00:00:00:04 - 00:00:04:12 So we're here to talk about, OSCAL catalogs, creating easily and using
00:00:04:12 - 00:00:09:05 broadly as, Michaela mentioned, we're going to do quick little introductions.
00:00:09:05 - 00:00:10:00 My name is Pirooz.
00:00:10:00 - 00:00:12:09 I'm the co-founder and CTO of Easy Dynamics.
00:00:12:09 - 00:00:14:17 With me we have Brian and Juan.
00:00:14:17 - 00:00:16:16 Do you want to introduce yourselves?
00:00:16:16 - 00:00:20:06 Hi. I'm Brian Ruff. I'm an OSCAL SME, supporting Easy Dynamics.
00:00:20:12 - 00:00:23:23 And I'm Juan Risso, lead developer for the Compliance Hero project.
00:00:23:23 - 00:00:25:01 at Easy Dynamics.
00:00:25:01 - 00:00:26:01 Well,
00:00:26:01 - 00:00:29:20 thank you for the opportunity, letting us come in and provide an update on our journey.
00:00:29:20 - 00:00:33:14 Michaela, this isn't the first time, we've participated in this forum.
00:00:33:15 - 00:00:37:11 We have been, involved in the OSCAL community for several years now.
00:00:37:11 - 00:00:39:19 Over the years, we participated on the ACT-IAC.
00:00:39:19 - 00:00:43:12 ATO as code, project, with some other folks
00:00:43:12 - 00:00:46:21 that have participated on this forum I think Macey presented last time.
00:00:46:23 - 00:00:50:02 We've also published several open source projects
00:00:50:02 - 00:00:53:08 that include, OSCAL viewing and editing capabilities.
00:00:53:08 - 00:00:56:08 In addition to that, we managed the OSCAL.io website
00:00:56:08 - 00:01:00:04 where we published the content registry with viewing capabilities
00:01:00:04 - 00:01:05:09 while we're, evangelizing a, proposed public specification for an API
00:01:05:10 - 00:01:09:03 for OSCAL to OSCAL for tool to tool exchanges of OSCAL.
00:01:09:04 - 00:01:12:07 finally, helped organize a Mid-Atlantic OSCAL community group.
00:01:12:07 - 00:01:15:11 for those that have participated in the past, we haven't met in a while.
00:01:15:11 - 00:01:16:12 That's not on purpose.
00:01:16:12 - 00:01:18:24 We have been busy behind the scenes and looking forward
00:01:18:24 - 00:01:21:12 to giving you an update on what we have been working on today.
00:01:21:12 - 00:01:23:07 Hope to get something scheduled soon.
00:01:23:07 - 00:01:26:24 So to kick us off, like to, hand over to somebody
00:01:26:24 - 00:01:30:06 that, I don't know anybody that knows more about OSCAL catalogs.
00:01:30:06 - 00:01:33:04 And this gentleman, Brian Ruff, do you want to get us going?
00:01:33:04 - 00:01:35:11 All right. Pirooz. Thank you. Yeah.
00:01:35:11 - 00:01:39:09 So today we're going to have about 20 minutes of,
00:01:39:11 - 00:01:42:11 discussion slides followed by about 20 minutes
00:01:42:11 - 00:01:46:10 of demonstrations, and then we'll open it up for questions.
00:01:46:19 - 00:01:48:20 what we really want to talk about today,
00:01:48:20 - 00:01:51:20 as you get from the title, is we're doing a deeper dive on catalogs.
00:01:52:07 - 00:01:55:22 We want to talk about the original design goals for catalogs,
00:01:56:00 - 00:01:59:00 and then challenge you by and getting you to think about
00:01:59:00 - 00:02:02:11 some additional use cases for, OSCAL catalogs.
00:02:02:18 - 00:02:06:08 talk about why you should consider those broader use cases.
00:02:06:08 - 00:02:11:07 And then as we get into the how you can start to apply these use cases
00:02:11:07 - 00:02:15:22 to OSCAL catalogs, that's what we'll transition into the demo. All right.
00:02:16:01 - 00:02:18:21 So we hear the term OSCAL all the time.
00:02:18:21 - 00:02:19:12 And we might
00:02:19:12 - 00:02:23:19 know what the words mean in the acronym, but I want to dissect them for a second.
00:02:23:24 - 00:02:27:07 Open Security Controls Assessment Language.
00:02:27:07 - 00:02:29:02 So the open is critical.
00:02:29:02 - 00:02:32:21 Part of why this is a NIST standard is the idea that there's nothing
00:02:32:21 - 00:02:33:23 proprietary here.
00:02:33:23 - 00:02:39:09 Every, OSCAL model is an open standard available for all to use freely.
00:02:39:09 - 00:02:42:07 And this is important, especially in its adoption.
00:02:42:07 - 00:02:45:19 Now, OSCAL is focused on security controls.
00:02:45:19 - 00:02:48:09 really, controls are,
00:02:48:09 - 00:02:52:07 there's a control definition, and then there's a control implementation.
00:02:52:07 - 00:02:55:13 Control definitions typically are requirements statements
00:02:55:18 - 00:02:58:21 NIST 800-53 they are functional requirements statements.
00:02:58:21 - 00:03:01:05 They could be technical requirements statements.
00:03:01:05 - 00:03:04:06 But really when you get down to it, a control definition
00:03:04:06 - 00:03:07:06 is a specific form of a requirement statement.
00:03:07:08 - 00:03:09:21 And I want you to keep that in mind as we continue.
00:03:09:21 - 00:03:11:20 But assessment language.
00:03:11:20 - 00:03:16:01 the idea of OSCAL is that you have your control definition.
00:03:16:01 - 00:03:19:10 Then somebody implements according to that definition.
00:03:19:10 - 00:03:24:03 So they have their control implementation and then some other party
00:03:24:03 - 00:03:28:17 performs an assessment to adjudicate whether the implementation was,
00:03:28:23 - 00:03:32:22 created in a way that actually satisfies the control definition.
00:03:33:02 - 00:03:34:15 So that's the assessment piece.
00:03:34:15 - 00:03:39:03 And so it's a language that's intended for anytime you have
00:03:39:08 - 00:03:43:05 a set of requirements, an implementation against those requirements.
00:03:43:05 - 00:03:45:18 And then a third party adjudication
00:03:45:18 - 00:03:48:17 that those requirements have been properly satisfied.
00:03:48:17 - 00:03:51:22 So OSCAL catalogs are the backbone of OSCAL.
00:03:51:24 - 00:03:55:16 the other six models all traced back ultimately to catalog.
00:03:55:19 - 00:03:59:01 this is by design, the OSCAL was created.
00:03:59:04 - 00:04:03:02 So that A, you avoid duplication as much as possible.
00:04:03:11 - 00:04:06:07 B, you always have that traceability.
00:04:06:07 - 00:04:08:11 Why does this implementation statement say what it does?
00:04:08:11 - 00:04:09:08 Let's trace back
00:04:09:08 - 00:04:13:02 through the profile to the catalog and see what the original requirement was.
00:04:13:02 - 00:04:15:21 Well we're now we're doing the assessment well.
00:04:15:21 - 00:04:19:12 Assessments are always in the context of a requirement.
00:04:19:18 - 00:04:21:15 assessing an implementation.
00:04:21:15 - 00:04:24:17 So you have those linkages from the assessment
00:04:24:17 - 00:04:28:09 activity to the implementation that you are, evaluating.
00:04:28:09 - 00:04:30:21 Back to the requirements that that implementation
00:04:30:21 - 00:04:35:08 is trying to meet, that the traceability is by design catalogs are the root.
00:04:35:12 - 00:04:37:23 Now, when I OSCAL was created,
00:04:37:23 - 00:04:41:21 there was a use case, in mind that this was compliance frameworks.
00:04:42:01 - 00:04:47:12 So NIST SP 800-53, SOC 2, ISO-27001
00:04:47:12 - 00:04:50:16 So really these are cyber regulatory frameworks.
00:04:50:20 - 00:04:54:10 It was also designed with the idea that organizations might have to define
00:04:54:10 - 00:04:58:04 their own cyber controls, because they have some unique mission
00:04:58:04 - 00:05:02:06 requirements that go beyond the frameworks that they're trying to apply,
00:05:02:11 - 00:05:05:06 or they might have customer requirements that they're trying to meet.
00:05:05:06 - 00:05:07:18 So OSCAL can handle that as well.
00:05:07:18 - 00:05:11:14 But if you really get down to it OSCAL catalogs can be used more broadly.
00:05:11:14 - 00:05:15:20 Any requirement that you can express, you can capture in an
00:05:15:20 - 00:05:17:06 OSCAL catalog format.
00:05:17:06 - 00:05:21:20 And the concept of requirements exists across virtually all domains.
00:05:22:00 - 00:05:24:24 whether you're working on a system, which is what we tend to think
00:05:24:24 - 00:05:28:08 about with OSCAL or building a product, products
00:05:28:16 - 00:05:32:05 and services are all great examples where you have some kind of requirement
00:05:32:05 - 00:05:35:09 that you're trying to meet as you create that product,
00:05:35:09 - 00:05:38:14 as you follow that process, or as you offer that service,
00:05:38:18 - 00:05:41:22 organizations may have some unique requirements as well
00:05:41:22 - 00:05:46:14 that they want to capture for the purposes of tracking and assessing.
00:05:46:18 - 00:05:50:09 So really, when you get down to what a requirement is, it's
00:05:50:09 - 00:05:52:08 any time you need to clearly define
00:05:52:08 - 00:05:56:03 what must be accomplished or how an entity must behave.
00:05:56:08 - 00:05:58:04 So any place you have that
00:05:58:04 - 00:06:01:22 you can capture that clear definition in an OSCAL catalog.
00:06:02:01 - 00:06:04:23 Also any place where you need to track
00:06:04:23 - 00:06:07:23 requirements, from implementation to assessment.
00:06:07:24 - 00:06:13:02 Here's just a broader example of IT requirements that you may come
00:06:13:02 - 00:06:17:12 across beyond just cybersecurity, nonfunctional requirements.
00:06:17:17 - 00:06:22:10 tend to be things like response time and performance, reliability.
00:06:22:14 - 00:06:24:21 Now availability and security, they overlap
00:06:24:21 - 00:06:28:05 and they tend to be more in the topic area that we're used to hearing about.
00:06:28:05 - 00:06:29:00 OSCAL.
00:06:29:00 - 00:06:32:16 But even things like usability and maintainability can be forms
00:06:32:16 - 00:06:37:16 of requirements that are defined for a system implemented and tracked.
00:06:37:19 - 00:06:41:04 Over on the right column there, there's some broader categories
00:06:41:13 - 00:06:44:19 of requirements that you may encounter for a system.
00:06:44:19 - 00:06:46:04 I'm not going to hit on all of them,
00:06:46:04 - 00:06:49:20 but just for example, near the bottom there, transition requirements.
00:06:49:23 - 00:06:52:23 Let's say we're creating a new system, and we need to have a plan
00:06:52:23 - 00:06:56:04 for how we're going to migrate from the old system to the new system
00:06:56:06 - 00:06:59:08 in a way that doesn't disrupt user experience and availability.
00:06:59:08 - 00:07:01:24 And so those might be requirements that you can capture
00:07:01:24 - 00:07:04:20 in, in an OSCAL catalog and track to make sure
00:07:04:20 - 00:07:07:20 you're ready to do the transition as smoothly as possible.
00:07:08:05 - 00:07:13:02 But if you think about broader domains manufacturing, health care, construction,
00:07:13:02 - 00:07:14:11 financial service,
00:07:14:11 - 00:07:17:18 they all have different requirements that you could track with an
00:07:17:18 - 00:07:18:14 OSCAL catalog.
00:07:18:14 - 00:07:22:17 You can capture that way, in manufacturing things like product
00:07:22:17 - 00:07:27:06 specifications and safety requirements, construction and zoning,
00:07:27:09 - 00:07:31:04 requirements, environmental requirements, like any of these things.
00:07:31:04 - 00:07:33:00 Material specifications.
00:07:33:00 - 00:07:35:02 These are all requirements that you could capture
00:07:35:02 - 00:07:37:15 and might need to track in health care, right?
00:07:37:15 - 00:07:41:13 Patient care equipment, safety equipment, specifications.
00:07:41:13 - 00:07:44:12 Medical devices have very specific needs around them.
00:07:44:12 - 00:07:45:16 And financial services.
00:07:45:16 - 00:07:49:11 This is one where we are already seeing an uptick in OSCAL adoption.
00:07:49:12 - 00:07:54:00 Beyond just the cyber requirements into the greater regulatory requirements,
00:07:54:13 - 00:07:57:14 financial services, you can capture all of these
00:07:58:04 - 00:08:01:14 We want you to think about this, as a set of concentric circles.
00:08:01:18 - 00:08:05:24 the center of the circles is OSCAL tooling, and the OSCAL specification.
00:08:05:24 - 00:08:09:03 The idea is that the tools are following the specification.
00:08:09:03 - 00:08:13:05 As you move out from the center, OSCAL catalogs are where you define
00:08:13:05 - 00:08:14:08 the requirements.
00:08:14:08 - 00:08:15:08 Implementation.
00:08:15:08 - 00:08:19:14 Traditionally, the, the SSP, and component definitions is the implementation
00:08:19:14 - 00:08:20:14 layer of OSCAL.
00:08:20:14 - 00:08:24:17 But this is where you're capturing how requirements are implemented.
00:08:24:17 - 00:08:27:24 And then the next ring out is the independent evaluation.
00:08:27:24 - 00:08:29:15 That's the assessment models.
00:08:29:15 - 00:08:35:08 Traditionally AP are the program for tracking any problems with implementation.
00:08:35:10 - 00:08:38:18 And then the outermost ring is that consumption by stakeholders.
00:08:38:18 - 00:08:42:24 Who cares about whether or not you're following these requirements.
00:08:43:03 - 00:08:46:04 Whether that is, an authorizing official in the context
00:08:46:04 - 00:08:49:06 of the US federal government, or it's a building inspector.
00:08:49:09 - 00:08:53:10 or it's the ultimate customer at the end that needs to make sure that you're doing
00:08:53:10 - 00:08:55:00 everything you need to be doing.
00:08:55:00 - 00:08:55:21 Now, the idea
00:08:55:21 - 00:09:00:07 is that the topic areas on the previous slides are slices of this pie.
00:09:00:07 - 00:09:03:08 So, if we talk about something like ANSI standards,
00:09:03:15 - 00:09:06:15 how much torque can a bolt handle?
00:09:06:15 - 00:09:08:07 That may be a requirement.
00:09:08:07 - 00:09:10:20 The implementation might be the manufacturer
00:09:10:20 - 00:09:14:06 that bolts, decide to make it using certain materials,
00:09:14:12 - 00:09:17:09 and a certain process to make sure it has the strength
00:09:17:09 - 00:09:20:00 it's supposed to have according to the ANSI standard.
00:09:20:00 - 00:09:25:17 Then the third party lab might verify that so that when a construction company
00:09:25:23 - 00:09:30:08 needs to rely on a bolt that can support a certain amount of weight or torque,
00:09:30:08 - 00:09:31:11 they can trust that
00:09:31:11 - 00:09:35:10 that bolt was manufactured in a way that meets that requirement.
00:09:35:10 - 00:09:38:03 Material safety data sheets, are another example.
00:09:38:03 - 00:09:40:18 Actually, that's an old term. Now they're just called safety data sheets.
00:09:40:18 - 00:09:42:16 But the idea that there are certain materials
00:09:42:16 - 00:09:45:16 that are dangerous to handle, there are requirements around
00:09:45:16 - 00:09:48:17 what kind of container you can put them in and what kind of, personal
00:09:48:17 - 00:09:49:16 protective equipment
00:09:49:16 - 00:09:53:18 you should be using when you're handling that, how to safely store it.
00:09:54:00 - 00:09:54:08 Right.
00:09:54:08 - 00:09:58:14 So these are published, but they're published in more traditional
00:09:58:14 - 00:10:02:07 PDF, Word format for consumption or print and paper.
00:10:02:12 - 00:10:05:15 Boy, wouldn't it be great to have those digitized to track easier
00:10:05:18 - 00:10:09:18 so that when those materials are handled, and when an inspector comes around
00:10:09:18 - 00:10:12:22 to make sure they're being handled properly, there can be more tools to help
00:10:12:22 - 00:10:15:22 automate what those requirements are and ensuring they're being met.
00:10:16:07 - 00:10:17:05 Down at the bottom,
00:10:17:05 - 00:10:20:06 going to talk more about federal PKI in the next couple of slides.
00:10:20:11 - 00:10:24:24 that's a use case where we already have applied this to some degree.
00:10:25:03 - 00:10:28:03 And so we can talk a little bit more real world examples there.
00:10:28:05 - 00:10:31:15 But again, the idea is that the concentric circles are the same
00:10:31:19 - 00:10:34:23 no matter what topic area you're talking about.
00:10:35:05 - 00:10:38:03 You're always moving from the center out.
00:10:38:03 - 00:10:42:19 Now we're going to double click into, federal PKI policy.
00:10:42:24 - 00:10:44:22 Again. This is a real world example.
00:10:44:22 - 00:10:45:15 Rob Sherwood's on
00:10:45:15 - 00:10:49:06 the call, but, Rob has done a lot of work in this area, for example.
00:10:49:10 - 00:10:54:04 Basically, this is just one statement out of the federal PKI policy.
00:10:54:04 - 00:10:58:15 Now that PKI policy is managed by GSA, the federal PKI is something
00:10:58:15 - 00:11:02:23 that is used across government, by government, industry partners,
00:11:03:02 - 00:11:06:03 and by others who have to interact with the government in different ways.
00:11:06:19 - 00:11:10:04 And there's this overarching policy that governs
00:11:10:08 - 00:11:13:18 how all these organizations, have to behave and function
00:11:13:24 - 00:11:17:12 if they want to be integrated with the federal PKI.
00:11:17:12 - 00:11:21:21 So here's one example section 2.2.2 out of that policy
00:11:21:21 - 00:11:23:11 that has three statements in it.
00:11:23:11 - 00:11:27:15 The certificate policy must be publicly available on a particular website.
00:11:27:15 - 00:11:31:10 The certificate practice statement annual PCI compliance audit
00:11:31:10 - 00:11:34:15 letter, have to also be available on that website.
00:11:34:15 - 00:11:37:22 And finally, for the adopting organizations,
00:11:38:12 - 00:11:41:19 information about certificate authorities, that they're operating
00:11:41:22 - 00:11:45:01 relative to the federal PKI, information about
00:11:45:01 - 00:11:49:10 that has to be published on that organization's public repository.
00:11:49:10 - 00:11:53:00 So each organization has to carve out a publicly accessible place
00:11:53:04 - 00:11:57:03 their certificate practice statement in their PKI compliance audit letter.
00:11:57:05 - 00:11:59:01 So these are three requirements.
00:11:59:01 - 00:12:01:06 They're functional requirements that have to be met.
00:12:01:06 - 00:12:05:13 And the way a PKI assessor would, check these is they would come
00:12:05:13 - 00:12:08:13 in, they would have these three assessment objectives.
00:12:08:14 - 00:12:11:14 So ensure the certificate policy is appropriately published,
00:12:11:14 - 00:12:15:17 ensure the practice statement and audit letter published, and ensure
00:12:15:17 - 00:12:20:14 any organizational certificate authority, information is appropriately published.
00:12:20:14 - 00:12:23:05 It just so happens these are all inspection
00:12:23:05 - 00:12:25:12 in terms of assessment methods.
00:12:25:12 - 00:12:28:01 there's test interview and inspector.
00:12:28:01 - 00:12:31:12 year examiner, the three types of, methods that are out there
00:12:31:18 - 00:12:33:12 and the assessment objects,
00:12:33:12 - 00:12:37:00 are websites where this information has to be published.
00:12:37:01 - 00:12:40:01 So that's where the assessor is looking.
00:12:40:04 - 00:12:44:09 Now if we go to express this in OSCAL, we have to decompose it a little bit,
00:12:44:16 - 00:12:48:15 and we have to start to think about the information needs of OSCAL.
00:12:48:15 - 00:12:52:00 We're going to show you raw OSCAL on the next couple of slides.
00:12:52:00 - 00:12:53:21 But this is an intermediate step.
00:12:53:21 - 00:12:57:23 This is where we start to think about, the identifiers that OSCAL requires.
00:12:57:23 - 00:13:01:07 fact that OSCAL breaks apart a title, there's a label like,
00:13:01:08 - 00:13:03:09 that's what the humans are used to seeing.
00:13:03:09 - 00:13:06:12 you might want to define that for, you're presenting this data
00:13:06:12 - 00:13:09:20 and then you get into the individual statements, and each statement
00:13:09:20 - 00:13:13:07 has to have an identifier, each assessment objective has to have an identifier.
00:13:13:07 - 00:13:14:13 And each method,
00:13:14:13 - 00:13:17:22 and you know, so this is just like more like a planning sheet, if you will.
00:13:17:22 - 00:13:21:00 And this is just one of the three statements that we looked at,
00:13:21:02 - 00:13:24:17 and the assessment objective and method that goes with that statement.
00:13:25:04 - 00:13:28:07 Now we're looking at, this is OSCAL JSON format.
00:13:28:10 - 00:13:29:16 And so we're looking at just what
00:13:29:16 - 00:13:33:14 the three statements would look like if you were to express this in OSCAL.
00:13:33:14 - 00:13:35:09 So we're breaking it down further.
00:13:35:09 - 00:13:39:18 The three highlighted areas here are the three statements there in the upper right.
00:13:39:18 - 00:13:42:18 And then all of the other, information that you see here
00:13:42:20 - 00:13:46:10 is what OSCAL requires in order to manage this data properly.
00:13:46:10 - 00:13:49:15 Now, we had to break this across two slides to present it to you.
00:13:49:19 - 00:13:53:01 So the objectives and methods are on the next slide.
00:13:53:01 - 00:13:55:13 here we have the three assessment objectives.
00:13:55:13 - 00:13:58:13 The first three yellow highlights are the three assessment objectives.
00:13:58:15 - 00:14:01:10 They trace back to the three statements on the previous slide.
00:14:01:10 - 00:14:03:05 and I'm sorry, the assessment objectives. Yeah.
00:14:03:05 - 00:14:05:14 And then the assessment method is examined for all three.
00:14:05:14 - 00:14:09:09 then we have really two assessment objects that apply to the three statements.
00:14:09:19 - 00:14:12:01 Now, why would you go to this trouble
00:14:12:01 - 00:14:14:11 you know, how would you go about approaching this?
00:14:14:11 - 00:14:15:14 So in the next slide,
00:14:15:14 - 00:14:19:18 the why is probably the single biggest reason is the ease of ingestion.
00:14:19:23 - 00:14:23:06 So regardless of what your domain is,
00:14:23:13 - 00:14:28:11 or what your requirement category is, by using an open
00:14:28:11 - 00:14:33:02 standard like OSCAL catalogs, you create this ease of ingestion.
00:14:33:08 - 00:14:36:09 basically you're making it so that the other stakeholders
00:14:36:09 - 00:14:39:15 in your process, can create tooling around
00:14:39:16 - 00:14:42:16 your now machine readable requirements.
00:14:42:20 - 00:14:46:03 It is the cornerstone of any work you're doing with automation
00:14:46:08 - 00:14:49:08 is to get those requirements digitized.
00:14:49:12 - 00:14:51:16 So the tools can start to manage them.
00:14:51:16 - 00:14:56:06 But more than that, it's hard to go from Word or PDF to OSCAL.
00:14:56:09 - 00:15:01:04 But if you are working in OSCAL with your content as your source of truth,
00:15:01:07 - 00:15:05:04 it becomes very easy to go from OSCAL to more human readable
00:15:05:04 - 00:15:07:14 formats like HTML, Word and Excel.
00:15:07:14 - 00:15:08:22 The idea being that not
00:15:08:22 - 00:15:12:08 everybody is going to have tooling, especially early on in, in evolution.
00:15:12:11 - 00:15:15:06 so you still need to have these human readable artifacts
00:15:15:06 - 00:15:18:21 if you start with OSCAL, you can then mix and match.
00:15:18:21 - 00:15:22:01 You can present different ways, and in different formats.
00:15:22:05 - 00:15:26:08 But more than that, by starting with OSCAL, you enable the machine
00:15:26:08 - 00:15:27:08 readable responses.
00:15:27:08 - 00:15:31:13 So you enable your stakeholders to start to package up, their responses
00:15:31:13 - 00:15:32:20 to your requirements.
00:15:32:20 - 00:15:36:00 Their implementation statements, assessment statements.
00:15:36:08 - 00:15:39:24 the more you create the ability for an ecosystem like that, then
00:15:39:24 - 00:15:43:16 the more you enable the machine readable reviews and adjudication.
00:15:43:24 - 00:15:48:16 publishing requirements in an OSCAL format, you're getting implementation statements,
00:15:48:24 - 00:15:52:11 in an OSCAL format, assessment results in an OSCAL format
00:15:52:11 - 00:15:56:23 and then any other consumers of this data now have an easier time
00:15:57:04 - 00:15:59:06 with the correlation of that data.
00:15:59:06 - 00:16:02:23 They can focus on one requirement, one implementation statement,
00:16:02:23 - 00:16:07:21 one, assessment finding in context, because tools now make it easy to do that
00:16:08:03 - 00:16:11:13 instead of three different documents and trying to manually cross-reference.
00:16:11:18 - 00:16:15:09 So now how do I digitize this content?
00:16:15:22 - 00:16:18:19 And this is where I'm going to turn it over to Pirooz.
00:16:18:19 - 00:16:22:11 He's going to show you a little bit about how Comply Zero can be used
00:16:22:11 - 00:16:23:22 for authoring catalogs.
00:16:23:22 - 00:16:25:15 And then we'll get into some demos.
00:16:25:15 - 00:16:26:12 Thanks, Brian.
00:16:26:12 - 00:16:30:16 So what we see on the screen is another JSON example
00:16:30:16 - 00:16:34:13 of, a control coming out of the NIST digital identity guidelines.
00:16:34:13 - 00:16:39:05 And, Easy Dynamics as a company is a systems integrator, and we do support
00:16:39:05 - 00:16:42:23 a number of FISMA regulatory compliance efforts across the federal government.
00:16:42:23 - 00:16:44:08 But we also support federal
00:16:44:08 - 00:16:48:13 PKI audits as well as, assessments of digital identity systems.
00:16:48:17 - 00:16:52:13 we quickly ran into scenarios where, we needed catalogs
00:16:52:13 - 00:16:55:14 or if we wanted to, manage a compliance lifecycle through OSCAL,
00:16:55:22 - 00:16:58:24 that there were gaps in terms of available catalogs that were out there.
00:16:58:24 - 00:17:02:04 And we can't take the credit for the development of the federal PKI policy.
00:17:02:04 - 00:17:04:00 That was Rob Sherwood's great work.
00:17:04:00 - 00:17:07:15 we were able to kind of convert the 800-63 catalog.
00:17:07:15 - 00:17:08:22 And as Brian mentioned,
00:17:08:22 - 00:17:12:19 the entire compliance lifecycle of OSCAL relies on a catalog.
00:17:12:19 - 00:17:15:20 So what we're here to do today is to preview
00:17:15:21 - 00:17:18:00 with you a portion of Comply Zero.
00:17:18:00 - 00:17:19:24 It's a platform product capability
00:17:19:24 - 00:17:23:20 that we're developing with an opinionated, on OSCAL, editing capabilities.
00:17:23:20 - 00:17:27:16 There are several tenets that I did want to highlight while we were developing
00:17:27:16 - 00:17:30:14 Comply Zero. One of them is it's API first.
00:17:30:14 - 00:17:35:03 What that means is we're designing a UI, around a robust RESTful API.
00:17:35:03 - 00:17:38:03 And really we're doing that because we're trying to provide developers
00:17:38:03 - 00:17:42:01 automation, endpoints and capabilities for anything we may be and will be
00:17:42:01 - 00:17:43:01 short sighted of.
00:17:43:01 - 00:17:46:14 The next is we're OSCAL native, what does it mean to be native?
00:17:46:14 - 00:17:50:18 That means we restore the OSCAL files as JSON, and,
00:17:50:22 - 00:17:53:19 we're validating conformity with every transaction.
00:17:53:19 - 00:17:55:15 Yes. That does mean we're building
00:17:55:15 - 00:17:59:08 and, enforcing our validation rules and our validation schema.
00:17:59:13 - 00:18:03:17 We've been comparing that against the, available CLI and,
00:18:04:03 - 00:18:07:00 continue to mature our validation engine, but that gives us
00:18:07:00 - 00:18:10:20 an ability to validate and making sure we're maintaining OSCAL.
00:18:12:01 - 00:18:14:11 Maintaining the integrity of the specification.
00:18:14:11 - 00:18:15:03 And last,
00:18:15:03 - 00:18:18:21 we also recognize that there's many use cases of the compliance lifecycle.
00:18:18:24 - 00:18:23:06 There are workflows and, use cases that are very abundant.
00:18:23:08 - 00:18:28:11 Our goal is to build to OSCAL first and, continue to develop towards
00:18:28:14 - 00:18:31:24 any use cases we see that's around the OSCAL interactions
00:18:31:24 - 00:18:35:05 and the ability to share and work with OSCAL files.
00:18:35:05 - 00:18:38:06 That said, I want to jump into a demo.
00:18:38:13 - 00:18:41:13 and give me a second as I switch over.
00:18:42:13 - 00:18:43:05 All right.
00:18:43:05 - 00:18:48:22 So, I'm logged into the application right now, and what I see is a quick dashboard,
00:18:49:15 - 00:18:53:00 entry, and I have some, links up here.
00:18:53:00 - 00:18:54:22 Implementation assessments have been grayed out,
00:18:54:22 - 00:18:57:00 but under controls I can get to catalogs.
00:18:57:00 - 00:18:58:18 And I see that I don't have any catalogs.
00:18:58:18 - 00:19:01:18 And what I'd like to do is work on developing a catalog with,
00:19:01:19 - 00:19:02:16 the group today.
00:19:02:16 - 00:19:06:00 So we're going to go ahead and call this NIST Workshop
00:19:06:06 - 00:19:09:02 Digital Identity Guidelines.
00:19:10:02 - 00:19:13:02 Version 3.0.
00:19:14:09 - 00:19:16:21 And within catalog
00:19:16:21 - 00:19:20:23 I have main controls, tab metadata and back matter.
00:19:21:02 - 00:19:23:17 And I can start to build out my catalog.
00:19:23:17 - 00:19:26:17 So what I'd like to do is go ahead and add a group
00:19:26:18 - 00:19:29:05 called that Key Management.
00:19:29:05 - 00:19:29:21 Sorry.
00:19:29:21 - 00:19:33:19 KM group title key management.
00:19:33:19 - 00:19:36:19 And I'm going to go ahead and create a nested control.
00:19:36:24 - 00:19:41:04 And I'm going to call this Key generation
00:19:42:24 - 00:19:45:24 Entropy
00:19:46:17 - 00:19:50:02 So once I have my control I have my, dashboard here.
00:19:50:02 - 00:19:53:23 I have some badges to see params, props because I did give it a label
00:19:54:05 - 00:19:58:02 that there is a, prop that's available already automatically.
00:19:58:02 - 00:20:01:22 But I'm going to go ahead and build out control with the quick overview.
00:20:01:22 - 00:20:04:04 We support the markdown capabilities.
00:20:04:04 - 00:20:09:01 So if I wanted to kind of emphasize something, I can emphasize it.
00:20:10:09 - 00:20:11:07 I'm going to go ahead
00:20:11:07 - 00:20:14:07 and add a statement here.
00:20:16:23 - 00:20:17:23 And emphasize
00:20:17:23 - 00:20:21:12 one of the "shall" statements, but basically enforce minimum entropy
00:20:21:12 - 00:20:26:22 requirements for key generation, 112 bits for symmetric and 2048 for asymmetric.
00:20:26:22 - 00:20:29:22 And I do want to add some guidance.
00:20:30:16 - 00:20:33:12 And I see here that there's maybe a link.
00:20:33:12 - 00:20:36:12 I'm going to go ahead and.
00:20:36:23 - 00:20:39:23 Pretend this goes to google.com.
00:20:40:03 - 00:20:43:03 And I got
00:20:43:14 - 00:20:46:14 Brackets backwards.
00:20:50:01 - 00:20:53:01 And I see that that links up.
00:20:53:03 - 00:20:55:22 I'll add an assessment objective as well.
00:20:55:22 - 00:20:59:20 I don't need to fill out every portion here, but essentially you see that,
00:21:00:04 - 00:21:04:02 we have drawers that pop up and provide you some kind of,
00:21:04:04 - 00:21:07:11 ability to edit each of the, objectives or statements.
00:21:07:11 - 00:21:10:11 I do have the ability to add additional statements.
00:21:11:02 - 00:21:14:02 And I have the ability to add additional assessment objectives.
00:21:14:04 - 00:21:16:19 And last, I'll do the assessment method here.
00:21:18:13 - 00:21:20:08 Set this to examine.
00:21:20:08 - 00:21:22:16 And I'm now examining.
00:21:22:16 - 00:21:26:08 But what I'd like to do is I do notice that, my control statement
00:21:26:08 - 00:21:29:09 here does have opportunities for organizational parameters.
00:21:29:09 - 00:21:31:15 I see here that I have no parameters set.
00:21:31:15 - 00:21:35:15 So I can go to the parameters page and add new parameters.
00:21:35:15 - 00:21:38:10 But I'm going to go ahead and do it directly from the statement.
00:21:38:10 - 00:21:41:07 I have 112 bits right here.
00:21:41:07 - 00:21:44:05 I'd like to replace that. So we do have an add parameter.
00:21:44:05 - 00:21:48:20 And this gets a little bit interesting because we have a list of parameters.
00:21:48:20 - 00:21:49:17 There's none available.
00:21:49:17 - 00:21:52:01 So I need to create a new one in here.
00:21:52:01 - 00:21:56:07 I'm going to just go ahead and call this bits for symmetric key systems.
00:21:57:23 - 00:21:58:23 Usage.
00:21:58:23 - 00:22:02:09 And what I'd like to do is also add a constraint.
00:22:03:21 - 00:22:05:21 With the test criteria.
00:22:05:21 - 00:22:09:02 Putting in an expression that has to be at least 112.
00:22:09:17 - 00:22:14:05 So I'm putting in the adding the constraint saving that.
00:22:14:17 - 00:22:17:03 And now I have this new parameter available to me.
00:22:17:03 - 00:22:19:21 So I can select that and click add parameter.
00:22:19:21 - 00:22:22:13 And I see now that I've inserted the parameter
00:22:22:13 - 00:22:25:20 I hit save I now have the parameter available to me.
00:22:25:20 - 00:22:27:08 And I see that there's one parameter.
00:22:27:08 - 00:22:32:06 parameters can be in OSCAL built at the control level, at the group level.
00:22:32:06 - 00:22:35:14 And I believe at the catalog level. Currently we support parameters 00:22:35:14 - 00:22:36:23 just at the control level. 00:22:36:23 - 00:22:39:24 That kind of aligns with 800-53. 00:22:40:01 - 00:22:44:08 I'm going to go ahead and show another parameter of replacing 2048. 00:22:44:16 - 00:22:47:20 In this situation, I'm going to make it a selection parameter 00:22:47:23 - 00:22:52:07 and bits for asymmetric key systems. 00:22:53:14 - 00:22:54:13 Usage. 00:22:54:13 - 00:22:58:07 And I'm going to go ahead and add a choice here of 2048. 00:22:59:21 - 00:23:02:21 And just add another one of 4096. 00:23:04:11 - 00:23:05:12 Save that. 00:23:05:12 - 00:23:08:12 And I see here I do have a selection parameter. 00:23:08:12 - 00:23:10:00 I'm going to go ahead and insert that. 00:23:10:00 - 00:23:14:01 And now I have two options, 2048 or 4096. 00:23:14:01 - 00:23:16:02 Within the, control. 00:23:16:02 - 00:23:18:23 So, to give you an idea, metadata is available. 00:23:18:23 - 00:23:24:09 So is back matter. I'm not going to go into the details around all of these, but, 00:23:24:15 - 00:23:27:24 you can create roles and, let's call this document 00:23:27:24 - 00:23:30:24 creator, DC for short. 00:23:31:01 - 00:23:35:09 And, you know, there is, I think, the evolution of OSCAL, 00:23:35:09 - 00:23:40:02 particularly as you start to think about properties, links and namespaces 00:23:40:02 - 00:23:42:15 and how it's used. Our goal when we were developing 00:23:42:15 - 00:23:45:13 this product was to support high fidelity OSCAL. 00:23:45:13 - 00:23:47:24 So as you see here, some of these links and props 00:23:47:24 - 00:23:50:17 I can drill in and create new properties. 00:23:50:17 - 00:23:54:15 These properties may take on behaviors that, as the market kind of matures 00:23:54:15 - 00:23:58:01 and we see how people and companies are using properties, we'll adjust. 
00:23:58:01 - 00:24:01:02 But this does give us an ability to, have certain 00:24:01:02 - 00:24:04:10 fidelity in terms of managing, and creating an all OSCAL catalog. 00:24:04:10 - 00:24:07:17 But what's the value of this? As, Brian was mentioning, you know, 00:24:07:17 - 00:24:11:11 the value here is to be able to interact and to be able to share and disseminate. 00:24:11:11 - 00:24:15:00 So, I'll go ahead and export this, and I've queued it up. 00:24:15:00 - 00:24:17:01 It's available for download. 00:24:17:01 - 00:24:19:12 I'll go ahead and download this file. 00:24:19:12 - 00:24:22:07 While I drag this into the screen. 00:24:22:07 - 00:24:24:10 And let me just hit pretty pink. 00:24:24:10 - 00:24:25:07 Pretty print. 00:24:25:07 - 00:24:28:20 Here we'll see that, catalog has been made available. 00:24:28:20 - 00:24:31:04 We are a JSON-based system. 00:24:31:04 - 00:24:33:09 We do have conversion capabilities on OSCAL.io 00:24:33:09 - 00:24:36:23 to go between YAML and XML, and that's kind of our methodology. 00:24:36:23 - 00:24:38:20 But we're going to be JSON. 00:24:38:20 - 00:24:43:18 And as you see here, the control was added with the correct, parts. 00:24:43:22 - 00:24:49:02 And you see here that, parameters are also developed 00:24:49:02 - 00:24:53:06 with IDs, labels, usage, tests with the expression available. 00:24:53:06 - 00:24:58:13 And I'll just zoom in a little bit here so you get a sense of the generated OSCAL. 00:24:58:23 - 00:25:02:15 And the value here is that now that I have this file, I can publish this, 00:25:02:15 - 00:25:04:03 to some available resource 00:25:04:03 - 00:25:08:01 for, implementers downstream to be able to take advantage of. 00:25:08:01 - 00:25:08:20 Let me come back. 
00:25:08:20 - 00:25:09:21 And I think the, 00:25:09:21 - 00:25:13:15 last part of the demonstration for the UI and the capabilities, 00:25:13:15 - 00:25:15:03 we're going to go back to catalogs and we're 00:25:15:03 - 00:25:16:22 just going to go ahead and import some. 00:25:16:22 - 00:25:21:01 I have a set of catalogs here, about 10 or 11 that I'll import. 00:25:21:03 - 00:25:24:22 While we're importing, we are importing and validating to OSCAL schema. 00:25:25:00 - 00:25:28:23 In this scenario, all of these catalogs should validate. 00:25:28:24 - 00:25:32:19 I'm uploading, units 1.2MB file, 00:25:32:24 - 00:25:36:07 and they've all successfully uploaded and validated. 00:25:36:07 - 00:25:40:10 So if I go back, I now have a number of catalogs available to me. 00:25:40:10 - 00:25:43:02 I'm going to go ahead and go into the X509. 00:25:43:02 - 00:25:46:04 And here we see that under 2.2.2, 00:25:46:05 - 00:25:50:06 what Brian was showing earlier, that the CP must be publicly available. 00:25:50:12 - 00:25:53:17 So some of the JSON that Brian was showing we have here 00:25:53:17 - 00:25:56:17 is three different statements that can be, responded to. 00:25:56:21 - 00:25:58:24 Go ahead and show a couple of other scenarios 00:25:58:24 - 00:26:02:01 where we're seeing, controls and groups used in different ways. 00:26:02:10 - 00:26:04:04 So the Australian information, 00:26:04:04 - 00:26:08:00 we see that they kind of organize a first set of, controls 00:26:08:00 - 00:26:13:05 or groups more as an introductory, to the manual intended audience. 00:26:13:05 - 00:26:15:24 So we're seeing different uses of, OSCAL 00:26:15:24 - 00:26:17:05 emerge. 00:26:17:05 - 00:26:20:14 And likewise the Singapore manual did not work immediately. 00:26:20:14 - 00:26:24:09 We have submitted a pull request, on the but this is a functioning, 00:26:24:09 - 00:26:27:18 working, valid OSCAL file for the Singapore manual. 
00:26:28:00 - 00:26:31:23 And you get to see some of the, different uses of our OSCAL has been, 00:26:31:23 - 00:26:34:04 our catalogs are being developed in the market. 00:26:34:04 - 00:26:39:22 Lastly, 800-53, let's say version five high, the number of controls 00:26:39:22 - 00:26:41:24 that we have in here and the nested controls. 00:26:41:24 - 00:26:45:15 So take a look at AC-2 and we see a much more robust statement, 00:26:45:15 - 00:26:49:15 all the different parameters that are available to us, guidance, 00:26:49:15 - 00:26:51:02 assessment objectives. 00:26:52:19 - 00:26:55:09 So that gives you a sense of how the platform kind of handles 00:26:55:09 - 00:26:58:08 the different, complexities that may come with the OSCAL catalog. 00:26:58:08 - 00:27:03:17 That said, what I'd like to do now is stop sharing and hand over to Juan Risso. 00:27:03:21 - 00:27:04:23 Thank you Pirooz. 00:27:04:23 - 00:27:08:22 I love how easy it is to create or edit OSCAL files with the Compliance Hero UI, 00:27:08:22 - 00:27:13:06 but what makes this even more impressive is the powerful API behind it. In Compliance 00:27:13:06 - 00:27:17:00 Hero, we advocate for a public API specification. 00:27:17:00 - 00:27:19:02 Let me share that with you. 00:27:19:02 - 00:27:23:17 This enables developers to build applications or workflows on top of it. 00:27:23:17 - 00:27:28:05 This specification has been available at OSCAL.io and will remain 00:27:28:05 - 00:27:31:13 a cornerstone of supporting the open, scalable integrations. 00:27:31:13 - 00:27:36:06 As OSCAL adoption grows, a common exchange protocol becomes increasingly essential 00:27:36:06 - 00:27:39:21 to improving compliance interactions within and across organizations. 
00:27:39:21 - 00:27:43:04 We are committed to expanding our API capabilities, continuing 00:27:43:04 - 00:27:47:05 to promote the public specification and engaging with the community to drive 00:27:47:05 - 00:27:49:16 adoption of OSCAL-powered tools. While the Compliance 00:27:49:16 - 00:27:52:19 Hero UI handles complex tasks interactively, 00:27:53:00 - 00:27:54:23 our API goes even further. 00:27:54:23 - 00:28:00:16 The API can enable advanced automation, custom workflows, and powerful use cases 00:28:00:16 - 00:28:02:02 beyond the UI capabilities. 00:28:02:02 - 00:28:03:16 Now let's make this real. 00:28:03:16 - 00:28:07:21 Let me show you a little bit of how we can use, the API. Go. 00:28:08:04 - 00:28:11:08 Please let me know when you see my screen. 00:28:11:13 - 00:28:13:24 We see it Juan. Perfect. Thank you. 00:28:13:24 - 00:28:17:07 So a lot of you, you may have data in something 00:28:17:07 - 00:28:21:03 like an Excel file where you have all the specifications and controls. 00:28:21:03 - 00:28:24:08 So what I will try to do now is, using the API, 00:28:24:08 - 00:28:28:11 I will try to import this to the catalog that was created before. 00:28:28:11 - 00:28:29:19 So let me log in. 00:28:29:19 - 00:28:33:00 And we should, when we go to continue to the catalog, 00:28:33:00 - 00:28:36:00 we should see all the, the ones that Pirooz 00:28:36:01 - 00:28:37:11 just imported. 00:28:37:11 - 00:28:40:07 So now I will 00:28:40:07 - 00:28:43:15 look for the one that Pirooz created here. 00:28:43:15 - 00:28:48:06 We have, and we can see that we have only one, group. 00:28:48:12 - 00:28:52:15 So first let me try to log in to the API. 00:28:56:10 - 00:28:57:09 Once I 00:28:57:09 - 00:29:00:21 log in, things that I can do, for example, is list 00:29:00:24 - 00:29:04:13 all the catalogs, similar to what we saw before. 00:29:04:16 - 00:29:07:14 So I see the catalog right here. 
00:29:07:14 - 00:29:10:15 And now what I will try to do is import 00:29:10:19 - 00:29:14:16 that, catalog, like that Excel file 00:29:14:16 - 00:29:16:20 that you saw before, into the catalog. 00:29:16:20 - 00:29:19:20 So I will copy the ID. 00:29:22:14 - 00:29:25:14 And I will paste it here that. 00:29:26:17 - 00:29:27:02 Okay. 00:29:27:02 - 00:29:29:00 Looks like it imported correctly. 00:29:29:00 - 00:29:33:09 So I'm going back to that catalog. I will refresh and we can see 00:29:33:09 - 00:29:36:23 now everything on the Excel file was imported. 00:29:37:10 - 00:29:40:21 One more thing that we, as 00:29:41:04 - 00:29:45:20 Pirooz mentioned before, we do validation before we persist the data. 00:29:46:01 - 00:29:48:02 So this is very important. 00:29:48:02 - 00:29:50:18 There are things that are hard to enforce. 00:29:50:18 - 00:29:54:07 For example, one thing is when you have IDs, 00:29:54:18 - 00:29:57:05 you cannot have IDs in the same control. 00:29:57:05 - 00:30:03:09 So I will try to import this again and see if the validation, actually 00:30:03:15 - 00:30:04:21 fails, because 00:30:06:03 - 00:30:06:21 there we go. 00:30:06:21 - 00:30:11:05 You cannot have the same ID. So at the API level, we are validating that 00:30:11:05 - 00:30:16:08 all the data that you're bringing into your catalog is OSCAL compatible. 00:30:16:08 - 00:30:18:09 And works on it imports. 00:30:18:09 - 00:30:20:07 Hope you enjoyed this demo. 00:30:20:07 - 00:30:25:04 We have one more demo on how you can integrate the API in your daily workflow. 00:30:25:04 - 00:30:27:24 And for that I will switch to you, Brian. Right. Thank you. 00:30:27:24 - 00:30:33:16 You all should be seeing, now, an Excel spreadsheet. 00:30:33:19 - 00:30:37:00 This is an example, where before we had 00:30:37:00 - 00:30:42:09 an, OSCAL catalog authoring tool, we needed to get 800-63 00:30:42:16 - 00:30:46:19 in, OSCAL catalog format for some work that we were doing. 
00:30:46:23 - 00:30:50:10 So what we had done at the time was we created this spreadsheet 00:30:50:10 - 00:30:54:09 and we had knowledgeable people, break the content down. 00:30:54:16 - 00:30:59:05 And this was a great way to stage of bulk, creation of an OSCAL catalog. 00:30:59:05 - 00:31:04:03 Originally it just had these create JSON or create XML and we could generate, 00:31:04:06 - 00:31:09:10 a raw OSCAL file, from this, Excel content using this spreadsheet. 00:31:09:10 - 00:31:12:10 And this is, just VBA script behind the scenes. 00:31:12:14 - 00:31:15:21 And then we realized as we created the tool that, hey, this would be a great way 00:31:15:21 - 00:31:20:00 to bulk stage, catalog content and upload it into the tool. 00:31:20:06 - 00:31:22:19 We added the API portion over here. 00:31:22:19 - 00:31:28:00 So now here's the same, catalog that, we've been using for the other portions 00:31:28:00 - 00:31:31:00 that Pirooz created and that Juan, used 00:31:31:00 - 00:31:34:00 the API to do the 800-63A upload. 00:31:34:08 - 00:31:38:00 What I'm going to do is, I missed getting one thing. 00:31:38:07 - 00:31:41:07 I'm going to come back here to the catalog list. 00:31:41:07 - 00:31:46:17 I'm going to find the NIST workshop, and I need to get the identifier from here. 00:31:46:17 - 00:31:51:14 I'm then going to go here to the identifier, and, 00:31:51:18 - 00:31:54:24 we already have the API endpoint specified. 00:31:54:24 - 00:31:57:07 We can specify any API back end. 00:31:57:07 - 00:31:59:23 And then we have the login credentials. 00:31:59:23 - 00:32:03:01 And I'm going to go ahead and click upload via API. 00:32:03:05 - 00:32:08:12 What this is going to do is it's going to go through all of the rows in 63 00:32:08:12 - 00:32:14:22 B, the 63 B tab, and it will create a 63 B group and upload all of this content. 00:32:16:11 - 00:32:19:20 And so behind here, this is just my debug window. 
00:32:19:20 - 00:32:22:23 So I can make sure things are running, not throwing any errors, but 00:32:22:23 - 00:32:26:07 even while it's running, I can come over here. 00:32:26:11 - 00:32:30:01 I can, open the workshop, and I can already see 00:32:30:01 - 00:32:32:11 that the 63 B group has been created. 00:32:32:11 - 00:32:35:11 And some of the controls are already in here. 00:32:35:17 - 00:32:38:08 Takes about 30 seconds to import them all. 00:32:38:08 - 00:32:41:02 That's about 200 controls from the spreadsheet, but 00:32:41:02 - 00:32:44:23 I'm going to come in here and here's the statement 00:32:44:23 - 00:32:49:11 from the spreadsheet, the guidance, assessment objective and the methods. 00:32:49:22 - 00:32:52:15 And that's what the spreadsheet happened to have. 00:32:52:15 - 00:32:56:05 Now, again, I'm going to do an export here. 00:32:56:14 - 00:33:00:00 To my download. 00:33:00:07 - 00:33:03:19 And then I'm going to open this in Oxygen. 00:33:04:11 - 00:33:06:15 Go ahead and make this nice again. 00:33:06:15 - 00:33:08:18 I'm going to take this a step further. 00:33:08:18 - 00:33:13:05 And here's the catalog JSON schema that this publishes. 00:33:13:13 - 00:33:18:17 And I see that I have green, which means this, this entire content 00:33:18:23 - 00:33:24:00 that we created for you live, is being validated by the NIST 00:33:24:01 - 00:33:28:10 OSCAL schema that's published for 1.1.3 and is being found to be fully valid. 00:33:30:05 - 00:33:33:05 And you can see all the, I'm all the way at the bottom. 00:33:33:05 - 00:33:34:20 Here, let me get to the top. 00:33:34:20 - 00:33:38:19 You know, what happens in here is the order gets changed in JSON, 00:33:38:19 - 00:33:41:20 so I have to find the metadata group down here. 
00:33:41:20 - 00:33:47:08 But I should be able to see that the, last modified date is today, and, 00:33:47:12 - 00:33:50:23 I think that's, universal time, 00:33:51:04 - 00:33:54:15 which is why it's a little bit off from our eastern time schedule, we've 00:33:54:15 - 00:33:58:15 created OSCAL content just right here for you on the call from 800-63. 00:33:58:17 - 00:33:59:21 And thank you, Brian. 00:33:59:21 - 00:34:04:08 I think that concludes, the briefing and demonstration. 00:34:04:09 - 00:34:07:13 Happy to open up the floor to conversation and questions.