00:00:00:01 - 00:00:25:00 Thank you, Michaela, for welcoming us to the workshop. My name is Chris. I work at a company called Container Solutions. And today I'm going to be talking to you about the continuous compliance framework, which we've been working on for the last couple of months. Now, in all fairness, originally the talk was titled "working with subjects and components" and how we sort of map them in the continuous compliance framework. But since then, we've done quite a bit of work on our framework and the editor involved. So I'll show at the end a little bit about that as well.

00:00:25:00 - 00:00:47:07 Who are we, in terms of Container Solutions? We are a cloud native consultancy. We've written a bunch of books. We've published a bunch of open source projects, like External Secrets Operator, which some of you might have heard of, and the Java Operator SDK, which we eventually handed over for some people to work on. And now we're working on the continuous compliance framework after OSCAL nicely released us into the world of compliance and helped us to map things machine-readably.

00:00:47:07 - 00:01:00:14 The compliance framework, if you haven't heard of it: the continuous compliance framework is bringing control mapping and compliance automation to technology, essentially. I want to say cloud native, but it also does a lot more than just cloud.
00:01:00:24 - 00:01:23:04 As I'll show you in a little bit. It is open source. You can run it. You can test it. You can see it on your local machine. It is a work in progress. So we're currently working on a lot of the editor inside of the continuous compliance framework for building stuff like system security plans and parties and roles and catalogs. And next will come assessment plans and assessment results. And then findings. I'll talk a little bit about that in a couple of minutes as well.

00:01:23:04 - 00:01:48:07 We are looking for help with the continuous compliance framework. At this very moment, what we're specifically looking for, and hopefully the editor helps lubricate that conversation a little bit, is people who are implementing system security plans in OSCAL. We would love to talk to you about your system security plans and see how we make our editor useful to you in every way possible, so you can build easily without having to manually work on JSON files, which can get quite annoying.

00:01:48:07 - 00:02:03:01 Perfect. So, to the original topic of this talk: in the continuous compliance framework, we have got automated agents, which are distributed across the organization to collect evidence of control implementations from across the organization and then map those to regulatory controls.
00:02:03:01 - 00:02:42:24 One of the challenges we've had with OSCAL is mapping those evidences back to subjects. I'm going to show this in a little demo very soon. But mapping those findings and observations back to subjects in a way where we don't have to reach out to an OSCAL API to ask what a subject's ID is, or anything related to that, where we can map automatically to subjects from different agents in different places. Also things like, if we look at a single, let's say, Linux machine: if we're looking at the configuration of SSH from one perspective and the configuration of the EC2 instance which you're running, one is sitting inside that machine, one is sitting outside the machine. How do we map that to a singular subject, to say, this machine, tested from multiple angles?

00:02:42:24 - 00:03:09:02 And then the other is component identifiers. Meaning that, if there's a component running on a machine, like, let's say an operating system, as a component, how do we say it's the same component across all of these distributed agents which we have for a singular operating system, if we do not know the UUID and we can't go and fetch that UUID, because we're not readily going to talk to the API due to the distributed nature of our agents? So we're going to lightly talk about how we solve those two problems. We're not the first to solve it. I just like talking about it, essentially.
00:03:09:02 - 00:03:56:20 So in the continuous compliance framework, you'll see in the center there's a CCF API. That's the sort of central point where all this evidence gathering and policy testing, which happens in our agents, gets collected in a single place. But if you have multiple machines, you need to map the same subjects. So how we do that is via subject mapping attributes. So instead of trying to say a subject is a thing, a singular thing, in the CCF we actually identify a subject as a set of attributes. If those sets of attributes are close enough to each other, or similar enough, we can relate those to being the same subject. I tried to draw it in stickies on the right hand side to show different agents. But yeah, so on the left hand side, you'll see that all these things come from different sides. And in the API we want to say, right, this subject: give us all of the things that you've tested against the subject from all of the perspective agents and positions.

00:03:56:20 - 00:04:11:04 So, I have said a little bit of how we do that, but we do seeded UUIDs through attribute maps. So we build an attribute map for each subject from our plugin and policy systems, which sit on that machine, outside that machine, or testing that machine.
00:04:11:08 - 00:04:41:10 And then from that map, we essentially have a sort of rule engine that says, right, if these attributes match, then use X attribute to build a random ID for this thing. But if another agent sends evidence or findings for that specific subject, and the attribute maps are similar enough, the ID that comes out the other end will be the same. So we sort of use UUIDs in a sort of hash fashion, to say, right, generate IDs from a seeded map rather than universally unique. And then, yeah, if it looks the same, it might be the same.

00:04:41:10 - 00:05:23:15 One of the other troubles we've had is exactly the same sort of thing: mapping components. So I spoke a little bit about these operating systems. So if you have an operating system on six different hosts, how do you find a common UUID across them? Exactly the same. Not exactly the same thing. So for components, what we've done is mapped human readable component identifiers to them, to say this is operating system Ubuntu 18, for example. And if that's the same across multiple agents sending results, we sort of map that to the same component identifier. So that from a component you can see all of the different subjects, things in your organization essentially implementing that component, using that component or being that component. We have got a sort of common component library for things like that.
00:05:23:17 - 00:05:53:03 I'll talk more about that soon. That's not the topic of today though. The topic of the day is specifically to show you the subject map and the component mapping. I'll reshare because I have to go to a different window. There we go. This. Move. This. So this is the continuous compliance framework. And you see on this page, we've got a bunch of findings related to information that's being collected from all over our organization. I've run two agents for the moment: a GitHub agent and our machine agent. So.

00:05:53:03 - 00:06:33:03 If I do that, you'll see that we've got four findings related to a single machine: SSH checks being run on that machine, and then apt package version checks on that machine as well. Now, how we collect this information, as I've said, is through these agents and through plugins; it has a plugin system. So on this machine is an agent running two different plugins with two different sets of Rego policies, which then collect information about specific running systems or running services on those machines, populate that into JSON and then run that through Rego, so you can write policies against those machines or against the checks being run or the configuration being collected. That then pops into the CCF API. And then this is what it looks like if you sort of look at a machine.
00:06:33:03 - 00:07:04:20 Now I spoke about the subject mapping, and you'll see that in here. I broke this earlier. If we now look at this machine instance, we have all of the different checks related to the same subject in CCF, which means you can look at this subject holistically from all of the different things you're testing. And that then means that from our agents, we don't actually need to know what a subject ID is or what a component ID is. The API sorts that out as we collect information into this sort of central place. Fantastic.

00:07:04:20 - 00:07:51:08 So that's a little bit of what I managed to talk about, the subject mapping, to show how that works. And then we can jump over to catalogs. Before I jump onto that, subjects in CCF are also compounding subjects. So I'll use the example of our GitHub agent running here. You'll see that we can test for software repository specific things. And each software repository can be a subject on its own, but holistically a software organization can also be a subject. And so findings can be related to compounding sort of subjects as a whole. And so you can form this view which you can zoom out or zoom in as far as you like on a subject and see all of the findings which you've collected across your business for that specific subject. And components will function very much the same. The components view isn't on here.
00:07:51:08 - 00:08:45:11 We've got some small things which we need to clean up for the UI, and then we will pop those in here as well. Fantastic. Cool. The next piece I wanted to show and talk a little bit about is the editor, which we've got inside of CCF now. And this is where we need lots and lots of help to define what this looks like in real organizations, especially ones who are talking to auditors or implementing system security plans in OSCAL to talk to auditors. So, the system security plan editor which we've got: in OSCAL a system security plan has got characteristics, system information, sensitivity levels. Then there's a bunch of diagrams around authorization boundaries and network diagrams and data flows, and then the system implementation, which has your users, your components here, inventory items, that sort of thing. So this is where the components piece comes in. So I wanted to talk a bit about the editor and see if there are people out there with SSPs who want to talk to us, essentially.

00:08:45:11 - 00:09:03:02 So one of the cool features which I wanted to show around the system security plans is the diagram editors, which we've included. So diagrams in OSCAL are notoriously weird and difficult. They all get exported to base64 format, so that an image can be displayed in an OSCAL editor slash viewer.
00:09:03:06 - 00:09:39:22 And so we've tried to include the diagram editing inside the editor so that it can be seen from or be used within CCF and then form part of your overall OSCAL output. We'd love some feedback on it. I'd love some testing on it to see whether people can use it and whether it works correctly and whether the things export correctly. So again, if you have system security plans or you're editing system security plans by hand, come talk to us. We're quite friendly, I think. And then there's a system implementation which has users and your components; soon, I think, we will be working with inventory items as well, once we build a better picture of what inventory looks like for an organization, and potentially collect these from agents as well.

00:09:39:22 - 00:09:53:23 I've flown through that. It was meant to be lots longer. I can talk a little bit more about our findings, and how specifically these work, because those relate as well. And then talk about the roadmap, what's coming next for CCF. So in terms of what it does. Yes, Ian?

00:09:53:23 - 00:09:58:00 So I'd go on, and I think it's worth showing the evidence gathering for those.

00:09:58:00 - 00:10:07:06 Yeah. Yes, absolutely. So we've been talking about these agents which are collecting information as well. Everything in here that you see is all OSCAL, all OSCAL compatible or OSCAL capable.
00:10:07:06 - 00:10:24:14 Because of the subject mapping and the component mappings, we do have some endpoints for our agents which are not directly OSCAL, but at the end of the day they output to OSCAL. So you can export full OSCAL documents for your findings. So, I'll go into one of these to show you what that sort of looks like.

00:10:24:14 - 00:11:13:10 Again, we sit with these agents, which collect information from all over, so in CCF we don't have the concept of a central control unit which goes out into the world to go and fetch information. We see that as slightly insecure because not only do we not want your keys in one place, we don't really want your keys at all. So we decided to use this agent architecture, where we have really small agents which have very, very limited access to only test the thing that it's testing or only collect evidence on the thing that it's looking at, and not have any other means of sort of moving laterally or causing chaos within the organization. So they collect information continuously, every X amount of time, which is fully configurable. They then collect information about the implementation of how we implement the specific components. And these can be specific pieces of software, for example SSH running on a host machine.
00:11:13:10 - 00:11:55:09 Or these could be more widespread; due to the plugin system we've got, you could pretty much test anything. I know that Ian likes to say anything you can turn into a JSON document can be passed into the CCF. So once you turn this stuff into a JSON object, we then have a policy engine where you can write policies against those things and map those specifically to controls. That's one piece I missed, which I'll talk about in a second. And so these findings from these agents are then continuously sent to the central CCF API and mapped to catalogs and controls, mapped to subjects, mapped to components, and then form an OSCAL picture, so that by the time you're ready, you can export that for OSCAL and have the latest results, being continuous, essentially.

00:11:55:09 - 00:12:26:01 I'll show you a little bit about the catalogs as well, just because that's quite interesting. So these agents are continuously sending information in, and in those policies we've built into the policy engine, we've built a control mapping feature where you can map the findings to specific controls that they're providing, or that they're trying to provide, evidence for. And once we get to the editor stage where we have assessment plans, assessment results, you'll be able to link these automated findings directly into assessment results so that your assessment results are continuously updated.
00:12:26:01 - 00:12:59:19 Which you can then export as your sort of compliance footprint at any point in time. I'll share a little bit about how those are mapped. So if we look at the SP 800-53 catalog, which is in CCF, mapped; I know that work I've got now is sending to IA-2 for multifactor authentication. Yes. So, this is the SP 800-53 catalog. And you see the statements and guidance and objectives and assessment methods. And then there are two specific controls: multifactor authentication to privileged accounts and multifactor authentication to non-privileged accounts. And that has the full control in it.

00:12:59:19 - 00:13:38:06 But also you'll see these little green and red buttons over here. Those are these continuous checks being run and then sent to the CCF API and mapping directly to controls. So if I go to those findings, you'll see specifically "two factor authentication is required" at an organizational level, meaning that it is switched on in our GitHub. Then you can view that finding and see more details on how exactly the evidence was collected. So if I go into the tasks and see how that evidence was collected across the agent, then, because we're essentially talking about continuous compliance, this has a history. It's green because it has been green across every check we've done. But you can sort of see the history of this check over time and see how long it was satisfied.
00:13:38:06 - 00:14:46:23 And you can see when that dips. Talking about when that dips, you can also aggregate sort of findings together into dashboards, if you're working on a specific security implementation or improving controls in a specific place. So if I go back to findings; I'm jumping around a lot, I apologize, but I think that should be okay. So if I go to type repository, I just search for everything repository-like and we filter for, let's say, S2 problematic repositories, which we wrote out. I say this policy template over here. And let's say our configuration service. You see that those then list all of the findings related to just specifically those two repositories. And we can then save that search into primary vulnerability goals. And if I submit those, if you go over to dashboards, you'll see those persisted. So you can sort of monitor those over time. These don't currently have an influence on your actual OSCAL documents; they do have an influence on giving you an overview of where you are in terms of control implementations, POAMs, that sort of thing.

00:14:46:23 - 00:14:57:20 Chris, sorry to interrupt. We got a couple of questions coming in. So one was what is SAMA, which I've explained is the Saudi Arabian Monetary Authority. Yes. Michaela had a question.
00:14:57:20 - 00:15:10:00 You're mapping the finding to an implementation of a control, or to the control in a catalog? And I said we're mapping it to the catalog at the moment, but that could be extended to other parts of the OSCAL hierarchy as well.

00:15:10:00 - 00:16:09:11 Yes. So, I should put in "findings" and in brackets "evidence" over here, because these findings are things that we find on machines, but not necessarily OSCAL findings which are going to go to an auditor or to a regulatory body. So these findings are things that we're finding on the machines, which are related to controls, to say these are testing for X, Y, and Z controls. They relate specifically to a catalog control now, or to a profile-resolved catalog when we get to the editor that has assessment plans and assessment results in it. When you build an assessment result, you will essentially be able to link the automated agent findings to a set of findings in that assessment result which link to the control implementations. So these findings are pure data. So we collect as much data as possible about compliance and configuration across the business, feed those into the CCF API, and then based on your assessment plan and assessment results, you'll be able to filter those automated findings to say these ones are the relevant ones in this assessment plan.
00:16:09:11 - 00:16:23:12 And then build your findings, which relate to the control implementation, from the findings that relate to the control, because we then build a mapping between those controls to say that these are relevant in this specific assessment plan you're implementing. I hope that makes sense.

00:16:23:12 - 00:17:30:03 With your permission, I'll jump in to explain. So OSCAL is designed to support the risk management framework. That is very flexible and is looking at and supporting all the roles and responsibilities and phases in this process. So a control in the catalog is not implemented when you tailor it. You have to put it in the context of the system, allow the system owner to determine if it wants to satisfy that control. Then the assessment plan is to assess what the system security plan says, right, how that control was implemented for every single component of the system. Now when you are collecting the results, your agents should go and test what the plan says and report then how satisfactory the control implementation is. So the final adjudication has to consider all those assets, right, and allow all those entities to complete their responsibilities and roles and exercise them.

00:17:30:03 - 00:17:31:00 Absolutely.
00:17:31:00 - 00:18:21:02 So one of the pieces that hurts in terms of compliance is the manual control testing or manual implementation testing from the assessment plan, to then go and collect evidence for the specific implementations. So in our case, what we're saying is we collect all of the data of compliance across the organization and bring that into one place. So by the time you get to your assessment plan, your assessment results, rather than having to go into systems to go and test things or go into these pieces, the assessment result will essentially use the data that's been collected to say these are continuously monitored over time. This is the evidence we've gathered for the specific implementation. And those are linked with the assessment plan. Your assessment plan is going to be flexed along that to say, right, it's not a screenshot. It's continuously collected evidence of X, Y and Z, or continuously collected information about policies or procedures in the business, however that might be implemented in the business.

00:18:21:02 - 00:18:42:04 And when you mentioned collecting the evidence, is that also aligned with what a regulatory framework might ask? Because you might have controls that are identical in terms of the requirements but have discrepancies when it comes to the evidence that needs to be provided, and it also depends on the technology where those controls are implemented. So it's very complex.
00:18:42:04 - 00:19:00:09 And I think that my colleague, also from NIST, just to take you in the right direction, was trying to ask, how do you do that today with IA-5, if you do not have those decisions that have to be made upfront in terms of the implementation and then planning to assessment?

00:19:00:09 - 00:19:50:22 Yeah, absolutely. And this is where the editors step in, where we've put this automatic evidence collection through the agents. But the one piece we've missed is giving people the tools needed to build out a system security plan, an assessment plan, and assessment results, even if that means the traditional, normal fashion of building out just an entire report; the editors are necessary for that. So that's where we really want help with SSPs, and next APs and ARs, to build out that editor. So you could build an entire compliance report and then have this data help you fill that compliance report from evidence gathered and from different places. You are correct in that the context matters and there are going to be different implementations. So what we try and do is collect as much information into a central place about configurations across the business, or introspecting policies across the business, so that you can then more easily fill out that report and do that continuously. Yeah.
00:19:50:22 - 00:19:52:14 I think it's worth saying that we come at this 00:19:52:14 - 00:19:55:03 from a completely different angle to most people, 00:19:55:03 - 00:19:56:13 I think, maybe on this call. 00:19:56:13 - 00:19:59:00 So we're coming at this as software engineers 00:19:59:00 - 00:20:03:09 who've had to work on Excel spreadsheets and Confluence pages 00:20:03:11 - 00:20:07:04 around mapping our work to controls in order to get the compliance 00:20:07:04 - 00:20:08:12 part of our work out of the way. 00:20:08:12 - 00:20:10:23 And we saw OSCAL as a great opportunity 00:20:10:23 - 00:20:14:24 for us to codify this in an industry standard way. 00:20:14:24 - 00:20:19:12 And so now that we're building this tool, we're having to sort of shortcut our way 00:20:19:12 - 00:20:23:10 through the OSCAL hierarchy a little bit to be useful to certain people. 00:20:23:10 - 00:20:26:18 But our goal is to ultimately represent the whole OSCAL schema. 00:20:26:18 - 00:20:30:00 And so there will be a little bit of this, you might call it hacking. 00:20:30:00 - 00:20:31:15 For example, by mapping 00:20:31:15 - 00:20:35:16 from catalog to what we call finding, but it's actually just evidence gathering. 00:20:35:19 - 00:20:39:15 That's a way of getting people to use this system and then move towards 00:20:39:15 - 00:20:40:23 the complete picture. 00:20:40:23 - 00:20:43:14 Chris, there's another question which 00:20:43:14 - 00:20:45:00 I know you could answer, but I could as well. 00:20:45:00 - 00:20:48:16 But how do agents collect and analyze control implementation? 00:20:48:20 - 00:20:50:23 They don't necessarily 00:20:50:23 - 00:20:55:04 look at control implementation because controls can be quite subjective. 00:20:55:07 - 00:21:00:11 What they do do is map to relevant controls that they are checking for.
00:21:00:11 - 00:21:02:02 For example, if we're collecting 00:21:02:02 - 00:21:06:00 evidence of multifactor authentication being enabled in different tools, 00:21:06:04 - 00:21:10:06 we can relate those back to multifactor controls listed in catalogs. 00:21:10:08 - 00:21:13:20 That gives us some signal of what that evidence is for 00:21:13:20 - 00:21:15:15 and what that evidence has been gathered for. 00:21:15:15 - 00:21:19:06 And then at the end of the day, that needs to be mapped into your actual 00:21:19:06 - 00:21:22:24 implementations of the business, to say this is holistically what that looks like. 00:21:23:03 - 00:21:25:12 Is that sort of along the lines which we're going to answer as well, Ian? 00:21:26:11 - 00:21:27:17 Yes, it was. Yes. 00:21:27:17 - 00:21:31:16 I think that this last question is, in a way, a duplication 00:21:31:20 - 00:21:35:23 of what I was trying to allude to earlier, but what I wanted to state for all the 00:21:35:23 - 00:21:40:04 participants today is this is work in progress, right? 00:21:40:09 - 00:21:44:19 This is fantastic work in progress and not a product. 00:21:44:19 - 00:21:48:17 So Christian and Ian are not here to promote a product. 00:21:48:17 - 00:21:54:01 They're here to collaborate and demonstrate how they are adopting 00:21:54:01 - 00:21:57:01 OSCAL technically and in stages. 00:21:57:04 - 00:22:00:18 So the question I was saying, are your agents looking, 00:22:00:18 - 00:22:04:22 receiving information about the implementation of the controls? 00:22:04:22 - 00:22:09:22 Maybe the agents will receive information about the, or will be triggered 00:22:09:22 - 00:22:14:01 or customized by, the assessment plan, because the assessment plan 00:22:14:01 - 00:22:15:10 is the one that needs to plan 00:22:15:10 - 00:22:19:08 how those implementations, so the controls, will be satisfied. 00:22:19:08 - 00:22:22:18 So I think there is a world of opportunities here.
00:22:22:18 - 00:22:27:12 And as, in my opinion, based on what I see, it is very nicely 00:22:27:15 - 00:22:30:22 done; it's missing parts, it's missing steps. 00:22:31:06 - 00:22:34:12 The potential is there and it's open source. 00:22:34:17 - 00:22:36:06 That's what I want to. 00:22:36:06 - 00:22:38:13 Yeah, absolutely not pitching a product. 00:22:38:13 - 00:22:40:04 It is an open source project. 00:22:40:04 - 00:22:42:03 You are welcome to run it on your own. 00:22:42:03 - 00:22:43:24 We're not selling you anything at this point. 00:22:43:24 - 00:22:46:22 So if your presentation has ended, 00:22:46:22 - 00:22:50:16 I can stop the recording, and maybe, you know, have an open dialogue. 00:22:50:16 - 00:22:51:02 Perfect.