00:00:00:00 - 00:00:00:15 Everyone.
00:00:00:15 - 00:00:05:03 And Michaela, thank you for the opportunity to speak to this group today.
00:00:05:07 - 00:00:07:23 Matt on my team is going to share the slide deck.
00:00:07:23 - 00:00:11:17 So I can go through a brief introduction and background, and then
00:00:12:05 - 00:00:14:23 he's going to be the one you'll be hearing from most today.
00:00:14:23 - 00:00:18:18 He is by far our greatest expert on OSCAL,
00:00:18:20 - 00:00:21:05 and has a lot of interesting challenges to share with you
00:00:21:05 - 00:00:24:11 that we've seen across the board, as well as practical solutions.
00:00:24:11 - 00:00:26:19 So, Matt, will you go ahead and share your screen?
00:00:26:19 - 00:00:29:11 Yep. Can everyone see the slide deck?
00:00:29:11 - 00:00:30:16 Can you see that? Yes.
00:00:30:16 - 00:00:33:18 I'll just briefly introduce ourselves. Macey Smith,
00:00:33:18 - 00:00:36:18 as Michaela said, vice president and co-founder of USAI.
00:00:36:18 - 00:00:41:05 Matt Coughlin is our ISO; he is also one of our solutions architects and works
00:00:41:05 - 00:00:45:21 very closely on our product suite that leverages OSCAL at its core
00:00:45:24 - 00:00:49:07 to enable what we call extreme innovation or extreme automation.
00:00:49:10 - 00:00:53:05 We have been working with OSCAL for the last 5 or 6 years now.
00:00:53:05 - 00:00:54:14 It has been at the core
00:00:54:14 - 00:00:57:22 of everything that we do from a product development perspective.
00:00:58:03 - 00:01:02:01 We think that it is absolutely critical to ensure the automation
00:01:02:07 - 00:01:04:05 that we're going to see in the future,
00:01:04:05 - 00:01:07:05 with some clients we're seeing it now, others in the future, in terms
00:01:07:05 - 00:01:11:03 of cybersecurity automation, that will allow us to be more proactive
00:01:11:03 - 00:01:15:12 than reactive and leverage OSCAL to take a data-first approach
00:01:15:17 - 00:01:19:04 and intelligently automate a lot of the opportunities that we have.
00:01:19:08 - 00:01:21:07 So, we've been a big part of the community.
00:01:21:07 - 00:01:22:01 We worked on the ACT-IAC
00:01:22:01 - 00:01:24:12 ATO as Code group, which I saw a couple
00:01:24:12 - 00:01:26:11 folks on the line here today, such as Perus.
00:01:26:11 - 00:01:29:19 They were a part of that, as well as many other parts of the organization.
00:01:29:19 - 00:01:32:08 They brought a lot of thought leadership to how to implement OSCAL.
00:01:32:08 - 00:01:36:12 And of course, Dr. Iorga and her team at NIST and the FedRAMP team are
00:01:36:16 - 00:01:39:17 amazing and have put a lot of thought leadership into OSCAL as well.
00:01:39:22 - 00:01:44:01 And recently, Venable spun up the OSCAL Foundation, which I think
00:01:44:01 - 00:01:47:16 is a great opportunity to get thought leaders together and push OSCAL
00:01:47:18 - 00:01:51:12 beyond just NIST and FedRAMP and out to other frameworks globally.
00:01:51:14 - 00:01:54:15 When we were listening in on the OSCAL Foundation
00:01:54:17 - 00:01:58:03 meeting earlier this week or last week, we heard somebody make the comment,
00:01:58:03 - 00:01:59:06 how do we get started?
00:01:59:06 - 00:02:01:05 And that's oftentimes what we hear.
00:02:01:05 - 00:02:04:21 Here at USAI, we're very focused on excellence but also speed.
00:02:04:21 - 00:02:08:05 So we thought it would be a great opportunity for us to talk about
00:02:08:05 - 00:02:12:23 how we help our customers get started with OSCAL as rapidly as possible.
00:02:13:02 - 00:02:16:24 And our hope is that what you all will walk away with today are three actionable
00:02:16:24 - 00:02:20:07 steps that you can start with immediately, either at your organizations
00:02:20:14 - 00:02:21:23 or with your customers,
00:02:21:23 - 00:02:25:04 in order to begin, or at least prepare, to implement OSCAL.
00:02:25:06 - 00:02:30:00 To frame some of the conversation around where OSCAL can get us, the ACT-IAC
00:02:30:00 - 00:02:33:17 ATO as Code group put together a compliance automation maturity model,
00:02:33:17 - 00:02:37:14 which is a framework to help organizations adopt and scale OSCAL.
00:02:37:20 - 00:02:40:13 And we did this with the same idea in mind,
00:02:40:13 - 00:02:42:03 because we all have the same question:
00:02:42:03 - 00:02:45:07 how do you practically get to where we need to go?
00:02:45:07 - 00:02:50:06 OSCAL has a lot of applicability, very, very advanced applicability.
00:02:50:11 - 00:02:54:04 But we see that oftentimes agencies and organizations are
00:02:54:04 - 00:02:57:08 still at the ad hoc phase of managing their compliance.
00:02:57:10 - 00:03:02:04 You'll see that they often don't have a platform to store cybersecurity data.
00:03:02:06 - 00:03:04:07 Their processes are often on paper;
00:03:04:07 - 00:03:06:18 sometimes, often, wet signatures are still being used.
00:03:06:18 - 00:03:08:22 Everything is very ad hoc and manual.
00:03:08:22 - 00:03:12:23 The challenge there is cyber happens way faster than a document
00:03:12:23 - 00:03:15:16 that we can write or a document we can search to identify
00:03:15:16 - 00:03:18:00 what is our policy or how do we react to this.
00:03:18:00 - 00:03:19:24 We can't operate in that world anymore.
00:03:19:24 - 00:03:24:07 So we wanted to show these organizations: how do I go from ad hoc and ultimately
00:03:24:07 - 00:03:25:16 get to automate and optimize?
00:03:25:16 - 00:03:27:12 But how can I practically get there?
00:03:27:12 - 00:03:31:00 Today we're going to show you how to prepare for step three,
00:03:31:05 - 00:03:33:12 and we believe you all can do that pretty rapidly.
00:03:33:12 - 00:03:35:13 And Matt is going to talk through those examples.
00:03:35:13 - 00:03:37:22 Just to kind of give you an idea, I mentioned ad hoc.
00:03:37:22 - 00:03:39:19 Ad hoc is paper based,
00:03:39:19 - 00:03:42:20 disconnected, you know, cybersecurity tools and platforms.
00:03:42:20 - 00:03:45:01 Everything is very manual, labor intensive.
00:03:45:01 - 00:03:47:16 Your security artifacts are simply stored in a repository.
00:03:47:16 - 00:03:50:01 They're not digitized, not being leveraged in any way.
00:03:50:01 - 00:03:53:20 There's very little standardization of business risk around the systems
00:03:53:22 - 00:03:55:01 to get you to implement it.
00:03:55:01 - 00:03:58:08 We can help you get there pretty quickly if you implement the recommendations
00:03:58:08 - 00:03:59:05 we talked about today.
00:03:59:05 - 00:04:02:17 So first is getting the security artifacts digitized in OSCAL.
00:04:02:17 - 00:04:04:20 Matt's going to talk you through what that data structure
00:04:04:20 - 00:04:07:15 likely looks like for you now and what it needs to look like.
00:04:07:15 - 00:04:10:20 And I'll talk about how we highly recommend using a tool to do that.
00:04:10:20 - 00:04:14:23 We've actually talked to some agencies that have written their JSON or XML.
00:04:15:01 - 00:04:17:14 That takes way too much time. We don't recommend doing that.
00:04:17:14 - 00:04:19:09 There's a lot of great tools out on the market
00:04:19:09 - 00:04:21:14 that can help you get that data into OSCAL.
00:04:21:14 - 00:04:24:17 Once you get it into OSCAL in a tool, you can begin to automate compliance
00:04:24:17 - 00:04:25:10 checks.
00:04:25:10 - 00:04:29:05 You can begin to integrate with your monitoring tools and run checks
00:04:29:05 - 00:04:31:16 against what was actually written for your implementation
00:04:31:16 - 00:04:34:18 statements in OSCAL. When you get to the integrated component,
00:04:34:18 - 00:04:38:10 you can begin to look at how your different systems are integrated
00:04:38:10 - 00:04:41:08 and how they leverage each other to look at the supply chain risk.
00:04:41:08 - 00:04:43:14 Eventually, leveraging the measured phase,
00:04:43:14 - 00:04:46:02 you can begin to integrate not just with cyber platforms,
00:04:46:02 - 00:04:50:00 but business platforms to see how security is impacting the business.
00:04:50:00 - 00:04:51:01 And in the fifth phase,
00:04:51:01 - 00:04:54:24 that's when you begin to leverage the OSCAL framework and run AI against it
00:04:55:05 - 00:04:56:10 so that you can begin to get
00:04:56:10 - 00:05:00:07 the intelligent threat detection, the intelligent compliance monitoring,
00:05:00:11 - 00:05:04:07 the intelligent recommendations on how to improve your cybersecurity posture.
00:05:04:07 - 00:05:08:01 So OSCAL powers everything that you see in this maturity model.
00:05:08:03 - 00:05:10:02 And again today, we're just going to focus on
00:05:10:02 - 00:05:13:07 how do we get you to three, so that you can begin that journey.
00:05:13:10 - 00:05:16:05 So I'll pause there and let Matt take it away.
00:05:16:05 - 00:05:19:06 I just want to thank you all again for the opportunity to present to you.
00:05:19:06 - 00:05:22:10 And I hope you enjoy what it is that we have to present to you.
00:05:22:16 - 00:05:24:06 Please get your questions ready,
00:05:24:06 - 00:05:27:05 because I really like to see Matt get asked a lot of really tough questions
00:05:27:05 - 00:05:27:22 at the end.
00:05:27:22 - 00:05:29:15 Thank you, Macey, for taking us off.
00:05:29:15 - 00:05:33:12 And we'll kind of jump away from this maturity model to what we see
00:05:33:12 - 00:05:35:04 as some of the main challenges today.
00:05:35:04 - 00:05:36:17 So, these are challenges
00:05:36:17 - 00:05:39:17 from multiple different subcategories that we're going to cover.
00:05:39:17 - 00:05:43:11 And at the end, I'm hoping to give you all some quick, easy actions
00:05:43:11 - 00:05:46:17 that you can actually take back to your organizations to start this transition
00:05:46:23 - 00:05:50:06 and get through those first two phases and get you ready for phase three.
00:05:50:06 - 00:05:52:22 So OSCAL, like any tool, is a tool.
00:05:52:22 - 00:05:55:10 We always recommend, when going through a transformation
00:05:55:10 - 00:05:59:01 that especially is going to unlock some of the automation and compliance
00:05:59:01 - 00:06:02:16 in the compliance lifecycle that OSCAL will, to start with the governance.
00:06:02:19 - 00:06:05:14 This is really, really important, as this is going to set the foundation
00:06:05:14 - 00:06:09:03 for your organizations to move through that maturity model and to implement
00:06:09:03 - 00:06:12:11 OSCAL appropriately and correctly within your organization.
00:06:12:15 - 00:06:15:04 Some of the challenges that we've seen around this, specific
00:06:15:04 - 00:06:18:21 to OSCAL, is things like an undefined organizational profile.
00:06:19:01 - 00:06:22:20 For those of you who are familiar with OSCAL, which I believe most on this call are,
00:06:22:20 - 00:06:26:05 the profile is one of the key components where an organization can go
00:06:26:05 - 00:06:29:15 and define exactly what they're going to be pulling from the catalog
00:06:29:15 - 00:06:32:11 for requirements in their OSCAL for their organization.
00:06:32:11 - 00:06:34:02 So we recommend that early on
00:06:34:02 - 00:06:37:03 in the process of transitioning, you sit down within your teams,
00:06:37:03 - 00:06:40:22 you self-organize to define what your organizational profile should be,
00:06:41:01 - 00:06:44:19 so that when you get to later on in the process, you can start to share
00:06:44:19 - 00:06:47:14 that amongst your practitioners in the organization,
00:06:47:14 - 00:06:50:12 and they can begin to implement that profile across your entire
00:06:50:12 - 00:06:52:07 The next common challenge that we've seen
00:06:52:07 - 00:06:55:22 in terms of governance is the manual catalog change management.
00:06:55:24 - 00:06:57:20 Current processes and tools
00:06:57:20 - 00:06:59:03 really are paper based.
00:06:59:03 - 00:07:02:11 So change management here was typically led by NIST
00:07:02:11 - 00:07:03:20 or some of the other organizations
00:07:03:20 - 00:07:07:19 when they publish new requirements around, say, the RMF process.
00:07:07:23 - 00:07:09:05 These are things like changes in
00:07:09:05 - 00:07:13:00 control statuses, whether they're withdrawn or updated.
00:07:13:03 - 00:07:14:07 Requirements are stated.
00:07:14:07 - 00:07:16:24 That change process is very, very manual today.
00:07:16:24 - 00:07:21:01 What we recommend here is leveraging OSCAL; that becomes very automated.
00:07:21:01 - 00:07:23:05 As the new catalogs get published out by NIST,
00:07:23:05 - 00:07:25:13 you can pull them down and immediately incorporate that.
00:07:25:13 - 00:07:27:20 You should meet early on in your organization
00:07:27:20 - 00:07:31:11 to define how you're going to handle this new approach to change management
00:07:31:14 - 00:07:33:09 when it comes to the RMF lifecycle.
00:07:33:09 - 00:07:37:01 These are things like setting deadlines and setting timelines for your team
00:07:37:01 - 00:07:39:05 so that they understand, when changes are made to OSCAL,
00:07:39:05 - 00:07:43:10 how quickly do they need to adapt and make those implementation changes
00:07:43:10 - 00:07:44:01 as well,
00:07:44:01 - 00:07:45:09 so that they stay in compliance
00:07:45:09 - 00:07:48:14 with that overall catalog and with your organization's profile.
00:07:48:17 - 00:07:50:19 The next common challenge around governance
00:07:50:19 - 00:07:54:12 that we like to highlight very early on with any of our customers or partners,
00:07:54:12 - 00:07:58:03 when implementing OSCAL, is the undefined risk appetite.
00:07:58:05 - 00:07:59:19 So OSCAL is a tool.
00:07:59:19 - 00:08:03:11 And that tool is going to provide a lot of insight into overall risk
00:08:03:11 - 00:08:04:11 and compliance
00:08:04:11 - 00:08:07:11 through things like the validation components and schemas.
00:08:07:11 - 00:08:10:16 Now, we believe, and we always try to help our partners
00:08:10:16 - 00:08:14:02 and our customers, to define what their risk appetite is
00:08:14:04 - 00:08:16:23 so that when they start to leverage things like the validator, they know
00:08:16:23 - 00:08:20:15 exactly how that can be incorporated into their current RMF process.
00:08:20:15 - 00:08:25:08 How do you move forward into something like continuous ATO,
00:08:25:10 - 00:08:28:15 or even just a standard ATO process that you may have today,
00:08:28:20 - 00:08:32:17 taking as inputs those kind of validation reports and outputs?
00:08:32:19 - 00:08:36:13 So very, very important to define this early and really educate
00:08:36:13 - 00:08:37:17 your workforce on what
00:08:37:17 - 00:08:40:21 is the risk appetite across the board for the different kinds of systems
00:08:40:21 - 00:08:42:22 and the different data that you may be storing, or that you're
00:08:42:22 - 00:08:45:03 trying to run these compliance operations against.
00:08:45:03 - 00:08:48:19 And then finally, I think this is the big pole in the tent, for lack of a better term,
00:08:48:23 - 00:08:50:07 the lack of OSCAL
00:08:50:07 - 00:08:52:20 operational policies and procedures.
00:08:52:20 - 00:08:54:09 Again, OSCAL is a tool.
00:08:54:09 - 00:08:58:11 There needs to be operational policies put in place within your organization
00:08:58:11 - 00:09:00:14 to further educate the workforce
00:09:00:14 - 00:09:04:18 on how to incorporate OSCAL, how it's going to automate certain processes,
00:09:04:18 - 00:09:08:19 and how they can leverage that automation when conducting compliance reviews
00:09:08:19 - 00:09:12:17 and going through that RMF process, and then how to actually maintain OSCAL
00:09:12:17 - 00:09:15:24 through your organization and updates to things that just happen
00:09:15:24 - 00:09:17:11 naturally in cybersecurity.
00:09:17:11 - 00:09:19:01 So this is really, really critical.
00:09:19:01 - 00:09:22:10 And we recommend you start here on these kind of governance issues
00:09:22:10 - 00:09:24:03 first, to lay the foundation
00:09:24:03 - 00:09:28:08 of how your organization can then actually implement OSCAL later on
00:09:28:08 - 00:09:31:24 and take the best advantage or the most value out of that toolset.
00:09:32:07 - 00:09:36:02 The next challenge that we're going to cover today is data readiness.
00:09:36:04 - 00:09:39:17 Data readiness is, I think, where most people jump to when thinking about
00:09:39:17 - 00:09:43:05 OSCAL. Legacy RMF tools and processes really do not
00:09:43:05 - 00:09:47:02 define compliance at the granularity that OSCAL may require.
00:09:47:02 - 00:09:51:17 And so organizations should keep this in mind early, before they even start
00:09:51:17 - 00:09:57:07 to create the necessary JSON or XML or YAML files to power OSCAL.
00:09:57:09 - 00:10:02:10 Some of the common challenges that we see here are with the data that is locked
00:10:02:10 - 00:10:06:24 in physical paper or Word, Excel, PDF, or even legacy data structures
00:10:06:24 - 00:10:11:23 that really don't transition well to the new data structure of OSCAL
00:10:11:23 - 00:10:14:23 to allow that toolset to really power
00:10:14:23 - 00:10:17:23 the automations, the granularity that makes it useful.
00:10:18:01 - 00:10:20:00 And we're going to show you some examples of these.
00:10:20:00 - 00:10:23:06 In summary, I think a big one is the control implementation statements;
00:10:23:08 - 00:10:25:19 they're not stored at the part level in many cases.
00:10:25:19 - 00:10:26:14 We've run into this
00:10:26:14 - 00:10:30:09 with multiple customers where they may have all of their statements
00:10:30:09 - 00:10:33:22 written in a Word document or legacy tool, where the structure
00:10:33:22 - 00:10:37:21 just simply does not break down the implementations by requirement
00:10:37:21 - 00:10:42:03 or part in the control, which then leads to a data migration
00:10:42:03 - 00:10:46:20 or transition within their organization to get it to that OSCAL-compliant structure
00:10:46:24 - 00:10:49:14 so that they can really leverage that automation.
00:10:49:14 - 00:10:53:09 The next thing that we've seen is actually how you define your SOD
00:10:53:14 - 00:10:56:24 or roles. OSCAL requires roles to be assigned
00:10:56:24 - 00:11:00:10 to users, as well as those roles and users to be assigned to parties.
00:11:00:12 - 00:11:04:22 While legacy tools did not necessarily require that, in many Word documents
00:11:04:22 - 00:11:09:23 you may just see a reference to a role, but with no users defined accurately.
00:11:09:23 - 00:11:12:23 And so we've also seen this in other legacy tools
00:11:12:23 - 00:11:16:07 where the data structure just doesn't support the assignment of a role,
00:11:16:07 - 00:11:17:18 and furthermore, to a party.
00:11:17:18 - 00:11:21:01 This is going to become extremely important in your organizations,
00:11:21:01 - 00:11:25:01 as one of the benefits of having your compliance documentation in a machine-readable
00:11:25:01 - 00:11:28:24 format is that it should allow for greater participation
00:11:28:24 - 00:11:32:07 from the different parties, from the assessors to the actual system
00:11:32:07 - 00:11:34:02 implementers of the system teams
00:11:34:02 - 00:11:37:03 up to the authorizing officials in organizations.
00:11:37:03 - 00:11:38:23 So being able to define and store
00:11:38:23 - 00:11:42:18 this information relevantly in the package is extremely important.
00:11:42:21 - 00:11:45:17 And I'll talk to you about that a little bit more here in just a moment.
00:11:45:17 - 00:11:48:15 Finally, I think one of the big things that we've noticed
00:11:48:15 - 00:11:51:16 with OSCAL is the organizational defined parameters.
00:11:51:18 - 00:11:55:18 They do not follow the same ID structure that OSCAL does.
00:11:55:18 - 00:11:59:22 Now, in legacy tools and processes, this is probably the first hurdle
00:11:59:22 - 00:12:04:14 that we encounter with any customer or partner that's looking to transfer to OSCAL,
00:12:04:16 - 00:12:08:14 is that they have to then go through and either separate organizational
00:12:08:14 - 00:12:10:16 defined parameters where they may have combined them.
00:12:10:16 - 00:12:14:05 I think good examples of this are actually on those dashboard controls.
00:12:14:05 - 00:12:19:20 Or their IDs do not really align accurately to transition them into OSCAL.
00:12:19:20 - 00:12:23:17 This once again leads to that kind of data migration or cleansing or implementation
00:12:23:17 - 00:12:27:10 phase where they'll actually work within teams of the organization
00:12:27:10 - 00:12:31:11 to break this information out, relabel it with the proper IDs,
00:12:31:11 - 00:12:34:20 so that when they get to OSCAL, it's very easy for them to begin
00:12:34:20 - 00:12:35:23 implementing this
00:12:35:23 - 00:12:39:09 across all of their different boundaries or the organization as a whole.
00:12:39:15 - 00:12:42:23 The next common issue I really want to address is the tool.
00:12:43:01 - 00:12:44:14 Macey mentioned that we've spoken
00:12:44:14 - 00:12:48:19 with individuals who have actually tried to create XML or JSON by hand.
00:12:48:22 - 00:12:51:21 And while this does get a good end result, it is not
00:12:51:21 - 00:12:55:14 necessarily the best path forward, as there are a lot of tools today
00:12:55:14 - 00:12:57:17 in the market that can automate that generation.
00:12:57:17 - 00:13:01:06 And the reason why is this just opens you up; it is very prone to human error
00:13:01:06 - 00:13:02:04 when you're drafting.
00:13:02:04 - 00:13:05:09 You want an automated mechanism that can handle that for you and
00:13:05:10 - 00:13:09:12 move you away from those legacy toolsets and processes.
00:13:09:15 - 00:13:12:07 The issues that we've seen here are widespread.
00:13:12:07 - 00:13:15:18 I've mentioned it already, and you'll see this as a common point throughout this
00:13:15:18 - 00:13:19:10 presentation, is that a lot of this was paper based for a very long time.
00:13:19:14 - 00:13:23:07 And getting that outside of those paper documents, those Word documents,
00:13:23:07 - 00:13:25:24 those PDFs, whatever else it may be, into a digital
00:13:25:24 - 00:13:29:07 format is going to be critical, not just for moving to OSCAL,
00:13:29:07 - 00:13:32:16 but also maturing through the maturity model that Macey briefed
00:13:32:18 - 00:13:35:18 and getting to those phase 4 or 5 where you're really starting
00:13:35:18 - 00:13:39:19 to inject intelligence or leverage intelligence alongside OSCAL.
00:13:39:22 - 00:13:43:00 Some of the other common challenges here are the technology cost
00:13:43:00 - 00:13:46:24 to maintain legacy tooling, very significant and often a common challenge
00:13:46:24 - 00:13:48:24 that we've heard from our partners and customers.
00:13:48:24 - 00:13:51:15 It's very time consuming to manage changes,
00:13:51:15 - 00:13:54:24 those changes to whether it's the catalog requirements being defined
00:13:54:24 - 00:13:58:15 or if it's just managing the changes to your actual compliance packages.
00:13:58:15 - 00:14:00:06 This is very, very time consuming.
00:14:00:06 - 00:14:03:08 I think this is reflected in how long it can take to just even get
00:14:03:08 - 00:14:07:10 to authority to test or for you to operate at a specific agency.
00:14:07:13 - 00:14:11:12 This is highlighted as well due to the fact that those infrastructures
00:14:11:12 - 00:14:12:19 are not very flexible;
00:14:12:19 - 00:14:17:02 they can't really handle some of the new technology that's coming out at speed,
00:14:17:06 - 00:14:18:15 which takes a lot of time to go
00:14:18:15 - 00:14:22:24 back, implement and restructure the data to get it into it, make it usable.
00:14:22:24 - 00:14:24:09 And I think this was highlighted
00:14:24:09 - 00:14:28:12 with AI over the past few years, that those unstructured data sets
00:14:28:12 - 00:14:32:08 just really weren't optimized to be leveraged in AI.
00:14:32:08 - 00:14:35:11 And OSCAL is going to help with that by giving you a structured format
00:14:35:11 - 00:14:39:03 that you can then transfer and build AI on top of. One of the big ones
00:14:39:03 - 00:14:41:10 that we like to call out is the integrations.
00:14:41:10 - 00:14:43:21 What we're going to cover today is going to get you to phase three.
00:14:43:21 - 00:14:46:21 And the reason why we say that is phase three is all about
00:14:46:21 - 00:14:49:23 integrating your separated security toolsets.
00:14:50:00 - 00:14:51:14 We believe OSCAL is going to give you
00:14:51:14 - 00:14:54:13 the ability to not just leverage the compliance automations,
00:14:54:13 - 00:14:58:07 but also pull in other things that can actually power more insight
00:14:58:07 - 00:15:02:04 and really drive risk, and measuring risk, in your organizations
00:15:02:06 - 00:15:05:10 by having that integration to all those toolsets.
00:15:05:12 - 00:15:06:13 Other big things
00:15:06:13 - 00:15:10:12 here are common challenges that we've seen, really the lack of automation;
00:15:10:14 - 00:15:11:15 those toolsets
00:15:11:15 - 00:15:15:23 that we've seen or processes really look to have just a file repository.
00:15:15:23 - 00:15:18:08 This doesn't provide a lot of automation.
00:15:18:08 - 00:15:20:21 There's a lot of context lost when you do this.
00:15:20:21 - 00:15:24:18 OSCAL is going to help to solve that by being able to accurately summarize
00:15:24:18 - 00:15:27:15 your compliance, but also give you the ability to go back
00:15:27:15 - 00:15:31:10 and verify that what's being generated and what's being automated by OSCAL
00:15:31:11 - 00:15:35:02 is actually accurate and to, you know, provide that sense of confidence.
00:15:35:14 - 00:15:38:01 And what OSCAL is producing for you and your teams.
00:15:38:01 - 00:15:38:09 Yeah.
00:15:38:09 - 00:15:40:15 So one thing. Matt, if I can interrupt, one point
00:15:40:15 - 00:15:43:02 I want to make here, I mean, because I'm sure you all are familiar
00:15:43:02 - 00:15:45:10 with these challenges that Matt's walking through.
00:15:45:10 - 00:15:50:07 We've done this with many, many agencies and many commercial organizations as well.
00:15:50:07 - 00:15:54:03 So the biggest takeaway here is, and we don't want to name legacy tools,
00:15:54:03 - 00:15:57:20 we don't want to name modern tools, but oftentimes we'll hear them say,
00:15:57:20 - 00:16:00:22 you know, all we really need to do is be able to digitize something.
00:16:00:22 - 00:16:04:24 Why would we need to buy a really expensive tool that has AI enabled?
00:16:04:24 - 00:16:05:15 Well, sure.
00:16:05:15 - 00:16:08:15 To begin with, you need to be able to digitize it and get it in OSCAL format.
00:16:08:15 - 00:16:12:14 But in the future, you are going to want to be able to leverage intelligence
00:16:12:14 - 00:16:16:06 and build out an ecosystem for your cybersecurity capabilities.
00:16:16:06 - 00:16:20:18 So it's not just buying a tool that can generate OSCAL, it's
00:16:20:18 - 00:16:26:01 buying a tool that enables you to do what OSCAL will enable you to do in the future.
00:16:26:01 - 00:16:28:05 So Matt was kind of walking through these one by one.
00:16:28:05 - 00:16:29:13 But I just wanted to highlight
00:16:29:13 - 00:16:33:01 the fact that, and we're going to go into what those modern tools look like
00:16:33:01 - 00:16:35:14 and what we recommend you look for in them,
00:16:35:14 - 00:16:37:08 but legacy tools in general,
00:16:37:08 - 00:16:40:12 unless they're completely revamped, typically they're on old stacks.
00:16:40:12 - 00:16:42:16 It's very, very expensive to redo them.
00:16:42:16 - 00:16:45:00 It's not a common stack across all customers.
00:16:45:00 - 00:16:46:12 There's a lot of customization.
00:16:46:12 - 00:16:50:11 It's just going to take a lot of time and money to modernize your legacy tools
00:16:50:11 - 00:16:51:07 if you have them.
00:16:51:07 - 00:16:55:17 There are a lot of great CSPs out there that have amazing products
00:16:55:17 - 00:16:56:20 that will do this fast.
00:16:56:20 - 00:16:58:17 And while they may be a little more expensive,
00:16:58:17 - 00:17:02:16 you know, we always recommend to customers that they move in that direction.
00:17:02:22 - 00:17:06:18 Otherwise their automation journey will just continue to be a challenge.
00:17:06:24 - 00:17:07:13 Yeah.
00:17:07:13 - 00:17:09:06 So the next thing that I'm going to walk through
00:17:09:06 - 00:17:12:16 is actually some of the actual solutions that you can take
00:17:13:00 - 00:17:14:16 based on what we just covered. A lot of
00:17:14:16 - 00:17:17:19 these are going to focus around steps that you can take within your data,
00:17:17:22 - 00:17:20:23 based on those policies that we recommend you focus on.
00:17:21:00 - 00:17:23:08 So the first is really preparing your data.
00:17:23:08 - 00:17:26:12 I think an easy one that we've seen our customers and partners
00:17:26:12 - 00:17:29:21 start with is actually how they define their users and roles,
00:17:29:24 - 00:17:32:24 to assign them back to groups or parties in OSCAL.
00:17:32:24 - 00:17:36:18 This is extremely powerful when you move into a modern toolset,
00:17:36:18 - 00:17:41:04 as when you begin to document and use something like role-based access control
00:17:41:04 - 00:17:42:23 or role assignments within a tool, one,
00:17:42:23 - 00:17:46:02 you're going to see the collaboration explode in your organization.
00:17:46:02 - 00:17:50:11 You know, we've seen organizations move out of that kind of approval structure
00:17:50:11 - 00:17:54:17 where each step needs to be approved, to have a more fluid compliance process,
00:17:54:17 - 00:17:58:01 where system teams will make updates, make changes to their boundary,
00:17:58:04 - 00:18:01:02 and assessors can actually come in and immediately review and assess
00:18:01:02 - 00:18:05:07 and provide that feedback to create a more continuous authorization standpoint.
00:18:05:07 - 00:18:09:03 Furthermore, defining users by role and within their specific parties
00:18:09:03 - 00:18:10:09 in the organization,
00:18:10:09 - 00:18:14:08 you're going to also unlock actual automation for your practitioners.
00:18:14:12 - 00:18:17:22 This can be done through automated alerts, customized workflows
00:18:17:22 - 00:18:19:01 by role, things like that,
00:18:19:01 - 00:18:23:21 that really can't just be leveraged from the standard, just, user account,
00:18:23:24 - 00:18:27:15 but need to be assigned to specific roles and structured in that way.
00:18:27:15 - 00:18:31:04 One of the common examples we give here is kind of moving to more of a digital
00:18:31:04 - 00:18:35:09 signature approach, where we can define who those signatory authorities are.
00:18:35:09 - 00:18:38:14 We can notify them when they're ready to have signatures captured,
00:18:38:16 - 00:18:41:04 and where exactly in the tool they should do that,
00:18:41:04 - 00:18:44:12 which can cut down that process of authorization dramatically.
00:18:44:12 - 00:18:48:08 The next place: what we covered a little bit earlier in regards
00:18:48:08 - 00:18:51:16 to the control structures, you know, legacy tooling,
00:18:51:17 - 00:18:56:14 whether it's in a standard legacy toolset or if it's from the more document-based
00:18:56:14 - 00:18:59:23 process, really struggled at separating
00:18:59:23 - 00:19:03:02 out controls and implementations by requirement or part.
00:19:03:04 - 00:19:05:01 And we recommend that your teams go through,
00:19:05:01 - 00:19:08:00 as they have this information accessible to them through NIST
00:19:08:00 - 00:19:12:17 and the requirements that are placed in your 800-53 baseline or any other control set.
00:19:12:17 - 00:19:14:22 They can really go in and start to break this out
00:19:14:22 - 00:19:17:22 and start to allocate their requirements or their implementations
00:19:17:22 - 00:19:19:10 to the specific requirements.
00:19:19:10 - 00:19:20:22 So when they get to OSCAL,
00:19:20:22 - 00:19:24:07 it's a much faster transition for them all in that organization.
00:19:24:18 - 00:19:28:02 Finally, I did want to cover the organizational defined parameters.
00:19:28:08 - 00:19:32:03 This is just one quick example of how those IDs were set up previously to how
00:19:32:03 - 00:19:35:07 OSCAL is going to capture them. Going through and doing this very simple
00:19:35:07 - 00:19:40:01 task of re-tagging or re-identifying those organizational defined parameters
00:19:40:03 - 00:19:44:05 pays off a lot transitioning into OSCAL. Once you already have these IDs
00:19:44:05 - 00:19:48:06 in a semi-structured format, you can very quickly begin to implement
00:19:48:06 - 00:19:52:00 OSCAL and transition your boundaries over using this information.
00:19:52:00 - 00:19:54:02 And hopefully when you start to run OSCAL,
00:19:54:02 - 00:19:55:17 you'll start to be able to leverage
00:19:55:17 - 00:19:59:01 a lot more of the automation capabilities, especially the validations,
00:19:59:01 - 00:20:01:05 faster within your organization.
00:20:01:05 - 00:20:05:10 The next thing that I want to talk about as an actual solution is the adoption of
00:20:05:14 - 00:20:06:18 cloud native tools.
00:20:06:18 - 00:20:10:13 You know, I think Macey did a great job summarizing on the toolset slide
00:20:10:13 - 00:20:15:14 that we just discussed why it is so important for organizations to modernize
00:20:15:14 - 00:20:18:17 Now, to something that is an OSCAL native platform 00:20:18:17 - 00:20:21:20 or already has a way to transition you to OSCAL. 00:20:21:20 - 00:20:25:05 And what we've done here is we're showing the RMF lifecycle 00:20:25:05 - 00:20:30:05 and how it can be reduced and streamlined using OSCAL in a modern toolset. 00:20:30:09 - 00:20:34:13 This is done by automating certain steps, whether it was in the traditional plan, 00:20:34:13 - 00:20:38:05 prepare, catalog or select phases of RMF, and really collapsing 00:20:38:05 - 00:20:39:13 that through automation 00:20:39:13 - 00:20:43:21 and getting you as quickly as possible over to implementing, assessing 00:20:43:21 - 00:20:48:02 and then continuously monitoring these implementations. Having a toolset 00:20:48:02 - 00:20:52:00 that does this and creates that collaborative space really streamlines 00:20:52:00 - 00:20:54:06 this transition for organizations. 00:20:54:06 - 00:20:58:13 And it's going to make it more useful later on when you get to things like more 00:20:58:13 - 00:21:02:17 modern AI techniques, where you can insert things, traditional machine learning, 00:21:02:17 - 00:21:06:06 but also large language models, to further automate this process 00:21:06:06 - 00:21:09:17 and really take full advantage of OSCAL as a data structure. 
00:21:10:02 - 00:21:13:14 So, our recommended approach for any organization or any partner 00:21:13:14 - 00:21:18:04 that we have looking to move into OSCAL is to really start now 00:21:18:08 - 00:21:23:06 by creating your policies and procedures, defining how your organization 00:21:23:06 - 00:21:26:24 would like to implement, leverage and utilize OSCAL, to start 00:21:26:24 - 00:21:30:21 to train your workforces early on these new policies and procedures. 00:21:30:23 - 00:21:34:15 This way, they have that kind of knowledge, they can build up the expertise, 00:21:34:15 - 00:21:38:10 and you can look to then take a top down approach to your data, 00:21:38:16 - 00:21:42:10 implementing a tool set that really supports OSCAL natively, 00:21:42:10 - 00:21:44:10 but then that data transition 00:21:44:10 - 00:21:48:01 to get you to actually building out OSCAL packages. 00:21:48:01 - 00:21:49:01 And then finally, you know, 00:21:49:01 - 00:21:52:14 we are big supporters of what NIST, FedRAMP and the other organizations 00:21:52:14 - 00:21:55:21 that have pushed out OSCAL, but also this community here on the call, have done. 00:21:56:01 - 00:21:59:24 We really would love to see this community continue to push OSCAL forward 00:21:59:24 - 00:22:03:01 and to hopefully come together as a community to define a standard 00:22:03:01 - 00:22:07:02 structure for RMF and OSCAL that can be widely adopted across 00:22:07:02 - 00:22:11:09 any organization and hopefully cut down on some of the transitional pains 00:22:11:13 - 00:22:13:04 that we foresee in the future. 00:22:13:04 - 00:22:17:09 We want to have a single kind of standard profile or validation approach 00:22:17:09 - 00:22:21:12 so that organizations or agencies that implement OSCAL can help and support 00:22:21:12 - 00:22:25:00 other agencies that are looking to transition by providing packages that 00:22:25:00 - 00:22:28:00 inherit information across, you know, the federal government as a whole. 
00:22:28:01 - 00:22:31:22 So, I do want to end by saying thank you to everyone for joining the discussion 00:22:31:22 - 00:22:32:10 today. 00:22:32:10 - 00:22:35:11 I'd love to get some questions about the content that we just went over. 00:22:35:13 - 00:22:38:15 At this point, I'm going to ask Michaela if she can stop the recording 00:22:38:15 - 00:22:40:23 and then open up the floor to you all for questions.