34:55:13 This is very interesting. 00:34:55:13 - 00:34:57:19 I will stop the recording at this moment,