00:00:00:04 - 00:00:01:22 Hey, a pleasure to be here.
00:00:01:22 - 00:00:07:06 And thanks to NIST for this opportunity to come and present to the broader NIST community.
00:00:07:06 - 00:00:11:14 Today, I'm going to be talking a little bit about this
00:00:11:14 - 00:00:13:17 topic at a general level.
00:00:13:17 - 00:00:15:19 And then passing the microphone
00:00:15:19 - 00:00:19:18 about halfway through our presentation to my colleagues Anca and Vikas.
00:00:19:20 - 00:00:21:12 To do a little bit of a deeper
00:00:21:12 - 00:00:23:06 technical dive into the matter.
00:00:23:06 - 00:00:25:08 For my half of the presentation,
00:00:25:08 - 00:00:29:02 I hope that you leave this workshop today feeling like
00:00:29:02 - 00:00:32:22 you understand how you might get involved in an effort like this.
00:00:33:00 - 00:00:36:24 Whether it's at NIST, or anywhere else, I hope you will understand a little bit
00:00:36:24 - 00:00:40:02 more about how this collaborative standards process works.
00:00:40:05 - 00:00:44:03 Both in a general sense and in a very specific sense
00:00:44:03 - 00:00:49:01 as we walk through how this process has applied to the OSCAL mapping model.
00:00:50:07 - 00:00:50:24 Who am I?
00:00:50:24 - 00:00:52:06 My name is Stephen Banghart.
00:00:52:06 - 00:00:55:19 I am the technical coordinator for the OSCAL Foundation.
00:00:56:00 - 00:00:58:23 This means that I lead our technical efforts
00:00:58:23 - 00:01:02:01 in developing, maturing and extending OSCAL.
00:01:02:07 - 00:01:06:07 Back when I was a member of the original team at NIST that helped create OSCAL,
00:01:06:09 - 00:01:10:08 I was very lucky to be able to work with Michaela at NIST back then
00:01:10:08 - 00:01:13:10 on creating OSCAL and helping it be what it is today.
00:01:13:14 - 00:01:16:12 I've spent much of my career working in standards development,
00:01:16:12 - 00:01:19:19 both in technical forums and non-technical forums,
00:01:19:19 - 00:01:23:17 working on regulations, policy standards, of all kinds,
00:01:23:17 - 00:01:25:19 all around the world and in various bodies.
00:01:25:19 - 00:01:29:13 And in my day to day, I'm joined by the rest of my foundation staff
00:01:29:16 - 00:01:33:08 and our wonderful foundation membership, which includes
00:01:33:08 - 00:01:37:00 Anca and Vikas, to continue working towards OSCAL's continued success.
00:01:37:22 - 00:01:39:17 Briefly, the foundation.
00:01:39:17 - 00:01:43:00 We are a nonprofit that was founded to help centralize
00:01:43:00 - 00:01:47:02 and coordinate the larger private industry OSCAL community.
00:01:47:02 - 00:01:51:04 And it is our goal to cover the five main pillars of our mission:
00:01:51:06 - 00:01:55:03 adoption, education, development, internationalization and extension.
00:01:56:01 - 00:02:00:22 And just briefly, we encourage people to adopt OSCAL.
00:02:01:02 - 00:02:02:24 A lot of that is advocacy work.
00:02:02:24 - 00:02:05:14 Going out and talking to end users and vendors.
00:02:05:14 - 00:02:09:00 We do a lot of education, including running webinars, providing
00:02:09:00 - 00:02:13:04 educational material, trying to get more people onboarded into the OSCAL ecosystem.
00:02:13:04 - 00:02:17:21 We help lead the industry effort to coalesce and collaboratively work
00:02:17:21 - 00:02:21:04 on OSCAL development, which is what we're going to be talking about today.
00:02:21:06 - 00:02:22:13 We take an eye towards
00:02:22:13 - 00:02:26:02 how do we internationalize the OSCAL work that has been, until now,
00:02:26:05 - 00:02:30:08 mostly US-centric; all of that changes every single day that goes by.
00:02:30:08 - 00:02:32:01 It's becoming more popular internationally.
00:02:32:01 - 00:02:36:07 And we work on extending OSCAL. To get into our topic today.
00:02:36:07 - 00:02:39:13 And what I want to talk about is first, approaching this
00:02:39:13 - 00:02:43:11 at a very high level of talking about what it means to collaboratively work
00:02:43:11 - 00:02:44:24 on a standard like this.
00:02:44:24 - 00:02:49:01 And fundamentally, I think the core of this is that it's a team effort.
00:02:49:09 - 00:02:53:17 A standard like OSCAL only exists in the first place
00:02:53:17 - 00:02:58:11 because one or more entities or organizations want to talk
00:02:58:11 - 00:03:02:11 about or communicate about something, and we need a shared language to do it.
00:03:02:13 - 00:03:06:05 The very need for standards is collaborative in nature.
00:03:06:05 - 00:03:09:08 So it should be no surprise that the way that we work on
00:03:09:08 - 00:03:12:08 them is inherently collaborative as well.
00:03:12:12 - 00:03:16:24 NIST has been an absolute champion of this concept since day one of OSCAL.
00:03:16:24 - 00:03:20:06 They have led open and community-driven efforts for years.
00:03:20:06 - 00:03:22:07 And personally, I think we can owe
00:03:22:07 - 00:03:26:00 a lot of OSCAL's ongoing success to this collaborative approach.
00:03:26:00 - 00:03:27:09 And it's something that
00:03:27:09 - 00:03:32:03 we have attempted to emulate as we continue to work on maturing models.
00:03:32:03 - 00:03:35:01 Even in the OSCAL Foundation and elsewhere.
00:03:35:01 - 00:03:40:04 What I want to impart in my section of the presentation here is
00:03:40:04 - 00:03:43:08 what does this collaborative maturation process look like?
00:03:43:08 - 00:03:45:00 How does it work? Who does it involve?
00:03:45:00 - 00:03:49:18 And I think most importantly, how do you see yourself interacting with it?
00:03:49:21 - 00:03:54:13 And what are the different ways that one could interact with a process like this?
00:03:55:08 - 00:03:58:12 And I think the biggest takeaway, and this applies to OSCAL,
00:03:58:12 - 00:03:59:20 this applies to all standards:
00:03:59:20 - 00:04:01:11 Getting involved is easier than you think,
00:04:01:11 - 00:04:04:03 and I hope to convince you of that by the end of this.
00:04:04:03 - 00:04:08:21 Very quickly, as a general guide to how this collaborative process
00:04:08:21 - 00:04:14:00 typically works: we have a use case arise first.
00:04:14:03 - 00:04:15:13 Somebody identifies
00:04:15:13 - 00:04:20:06 a use case that the standard does not support out of the box today.
00:04:20:11 - 00:04:22:22 This is some problem they need to solve.
00:04:22:22 - 00:04:24:11 This is some new opportunity.
00:04:24:11 - 00:04:27:12 They have identified some technological problem
00:04:27:12 - 00:04:30:12 that does not yet have a standardized solution.
00:04:31:05 - 00:04:34:01 This person typically still needs to solve their problem.
00:04:34:01 - 00:04:37:12 So typically they will implement a custom solution.
00:04:37:15 - 00:04:40:15 Maybe this is an extension to the existing models.
00:04:40:15 - 00:04:44:20 Maybe this is some custom behavior, but the person that identified this problem
00:04:44:20 - 00:04:48:23 will come up with a custom solution to it because they need to solve their problem.
00:04:49:16 - 00:04:50:13 The way that this starts
00:04:50:13 - 00:04:54:11 to become standardized starts here in step three, introduction.
00:04:54:15 - 00:04:58:05 The person that identified this problem and creates
00:04:58:05 - 00:05:02:03 this implementation goes and introduces it to the wider community.
00:05:02:05 - 00:05:05:18 They say I have a problem and I solved it this way.
00:05:05:20 - 00:05:09:04 And that starts a conversation; that starts
00:05:09:04 - 00:05:13:04 a technical conversation about the merits of the solution.
00:05:13:04 - 00:05:16:17 It starts a higher level, slightly more abstract conversation about
00:05:16:22 - 00:05:21:06 whether or not this solution fits into the standard in general.
00:05:21:08 - 00:05:25:13 And typically, if the community collaboratively
00:05:25:13 - 00:05:30:04 feels like this is a useful use case that should be integrated,
00:05:30:06 - 00:05:32:16 it moves into a step of collaborative development.
00:05:32:16 - 00:05:35:16 That is what we're going to be spending most of our time talking about today.
00:05:35:16 - 00:05:37:16 Then we do prototyping and testing.
00:05:37:16 - 00:05:39:07 We make sure that this thing that we are
00:05:39:07 - 00:05:42:10 developing is going to function in an interoperable way.
00:05:43:01 - 00:05:47:16 And finally, it gets officially published as a formal part of the standard.
00:05:47:19 - 00:05:51:11 Now in the OSCAL context, it should be pretty clear how this looks.
00:05:51:11 - 00:05:52:21 The maintainer is NIST.
00:05:52:21 - 00:05:57:13 And we are all users and implementers of OSCAL that could potentially follow
00:05:57:13 - 00:05:59:00 this timeline.
00:05:59:00 - 00:06:00:12 Some quick notes.
00:06:00:12 - 00:06:03:12 Sometimes use cases are introduced without an implementation.
00:06:03:14 - 00:06:07:23 This happens when somebody has an idea or thinks of a solution to a problem.
00:06:08:01 - 00:06:09:01 And that's okay.
00:06:09:01 - 00:06:12:11 I don't want to make people feel like there has to be
00:06:12:11 - 00:06:16:06 a code implementation of a use case in order to make it useful to share.
00:06:16:06 - 00:06:17:21 It's still worth raising ideas
00:06:17:21 - 00:06:20:24 because this will often resonate with other members of the community.
00:06:20:24 - 00:06:24:09 This will resonate with other people suffering from a similar problem.
00:06:24:12 - 00:06:28:02 That can evolve into something that is more useful down the road.
00:06:28:07 - 00:06:29:15 Having an implementation
00:06:29:15 - 00:06:33:14 ahead of time, though, does often make it easier and faster to move along
00:06:33:14 - 00:06:35:20 this standardization process.
00:06:35:20 - 00:06:37:11 So there's your very general overview.
00:06:37:11 - 00:06:41:20 What I want to do is now talk specifically about something that the OSCAL Foundation
00:06:41:20 - 00:06:43:00 has been working on
00:06:43:00 - 00:06:48:03 recently, and something that Anca and Michaela and Vikas and others
00:06:48:03 - 00:06:52:22 have been working on for a long time, and that is the OSCAL mapping model.
00:06:53:00 - 00:06:54:23 And I'm going to talk about the mapping model
00:06:54:23 - 00:06:58:20 at a kind of high level in the context of what I've just explained, which is this
00:06:58:20 - 00:07:02:24 process of collaborative standards work and collaborative maturation.
00:07:04:04 - 00:07:06:12 So first let's look at the use case for the mapping model.
00:07:06:12 - 00:07:09:12 I think this is probably the most important part to start in.
00:07:09:20 - 00:07:15:08 Apologies, Steve, I just wanted to add that this is a mapping model
00:07:15:08 - 00:07:18:23 not of the data to something else. It is a control mapping model.
00:07:18:24 - 00:07:22:04 That's all, for the audience to have a clear understanding.
00:07:23:10 - 00:07:23:21 Yeah.
00:07:23:21 - 00:07:27:20 Creating a mapping or a crosswalk is something
00:07:27:20 - 00:07:32:03 that is a well-established activity when we're talking about control frameworks.
00:07:32:06 - 00:07:33:08 This is something that you hear
00:07:33:08 - 00:07:37:09 pretty frequently if you're familiar with any kind of framework
00:07:37:09 - 00:07:41:13 or compliance management or risk management activity.
00:07:41:13 - 00:07:46:00 Outside of OSCAL, it is typical for organizations to try and determine
00:07:46:00 - 00:07:49:23 to what extent a given framework will map to a different framework.
00:07:50:10 - 00:07:55:09 As an example, perhaps an organization has fully implemented
00:07:55:09 - 00:07:59:23 all the controls in some NIST 800-53 baseline.
00:07:59:23 - 00:08:03:12 They have already gone through the process of doing that in OSCAL.
00:08:03:15 - 00:08:05:21 They've fully implemented all of these controls.
00:08:05:21 - 00:08:11:15 And now they have become required by regulation to implement something.
00:08:11:15 - 00:08:14:17 Maybe let's say for this example PCI DSS.
00:08:14:21 - 00:08:18:00 The goal would be to be able to create
00:08:18:00 - 00:08:21:02 a mapping between 800-53
00:08:21:02 - 00:08:25:24 and this PCI framework to understand where their overlaps are.
00:08:25:24 - 00:08:28:06 If I implement all of this 800-53,
00:08:28:06 - 00:08:32:01 to what extent have I already satisfied this other framework?
00:08:32:01 - 00:08:33:12 And what pieces are missing?
00:08:33:12 - 00:08:34:15 What are the things that I'll need
00:08:34:15 - 00:08:37:21 to go out and buy or implement in order to become compliant?
00:08:37:23 - 00:08:41:17 This is a use case that we see repeated time and time again
00:08:42:03 - 00:08:43:23 in the compliance and risk management world.
00:08:44:24 - 00:08:48:06 Also very common, just at kind of an informational level,
00:08:48:07 - 00:08:52:07 for various firms or organizations to want to understand
00:08:52:09 - 00:08:55:16 how a framework relates to a different framework,
00:08:55:18 - 00:08:59:19 understanding that complex web of relationships between individual
00:08:59:19 - 00:09:04:14 controls, groups of controls, the wording inside of those controls.
00:09:04:17 - 00:09:09:03 There is an intricate web of relationships between those frameworks that,
00:09:09:03 - 00:09:12:03 if we were able to understand, would allow us to
00:09:12:05 - 00:09:15:17 ease the transition between those frameworks or add new ones,
00:09:15:21 - 00:09:19:10 or continue to expand our understanding of the compliance ecosystem in general.
00:09:19:24 - 00:09:25:09 So we ask how perhaps the use case arises fairly naturally.
00:09:25:10 - 00:09:29:05 I think OSCAL exists in this space of compliance
00:09:29:05 - 00:09:30:20 and risk management frameworks.
00:09:30:20 - 00:09:35:11 It's natural that we would want to be able to do this mapping activity,
00:09:35:11 - 00:09:38:13 which is a known activity in a non-automated way.
00:09:38:15 - 00:09:40:07 We want to be able to do it in OSCAL.
00:09:40:07 - 00:09:41:23 Do it in an automated way.
00:09:41:23 - 00:09:45:07 Bring it into this world of useful automation.
00:09:45:13 - 00:09:48:05 It means that all of the work that we've spent setting up our
00:09:48:05 - 00:09:51:07 OSCAL infrastructure to support a specific framework
00:09:51:07 - 00:09:54:15 could more easily and automatically be applied to other frameworks
00:09:54:18 - 00:09:58:15 once we provide that mapping document to define the relationship between them.
00:09:58:21 - 00:10:01:22 OSCAL Compass and the team is an open
00:10:01:22 - 00:10:05:08 source project, of which Anca and Vikas are involved.
00:10:05:08 - 00:10:06:20 As far as I'm aware,
00:10:06:20 - 00:10:10:18 some of the first to recognize this use case and to begin to
00:10:10:18 - 00:10:14:09 really understand that this could bring a lot of value when it's done in OSCAL.
00:10:15:03 - 00:10:18:04 And just to really make it clear how useful
00:10:18:04 - 00:10:22:04 this mapping is in OSCAL in particular, imagine
00:10:22:04 - 00:10:26:05 an organization constructs a custom internal control framework.
00:10:26:05 - 00:10:28:04 This is an uncommon at very large companies.
00:10:28:04 - 00:10:31:13 You see they will create a set of controls that they maintain purely
00:10:31:13 - 00:10:35:04 for their internal use and then map those out to each framework
00:10:35:04 - 00:10:36:11 that they are beholden to.
00:10:36:11 - 00:10:40:14 Being able to do this mapping in OSCAL is an excellent way to cover this use case.
00:10:41:00 - 00:10:45:24 Third party analysts and various firms create guidance documents, mapping
00:10:45:24 - 00:10:50:15 documents, profiles; all of these things can be enhanced by having a machine-
00:10:50:15 - 00:10:54:16 readable and automation-friendly OSCAL mapping format alongside it.
00:10:54:20 - 00:10:59:09 And in the most advanced use case, where we have an automated OSCAL system
00:10:59:13 - 00:11:02:20 fully integrated with the enterprise posture management,
00:11:03:07 - 00:11:05:20 being able to map allows us to
00:11:05:20 - 00:11:09:15 remap that specific technical work that we've done to a new framework.
00:11:10:14 - 00:11:13:02 So a use case was identified for the mapping model.
00:11:13:02 - 00:11:14:10 I think it's fairly self-evident.
00:11:14:10 - 00:11:16:21 It's a huge, huge part of this process.
00:11:16:21 - 00:11:19:21 And it makes sense that we would want to do it in OSCAL.
00:11:19:23 - 00:11:22:07 The next step of the standardization process, as I talked about
00:11:22:07 - 00:11:25:09 generically, is to go and create an implementation of it.
00:11:25:13 - 00:11:28:23 The OSCAL Compass open source project, in partnership
00:11:28:23 - 00:11:31:23 with NIST, started to work on a way of doing this.
00:11:32:01 - 00:11:35:11 They created a prototype mapping model
00:11:35:16 - 00:11:39:02 that was then hosted on the NIST website to make it easy to share with others.
00:11:39:04 - 00:11:40:18 And OSCAL Compass produced
00:11:40:18 - 00:11:44:24 an implementation that actually, in code, supported this work.
00:11:45:13 - 00:11:48:23 And it was developed as an extension to OSCAL, which I want to flag
00:11:48:23 - 00:11:51:16 as a particularly smart way of doing things,
00:11:51:16 - 00:11:55:10 because it meant that they were not changing or causing
00:11:55:10 - 00:11:59:20 any overt breaking changes to previously existing OSCAL models.
00:11:59:20 - 00:12:02:10 This was something new that they were bringing to the table.
00:12:02:10 - 00:12:06:16 And offering that provided a new capability or behavior
00:12:06:16 - 00:12:08:03 to the OSCAL ecosystem.
00:12:08:03 - 00:12:11:10 This was worked on over the course of many months.
00:12:11:11 - 00:12:13:05 You know, it's a software engineering project
00:12:13:05 - 00:12:17:05 as well as working on developing this prototype model itself.
00:12:17:05 - 00:12:21:15 But they made significant progress on it and developed something that was
00:12:21:18 - 00:12:22:11 really beginning
00:12:22:11 - 00:12:27:06 to be clearly functional and useful to others outside of just themselves.
00:12:28:05 - 00:12:31:05 That brings us here to introduction.
00:12:31:17 - 00:12:34:17 Now, the OSCAL Compass team has been socializing this work
00:12:34:17 - 00:12:38:08 for some time at various presentations, discussion forums.
00:12:38:11 - 00:12:42:06 Maybe you've seen some of their presentations about this at other places.
00:12:42:06 - 00:12:44:16 And that is a really important part of the process.
00:12:44:16 - 00:12:47:16 The OSCAL Compass team recognized that this had value;
00:12:47:17 - 00:12:50:03 they wanted to share that with people. They wanted to get more input.
00:12:50:03 - 00:12:51:10 They wanted to get more feedback.
00:12:51:10 - 00:12:54:10 They wanted to get eyes on it, to make it the best that it can be.
00:12:54:16 - 00:12:58:14 At the OSCAL Foundation, we have a technical working group,
00:12:58:14 - 00:13:02:12 which is just a group of technically savvy OSCAL developers.
00:13:02:15 - 00:13:05:09 And this use case really resonated with us
00:13:05:09 - 00:13:08:12 when this first came across our desks and we had a chance
00:13:08:12 - 00:13:11:14 to hear from Anca about what it did and what it could do.
00:13:11:18 - 00:13:15:12 And the technical working group decided that this would make perfect sense
00:13:15:12 - 00:13:17:10 and that we want to help produce it.
00:13:17:10 - 00:13:21:00 We want to help coordinate input and feedback on it
00:13:21:02 - 00:13:23:04 to mature that model.
00:13:23:04 - 00:13:28:01 The model, the prototype, had been created as part of a smaller effort,
00:13:28:01 - 00:13:32:00 a more concentrated effort to produce the first prototype of this thing.
00:13:32:00 - 00:13:35:13 And next we mature it using a larger group.
00:13:35:16 - 00:13:40:09 A group that has more perspectives, more use cases, more challenges,
00:13:40:09 - 00:13:41:13 potentially, and is able
00:13:41:13 - 00:13:44:24 to kind of wrap those together and help make this the best it can be.
00:13:45:10 - 00:13:49:12 We've been working with the NIST prototype model to enhance it
00:13:49:12 - 00:13:51:03 and mature it.
00:13:51:03 - 00:13:55:02 Our goal is to build community consensus, not only just in the technical
00:13:55:02 - 00:13:58:20 working group, but across the OSCAL community at large.
00:13:58:20 - 00:14:00:04 And this is part of
00:14:00:04 - 00:14:03:23 why I'm really excited to be able to come and talk to everyone here today
00:14:03:23 - 00:14:04:16 about this.
00:14:04:16 - 00:14:08:21 Because I hope that we can loop you in to this,
00:14:08:21 - 00:14:12:08 get your feedback and input as well, because it's part of this process.
00:14:14:13 - 00:14:16:21 What does that collaborative process really mean?
00:14:16:21 - 00:14:17:19 What does this look like?
00:14:17:19 - 00:14:20:00 And it means a lot of different things to a lot of different people.
00:14:20:00 - 00:14:23:00 Ultimately, it comes down to a lot of conversations,
00:14:23:00 - 00:14:27:07 a lot of discussions, a lot of creating and showing examples to each other.
00:14:27:07 - 00:14:30:10 And a lot of actually doing technical work,
00:14:30:10 - 00:14:34:06 working in a GitHub or writing code, but it includes all of those things.
00:14:34:08 - 00:14:37:19 And I think it's important to note that it requires all of those things.
00:14:37:21 - 00:14:42:11 It takes the technical people to sit down and discuss the intricacies
00:14:42:11 - 00:14:45:19 of the technical implementation, but it also takes the non-technical people
00:14:45:19 - 00:14:50:21 to understand the requirements, use cases and applications of this work.
00:14:50:21 - 00:14:54:08 Because maturing a model like this is a holistic effort.
00:14:54:10 - 00:14:57:15 It's one that comes in many pieces that we all have to help with.
00:14:58:02 - 00:14:59:17 And there's also a delicate balance.
00:14:59:17 - 00:15:00:01 You know,
00:15:00:01 - 00:15:05:01 we need to create something that is useful for as many people as possible
00:15:05:01 - 00:15:08:09 and supporting as many related use cases as possible.
00:15:08:11 - 00:15:12:04 But we can't create something that is everything to everybody.
00:15:12:04 - 00:15:15:08 So in collaboration, there's also compromise.
00:15:16:03 - 00:15:18:18 The details of this collaborative development
00:15:18:18 - 00:15:22:00 I'm going to be leaving to my colleagues here in just a few minutes.
00:15:22:02 - 00:15:23:18 You have to wait
00:15:23:18 - 00:15:25:07 to hear a little bit more about that.
00:15:25:07 - 00:15:29:12 But just to kind of close up this discussion of what the process looks like:
00:15:29:12 - 00:15:32:03 we are in this collaborative development phase right now
00:15:32:03 - 00:15:34:07 with the OSCAL mapping model.
00:15:34:07 - 00:15:38:03 And that means that in the future, we have these other tasks coming up.
00:15:38:04 - 00:15:39:18 We need to do our prototyping and testing.
00:15:39:18 - 00:15:42:06 We need to finish building consensus around this.
00:15:42:06 - 00:15:45:23 And then we need to move to this phase where we push towards final publication.
00:15:46:02 - 00:15:48:00 And those things are coming up in the future.
00:15:48:00 - 00:15:52:00 And even when we do eventually finish this, work doesn't stop.
00:15:52:00 - 00:15:53:09 And I think that's a good thing.
00:15:53:09 - 00:15:56:12 We are going to continue improving and iterating this model,
00:15:56:14 - 00:15:57:06 which means that
00:15:57:06 - 00:16:01:23 if there are any issues that come up, if there are new use cases that arrive,
00:16:01:23 - 00:16:05:22 if maybe somebody on this call is interested
00:16:05:22 - 00:16:09:17 in the use case of the mapping model and has thought of something
00:16:09:17 - 00:16:10:24 that we haven't thought of,
00:16:10:24 - 00:16:13:09 maybe you come to our next meeting and you tell us.
00:16:13:09 - 00:16:18:08 And that means there's a little bit more tweaking and maturing that we need to do.
00:16:18:21 - 00:16:22:06 And even beyond that, once we get past
00:16:22:06 - 00:16:25:02 finishing this, there are entirely new use cases.
00:16:25:02 - 00:16:28:03 Again, maybe somebody on this call has an idea.
00:16:28:04 - 00:16:31:24 Just like somebody had an idea to create the mapping model in OSCAL.
00:16:31:24 - 00:16:32:12 And that
00:16:32:12 - 00:16:36:07 can start entirely brand new projects where we go through this entire process
00:16:36:07 - 00:16:37:23 again from the start to continue
00:16:37:23 - 00:16:41:24 making OSCAL as comprehensive and as useful as it can be.
00:16:43:00 - 00:16:43:09 I want
00:16:43:09 - 00:16:47:12 to finish my portion of the presentation here with a call to action.
00:16:47:12 - 00:16:51:18 I think that if you are on this call listening to this presentation,
00:16:51:18 - 00:16:55:09 then you at least care a little bit about OSCAL,
00:16:55:10 - 00:16:59:24 how it works, how it functions, and what the future of OSCAL looks like.
00:16:59:24 - 00:17:01:21 And I think that means that your opinion
00:17:01:21 - 00:17:04:09 is more valuable than maybe you give yourself credit for.
00:17:04:09 - 00:17:06:18 I only say that because of my years in standards.
00:17:06:18 - 00:17:09:05 Everyone always says, you know, no one wants to hear what I think.
00:17:09:05 - 00:17:10:21 And I don't think that's true.
00:17:10:21 - 00:17:15:03 I think that the collaborative model of working on these things
00:17:15:03 - 00:17:19:16 means that if you are a stakeholder in OSCAL, then,
00:17:19:16 - 00:17:20:24 like I said in the beginning,
00:17:20:24 - 00:17:25:01 the inherent collaborative nature of standards means that you do matter,
00:17:25:06 - 00:17:28:24 that your use case, your challenges, your difficulties,
00:17:28:24 - 00:17:32:03 your lessons learned are all things that could be useful,
00:17:32:03 - 00:17:35:22 either for other people working on it or as part of continuing
00:17:35:23 - 00:17:37:13 to mature the model itself.
00:17:37:13 - 00:17:41:09 And, you know, I want to emphasize this with how starting with an idea
00:17:41:13 - 00:17:44:12 like use case identifying and ask our use case is a
00:17:44:12 - 00:17:47:12 relatively small place to start, but ends up having big impact.
00:17:47:12 - 00:17:48:23 I mean, here we are today.
00:17:48:23 - 00:17:53:14 Really closing in on being done with an extension to OSCAL, something new.
00:17:53:14 - 00:17:56:10 An entire new, real thing that exists in the world
00:17:56:10 - 00:17:59:10 because of people starting with the ideas.
00:17:59:13 - 00:18:00:24 So please get involved.
00:18:00:24 - 00:18:03:23 The OSCAL Foundation has ways to get involved,
00:18:03:23 - 00:18:05:07 whether you want to get involved
00:18:05:07 - 00:18:08:12 in the technical working groups, or just in a more general sense.
00:18:08:12 - 00:18:13:05 The OSCAL Compass project is an open source GitHub project.
00:18:13:07 - 00:18:15:09 Also a wonderful place to get involved.
00:18:15:09 - 00:18:19:17 And of course, here at NIST, there's an extensive OSCAL community
00:18:19:17 - 00:18:23:06 that you are a part of by virtue of being here at this presentation.
00:18:23:09 - 00:18:25:16 And your involvement is always appreciated.
00:18:25:16 - 00:18:30:12 With that, I would like to pass things over to my colleagues
00:18:30:12 - 00:18:33:14 and fellow members of the OSCAL Foundation,
00:18:33:17 - 00:18:36:18 as Michaela introduced them at the beginning of the presentation,
00:18:36:18 - 00:18:39:08 Anca Sailer and Vikas Agarwal.
00:18:39:08 - 00:18:42:17 Very, very happy to have them here and being able to present on this.
00:18:42:19 - 00:18:44:06 I do want to say that Anca
00:18:44:06 - 00:18:47:07 and Vikas have really pioneered this mapping model work
00:18:47:10 - 00:18:51:04 and are really responsible for much of the model as it exists today,
00:18:51:07 - 00:18:52:15 Anca being the person
00:18:52:15 - 00:18:56:14 that actually originally introduced this to the OSCAL Foundation.
00:18:56:17 - 00:18:59:01 So they are really experts here
00:18:59:01 - 00:19:01:14 and really excited to have them talk a little bit more
00:19:01:14 - 00:19:04:03 about the technical nature of the collaborative work
00:19:04:03 - 00:19:06:23 that we've been doing, covering a little bit of the changes we've made
00:19:06:23 - 00:19:11:00 and taking a look at the actual model of the mapping model itself.
00:19:11:18 - 00:19:13:13 That I will relinquish sharing.
00:19:13:13 - 00:19:16:02 While Anca is taking over,
00:19:16:02 - 00:19:21:03 I would like to publicly answer a question that I received on direct messages.
00:19:21:03 - 00:19:27:01 NIST is still the owner of the OSCAL standard, and NIST is still going to be
00:19:27:01 - 00:19:31:04 the one that releases the model when this is polished
00:19:31:04 - 00:19:34:14 and done, and will host different versions of the prototypes.
00:19:34:14 - 00:19:38:20 The importance of the work that the OSCAL Foundation is doing is instrumental
00:19:39:00 - 00:19:43:15 to maturing those, because it is gathering and helps with those parallels
00:19:43:15 - 00:19:48:09 that we were guiding earlier during the initial phases of the program.
00:19:48:09 - 00:19:53:00 Mapping model development, including the second prototype model
00:19:53:00 - 00:19:57:18 that we have on our website, is going to come next on reaching
00:19:57:18 - 00:20:02:12 the maturity, when the work done by the foundation is coming to NIST.
00:20:02:13 - 00:20:07:10 We'll need to also have a cycle, similar, on approving with the other entities
00:20:07:10 - 00:20:12:06 that are involved, which are not part at this time of the OSCAL Foundation.
00:20:12:08 - 00:20:16:09 The stronger the voice has, the stronger the OSCAL Foundation
00:20:16:17 - 00:20:20:07 voice has, the better it is, because it's very important
00:20:20:10 - 00:20:25:08 through cycles and spirals to adopt the model, the core OSCAL models,
00:20:25:08 - 00:20:29:18 to not be opinionated, but satisfy as many use cases as possible,
00:20:29:18 - 00:20:31:13 where it's very important for the foundation
00:20:31:13 - 00:20:34:09 and the fact that knowledge is there and gets involved,
00:20:34:09 - 00:20:37:02 as if you have a use case and you think that you need something
00:20:37:02 - 00:20:39:13 completely new, sometimes it might not be the case.
00:20:39:13 - 00:20:44:08 Sometimes OSCAL models give you enough flexibility to address that.
00:20:44:10 - 00:20:45:10 I just don't see it.
00:20:45:10 - 00:20:48:06 So please come forward and work with the OSCAL Foundation
00:20:48:06 - 00:20:53:05 and work with NIST community members within this team, because we want you
00:20:53:05 - 00:20:57:04 to be able to use all OSCAL in a way that satisfies your needs.
00:20:57:05 - 00:20:59:03 And with that, I'll pass back to Anca
00:20:59:03 - 00:21:03:20 since she is already ready to share. With my thanks for all the contributions
00:21:03:20 - 00:21:09:01 of the all OSCAL Compass team that joined our review of the product models
00:21:09:04 - 00:21:12:22 long ago, before even our foundation was established.
00:21:12:22 - 00:21:13:22 So thank you.
00:21:13:22 - 00:21:15:05 Thank you, Michaela.
00:21:15:05 - 00:21:21:05 And thank you, Stephen, for doing an awesome job on introducing OSCAL mapping.
00:21:21:08 - 00:21:26:05 You can all feel almost experts after such a good presentation.
00:21:26:05 - 00:21:27:09 Very sound foundation.
00:21:27:09 - 00:21:29:20 So it's very easy for me now to move forward.
00:21:29:20 - 00:21:34:06 We will go into the details of the schema, the elements within the schema
00:21:34:08 - 00:21:37:23 that are making that artifact very useful,
00:21:37:23 - 00:21:39:21 and the additional artifacts
00:21:39:21 - 00:21:43:05 that are currently in discussion to better the models.
00:21:43:05 - 00:21:48:08 So, to position the value of all OSCAL mapping, as a user
00:21:48:08 - 00:21:53:05 of OSCAL for the automation in my compliance automation in my day job.
00:21:53:08 - 00:21:57:23 We adopted OSCAL starting, and of course, the overall goal
00:21:57:23 - 00:22:02:23 being always to reduce the risk of our system, of our environments
00:22:03:02 - 00:22:08:18 and be able to manage the response to change, to complexity, to issues,
00:22:08:21 - 00:22:12:17 to the new technologies that are coming upon us,
00:22:12:17 - 00:22:16:10 especially now with AI and also the expectation
00:22:16:12 - 00:22:20:12 of compliance moving and audit moving from a yearly and quarterly
00:22:20:14 - 00:22:25:00 activity to continuous compliance, audit on a continuous basis.
00:22:25:00 - 00:22:29:23 So, we started looking first at the OSCAL catalog and SSP 00:22:29:23 - 00:22:35:05 and of course the assessments, to digitize our artifacts to reduce time and cost. 00:22:35:08 - 00:22:38:11 So this standardization already brought 00:22:38:11 - 00:22:41:15 benefits for us, to be able to manage those artifacts as code. 00:22:41:17 - 00:22:44:16 Next we looked at leveraging 00:22:44:16 - 00:22:48:04 the component definition in association with the assessment. 00:22:48:04 - 00:22:52:20 So using the policy engines and having the results, from the CSV 00:22:53:08 - 00:22:56:00 file format, being a standard, we are able to now 00:22:56:00 - 00:22:59:12 aggregate across the various tools that we have. 00:22:59:12 - 00:23:03:09 But being able to associate with the component definition, that allows you 00:23:03:09 - 00:23:08:12 to declare how the products, the software, the hardware, the services, processes 00:23:08:12 - 00:23:12:10 are actually implementing the controls, with the policies, 00:23:12:10 - 00:23:17:01 with the checks in the assessment results, fosters and puts the basis for automation. 00:23:17:01 - 00:23:20:15 So we are able then to augment the manual processes with this automation, 00:23:20:15 - 00:23:24:12 or simply move from the manual processes to automated processes, 00:23:24:12 - 00:23:30:09 and it also allows bringing the policy engines of choice of the customer. 00:23:30:09 - 00:23:34:11 So this increased for us the flexibility on top of what the 00:23:34:11 - 00:23:37:14 digitization with the standard-as-code provided; 00:23:37:14 - 00:23:39:03 we are moving into actually 00:23:39:03 - 00:23:42:20 bridging compliance as code to policy as code in an automated fashion. 00:23:42:22 - 00:23:47:05 And this is great for one standard, for two staff or one program. 00:23:47:07 - 00:23:48:04 Regulatory program. 00:23:48:04 - 00:23:48:21 2 or 3.
00:23:48:21 - 00:23:52:01 Now, when we are talking about tens and hundreds, and all the new ones 00:23:52:01 - 00:23:56:18 that are coming with the operational resiliency, with AI and so on, 00:23:56:24 - 00:24:02:12 we as an industry are not able to OSCAL with the type of traditional processes. 00:24:02:12 - 00:24:05:14 So we want to leverage, as Stephen explained earlier, 00:24:05:14 - 00:24:09:08 we want to leverage what we have already in our evidence 00:24:09:10 - 00:24:13:14 storage and the posture to bootstrap the new programs. 00:24:13:14 - 00:24:16:05 And this is where the OSCAL mapping comes into the picture, 00:24:16:05 - 00:24:20:08 with the crossroad between [] program and their posture and evidence reuse. 00:24:20:17 - 00:24:25:06 So the effectiveness of this model, of this artifact, the OSCAL 00:24:25:18 - 00:24:29:24 mapping, is very much dependent on the type of 00:24:30:03 - 00:24:33:08 properties, on the type of qualifiers for the mapping 00:24:33:08 - 00:24:36:10 between the controls, between the two catalogs or the two 00:24:36:14 - 00:24:38:04 baselines, profiles. 00:24:38:04 - 00:24:42:13 And so a lot of the work that we have done with the team was to make sure 00:24:42:13 - 00:24:47:01 that we cover both the mapping and the gaps where we have no mapping, 00:24:47:01 - 00:24:51:05 so to cover in entirety the source and the target of this mapping, 00:24:51:05 - 00:24:55:14 and we will see we are looking at different qualifiers to help represent 00:24:55:14 - 00:25:01:02 in different dimensions the relationships between those, to help the discussion. 00:25:01:02 - 00:25:01:11 Right.
00:25:01:11 - 00:25:05:09 The negotiation between a compliance team that thinks and operates 00:25:05:09 - 00:25:10:24 at the high level of the control and the technical teams, the systems, 00:25:10:24 - 00:25:14:09 the services, the software teams that operate more 00:25:14:09 - 00:25:17:18 at the level of the actual checks and validation 00:25:17:18 - 00:25:22:04 within the technology, and the elements that Vikas is going to share next 00:25:22:04 - 00:25:26:09 are meant to help in that discussion: allow one to express the mapping 00:25:26:09 - 00:25:30:19 and the other to say, well, actually, this is not as it seems because of 00:25:30:19 - 00:25:34:03 the way that the evidence is required or because of the way the technology works. 00:25:34:03 - 00:25:39:03 So this is how those elements are going to be used to help this communication. 00:25:39:07 - 00:25:42:14 So with that, let me stop here and give the mic to Vikas. 00:25:43:06 - 00:25:46:15 Thanks, Anca and Stephen, for introducing the mapping model. 00:25:46:17 - 00:25:49:19 Now I'll go into the more technical details here. 00:25:49:19 - 00:25:55:06 So what I'm showing here is the current NIST prototype mapping model. 00:25:55:11 - 00:25:59:00 And below is the link where you could find the JSON outline 00:25:59:00 - 00:26:01:14 for this mapping model. At a high level, if you look at it, 00:26:01:14 - 00:26:04:20 the mapping collection includes a provenance at the top, 00:26:04:20 - 00:26:08:07 which captures some of the common fields across different mappings, 00:26:08:07 - 00:26:09:23 such as what was the method used? 00:26:09:23 - 00:26:11:21 What was the matching rationale? 00:26:11:21 - 00:26:13:19 If we are using some AI-based tool 00:26:13:19 - 00:26:17:17 to compute the mapping, those tools generally provide some confidence 00:26:17:17 - 00:26:21:17 score for how confident they are about this mapping that they are giving, and so on. 00:26:21:17 - 00:26:22:02 Right.
00:26:22:02 - 00:26:26:00 And then this schema basically goes into the specific mapping. 00:26:26:00 - 00:26:30:24 So you capture the source and the target catalogs here, or the profiles here: 00:26:31:01 - 00:26:33:14 what is your source catalog or the target catalog here? 00:26:33:14 - 00:26:37:20 And then for each of these, you provide an array of map structures 00:26:37:20 - 00:26:42:00 where you specify your source control from the source catalog 00:26:42:00 - 00:26:45:11 and the target controls to which it is being matched from the target catalog. 00:26:45:11 - 00:26:50:07 And with that, you also capture the relationship, like whether your source is 00:26:50:08 - 00:26:51:18 equivalent to the target 00:26:51:18 - 00:26:55:02 in terms of the requirement, whether it's a superset, subset and so on. 00:26:55:02 - 00:26:55:08 Right. 00:26:55:08 - 00:26:59:05 And then, towards the end, we have the source gap summary and target 00:26:59:05 - 00:26:59:22 gap summary, 00:26:59:22 - 00:27:03:10 which capture, if there are controls which are not mapped at all in the source 00:27:03:10 - 00:27:07:19 and the target, then we capture it here to explicitly state that these controls 00:27:07:19 - 00:27:11:01 have no mapping, equivalent mapping or at least partial mapping, 00:27:11:09 - 00:27:12:24 in the source or the target schema. 00:27:12:24 - 00:27:14:10 So there is no equivalent over there. 00:27:14:10 - 00:27:17:14 So this is the high-level schema, the current schema that exists. 00:27:17:14 - 00:27:22:01 And what I am going to do next is quickly share a very simple example 00:27:22:01 - 00:27:25:03 with a couple of controls to convey how the schema can be used. 00:27:25:03 - 00:27:28:20 And as part of this example, I have also used some of the extensions 00:27:28:20 - 00:27:32:09 that are being discussed as part of the OSCAL Foundation.
00:27:32:15 - 00:27:36:06 And I will explicitly capture those extensions towards the later 00:27:36:06 - 00:27:38:12 part of the discussion, to highlight what those are. 00:27:38:12 - 00:27:40:16 So as I said, right, there is a provenance field, 00:27:40:16 - 00:27:43:18 where you can have a method which captures whether it was a manual effort 00:27:43:18 - 00:27:46:06 to do the mapping, whether it was automated, 00:27:46:06 - 00:27:49:07 or it was a hybrid or semi-automated kind of a thing. 00:27:49:07 - 00:27:52:24 So that is what the method field actually captures, that this mapping was arrived 00:27:52:24 - 00:27:56:23 at. The matching rationale gives you whether you are doing a syntactic 00:27:56:23 - 00:28:00:04 mapping or a semantic-level mapping or a functional-level mapping. 00:28:00:04 - 00:28:00:12 Right. 00:28:00:12 - 00:28:02:15 You specify what is the thought process behind 00:28:02:15 - 00:28:05:03 matching the source and the target control set. 00:28:05:03 - 00:28:08:00 And then there can be a confidence score which specifies 00:28:08:00 - 00:28:11:09 how confident you are, or the AI tool is, 00:28:11:09 - 00:28:13:22 if you have used the AI tool, about this mapping. Right. 00:28:13:22 - 00:28:17:02 Whether that or how accurate these mappings are, in terms of how confident you are 00:28:17:02 - 00:28:20:23 about this and so on. And then a coverage value captures 00:28:20:23 - 00:28:24:09 what is the percentage coverage of the control. 00:28:24:09 - 00:28:28:12 So if you have X percentage then you say okay, X percentage of my source 00:28:28:12 - 00:28:32:12 controls are getting covered by the target regulation and so on. 00:28:32:15 - 00:28:35:15 So you can also compute, or at a high level you can get an idea, 00:28:35:16 - 00:28:36:18 how much is being covered 00:28:36:18 - 00:28:39:18 and how much is not being covered by your target calculation.
00:28:39:24 - 00:28:41:22 And if we look at the specific mapping, 00:28:41:22 - 00:28:45:17 so as I mentioned, you can in the source and the target resource you compute 00:28:45:17 - 00:28:46:22 what is your source catalog. 00:28:46:22 - 00:28:49:24 In this case we are seeing PCI-4.0 00:28:50:03 - 00:28:53:12 and the target here is the NIST 800-53 revision 5. 00:28:53:15 - 00:28:56:03 And we are trying to map the PCI controls within the NIST 00:28:56:03 - 00:28:59:15 800-53 controls, and in each of the map elements 00:28:59:15 - 00:29:03:08 we can again capture those four fields that I showed above. 00:29:03:08 - 00:29:03:15 Right. 00:29:03:15 - 00:29:07:05 The method, the matching rationale, the confidence score and coverage. 00:29:07:05 - 00:29:11:04 They can be at the top level, which is applicable or average values 00:29:11:04 - 00:29:13:18 across all your maps, and at the individual level 00:29:13:18 - 00:29:16:15 you can also capture it. Again, these are optional values. 00:29:16:15 - 00:29:19:12 So if you want to override it, then you need to specify it here. 00:29:19:12 - 00:29:20:23 If you don't, you do not need to specify. 00:29:20:23 - 00:29:24:01 So for example, if it is the same method which is there in the provenance, 00:29:24:01 - 00:29:26:17 you do not need to capture it here. Again, the matching rationale, 00:29:26:17 - 00:29:29:11 you can override it; if you are using the same rationale, 00:29:29:11 - 00:29:33:13 for example semantic, that was there above, then you do not need to specify it here again, 00:29:33:13 - 00:29:37:11 because if you do not specify, then the one in the provenance would be taken. 00:29:37:12 - 00:29:40:11 Then this confidence score gives the confidence 00:29:40:11 - 00:29:43:21 for this specific mapping between the source and the target set of controls. 00:29:43:21 - 00:29:48:04 So here we have PCI 1.1.1 and SC-1 from the NIST 800-53.
00:29:48:04 - 00:29:51:11 So this confidence score says, okay, data or the person who has done 00:29:51:11 - 00:29:55:00 this mapping is 95% confident that my mapping is correct, 00:29:55:00 - 00:29:57:20 whatever mapping I am providing is correct. We have our coverage. 00:29:57:20 - 00:30:02:01 We are saying one, 100% coverage, and the relationship is equivalent to. 00:30:02:01 - 00:30:06:24 So we are saying here that, okay, PCI 1.1.1 and SC-1 are equivalent. 00:30:06:24 - 00:30:10:10 And since they are equal, this means both the requirements are similar. 00:30:10:10 - 00:30:12:22 So the coverage is also 100% here. 00:30:12:22 - 00:30:16:09 The source and target here are not just a single control. 00:30:16:09 - 00:30:18:11 So you could have multiple controls here. 00:30:18:11 - 00:30:20:14 So if you look at the second mapping here, 00:30:20:14 - 00:30:23:20 we have one source control, which is the PCI 1.1.2. 00:30:24:05 - 00:30:29:15 And then we see that this control maps to, say, two target controls, AC-1 and SC-1. 00:30:29:15 - 00:30:35:02 So we are saying the requirements of PCI 1.1.2 map to two controls 00:30:35:08 - 00:30:39:03 in the NIST 800-53, and I’ve just put a relationship here, intersect-with. 00:30:39:07 - 00:30:40:02 So what it is saying 00:30:40:02 - 00:30:44:02 is this, that these two, the source and the target set of controls, overlap. 00:30:44:02 - 00:30:46:03 So there are some requirements in the source controls 00:30:46:03 - 00:30:48:12 that are not being met by the target set of controls. 00:30:48:12 - 00:30:51:06 And similarly there are some requirements in the target set of controls 00:30:51:06 - 00:30:54:05 which are not being met by the source control, and the coverage here, 00:30:54:05 - 00:30:57:01 for example, if it's 80%, it says okay, the overlap is 80%, 00:30:57:01 - 00:30:59:06 but then they are 20% different in each of them, 00:30:59:06 - 00:31:00:24 which are not being covered by the other set.
00:31:00:24 - 00:31:04:03 And then we also have the source and the target gap summary. 00:31:04:03 - 00:31:06:23 So in this example I am just showing the source gap summary. 00:31:06:23 - 00:31:09:21 So these are the unmapped controls from the source regulation. 00:31:09:21 - 00:31:12:22 And the idea to pull this is because if I do not have this here, 00:31:12:22 - 00:31:13:07 right, 00:31:13:07 - 00:31:16:07 and if I do not capture this control as part of my mapping also, 00:31:16:07 - 00:31:19:15 one would not be very clear whether there is no mapping that exists 00:31:19:15 - 00:31:21:21 for these controls or the user who is doing 00:31:21:21 - 00:31:23:13 the mapping has not yet created it. Right. 00:31:23:13 - 00:31:26:19 So explicitly putting that as part of the gap summary 00:31:27:01 - 00:31:30:13 clearly says that these controls from the source are not getting covered 00:31:30:13 - 00:31:32:14 at all in the target regulation. 00:31:32:14 - 00:31:36:01 And similarly for the target gap summary, we can say that these controls from 00:31:36:01 - 00:31:38:12 the target are not getting covered in the source at all. Right. 00:31:38:12 - 00:31:40:02 So that's the idea over here. 00:31:40:02 - 00:31:41:16 The idea of having this mapping is, 00:31:41:16 - 00:31:44:20 so for example, if I have already implemented this data 00:31:44:21 - 00:31:46:09 typically in my organization, 00:31:46:09 - 00:31:50:18 and I want to use the posture that I am creating for that framework or regulation 00:31:50:20 - 00:31:54:19 for a new incoming regulation, which in this case is PCI DSS 4.0, 00:31:54:22 - 00:31:59:07 I want to see how much of the existing portion, posture I can reuse for my PCI 00:31:59:07 - 00:32:02:15 and what delta I need to implement which is not getting covered. 00:32:02:15 - 00:32:04:21 Right. So that's the idea of using this mapping model. 00:32:04:21 - 00:32:07:15 I have something already implemented in my organization.
00:32:07:15 - 00:32:10:23 And if I map a new regulation to an already implemented framework 00:32:11:00 - 00:32:14:11 and figure out how much I am getting covered, how much additional work I need to do, 00:32:14:11 - 00:32:16:13 and what are the additional controls 00:32:16:13 - 00:32:18:17 that I need to implement which are not getting covered. Right. 00:32:18:17 - 00:32:20:07 So that's the overall idea here. 00:32:20:07 - 00:32:23:22 So now let me go to the extensions 00:32:23:22 - 00:32:26:22 that we are discussing as part of the OSCAL Foundation. 00:32:26:22 - 00:32:29:07 And again, these are still under discussion. 00:32:29:07 - 00:32:30:04 These are not final. 00:32:30:04 - 00:32:33:06 So I am just going to talk about what those extensions are, 00:32:33:06 - 00:32:35:08 and the final version may be slightly different, 00:32:35:08 - 00:32:37:01 but this is what we have as of now. 00:32:37:01 - 00:32:41:07 So, one thing that we discussed was the current set of values, 00:32:41:07 - 00:32:42:10 if you see method. Right. 00:32:42:10 - 00:32:45:15 It's a simple string, which is automated or manual or something. 00:32:45:15 - 00:32:49:07 And we discussed that potentially we can expand the method scope 00:32:49:07 - 00:32:53:11 to allow user-defined values, so we can have a namespace also with the value, 00:32:53:13 - 00:32:56:04 and that namespace would define what that value means. Right. 00:32:56:04 - 00:32:59:06 So that the user can extend the values that are coming 00:32:59:07 - 00:33:02:21 from OSCAL with their own value and provide a meaning to that. 00:33:02:21 - 00:33:02:24 Right. 00:33:02:24 - 00:33:06:07 So that's one of the extensions or enhancements that we are discussing. 00:33:06:11 - 00:33:10:02 Second thing, there is a confidence score, which is a simple string. 00:33:10:02 - 00:33:15:02 And what we are proposing is to extend it to have a numeric score value.
00:33:15:02 - 00:33:19:03 And the reason for that is, if you are using AI tools to do this 00:33:19:03 - 00:33:22:06 automated mapping, most of the tools do provide some confidence score, 00:33:22:06 - 00:33:23:05 how confident 00:33:23:05 - 00:33:26:07 the AI tool was about this mapping, so we can put that score 00:33:26:07 - 00:33:29:02 and then we can also have a string to describe that. 00:33:29:02 - 00:33:30:10 And we are also discussing 00:33:30:10 - 00:33:33:14 if we can have categorical values instead of purely numeric. 00:33:33:14 - 00:33:36:08 We can also discuss to have categorical values over here. 00:33:36:08 - 00:33:37:13 And the third extension 00:33:37:13 - 00:33:40:13 or enhancement that we are looking at is putting a coverage. 00:33:40:13 - 00:33:44:17 This will say how much of my regulation is getting covered, 00:33:44:17 - 00:33:48:10 so that it gives an overall idea of what is the overlap 00:33:48:10 - 00:33:50:11 and how much additional effort or work 00:33:50:11 - 00:33:54:00 is needed to support this new framework or the regulation that will work. 00:33:54:13 - 00:33:55:18 Going to the mapping. 00:33:55:18 - 00:33:59:06 So again here, we have extension, as I said, right. 00:33:59:07 - 00:34:01:17 Method that we define here, we have an extension here. 00:34:01:17 - 00:34:04:24 If the method is the same, we do not need to put it here because this is optional. 00:34:04:24 - 00:34:06:13 Otherwise this would override it. 00:34:06:13 - 00:34:09:18 For the confidence score, we can have it at both the places. 00:34:09:18 - 00:34:11:05 And both the places are optional. 00:34:11:05 - 00:34:14:00 If we have a confidence score at the individual map level, 00:34:14:00 - 00:34:17:00 then it would signify how confident we are for 00:34:17:00 - 00:34:20:00 this specific mapping between the source and the target set of controls. 00:34:20:00 - 00:34:20:09 Right.
00:34:20:09 - 00:34:23:11 Whereas the confidence score at the provenance level would specify 00:34:23:13 - 00:34:26:21 the overall confidence across all the mappings, control mappings. 00:34:26:22 - 00:34:29:01 And this is for the specific control mapping. 00:34:29:01 - 00:34:31:10 Again the coverage here, it's an optional field 00:34:31:10 - 00:34:34:11 which would specify what is the coverage between these two, source 00:34:34:11 - 00:34:35:21 and the target set of controls. 00:34:35:21 - 00:34:39:14 Whereas the coverage at the provenance level would capture the overall coverage 00:34:39:19 - 00:34:41:04 across the two regulations. 00:34:41:04 - 00:34:41:22 So these are 00:34:41:22 - 00:34:45:20 some of the extensions that we are discussing as part of the OSCAL Foundation. 00:34:46:00 - 00:34:47:11 These are not yet final. 00:34:47:11 - 00:34:50:11 And based on the input from the members of what they have, 00:34:50:18 - 00:34:53:18 we will take a call to decide whether we want to keep it this way 00:34:53:18 - 00:34:56:21 or whether there are some additional things that we need to capture here. 00:34:57:11 - 00:35:01:14 I would just quickly go through how this whole mapping model 00:35:01:16 - 00:35:05:17 can be used to basically simplify or scale adoption 00:35:05:17 - 00:35:09:08 of new regulations if you already have one framework implemented. 00:35:09:11 - 00:35:13:20 For example, suppose the first framework that you implement is the NIST 800-53 catalog. 00:35:13:20 - 00:35:17:10 We can create a profile out of it based on the organizational requirements. 00:35:17:10 - 00:35:21:22 Then we create a component definition for how those controls are implemented. 00:35:21:22 - 00:35:25:04 We can also capture specific technical rules for those controls 00:35:25:04 - 00:35:28:11 that the organization and different software and services have implemented.
00:35:28:11 - 00:35:32:10 And based on that we create an assessment plan only for that NIST 800-53 00:35:32:10 - 00:35:34:14 and create the posture. Now suppose 00:35:34:14 - 00:35:37:24 I need to support a new regulation, which in this case is the PCI catalog. 00:35:38:03 - 00:35:39:07 How do I do that? Right. 00:35:39:07 - 00:35:43:14 How can I make the most use of my already existing implementation? 00:35:43:14 - 00:35:46:13 And I only need to tell that it is not getting covered. Right. 00:35:46:13 - 00:35:50:05 So the whole idea is basically I would try to map the PCI controls to the 00:35:50:06 - 00:35:51:00 NIST controls. Right. 00:35:51:00 - 00:35:55:04 And we use the mapping model that this has created to actually capture 00:35:55:04 - 00:35:56:04 that information. Right. 00:35:56:04 - 00:35:59:20 And then we will identify which controls as part of that mapping, identify 00:35:59:20 - 00:36:01:12 which controls are getting fully covered, 00:36:01:12 - 00:36:03:19 which are partially covered, or which are not covered at all. 00:36:03:19 - 00:36:06:21 And then for those partially covered and not covered controls, 00:36:06:21 - 00:36:10:07 we will create new rules and map them to the controls, to identify 00:36:10:07 - 00:36:14:08 what needs to be done for those partially or uncovered controls, and add 00:36:14:08 - 00:36:18:17 this information to the delta PCI component definition that we create. 00:36:18:17 - 00:36:19:03 Right. Okay. 00:36:19:03 - 00:36:20:24 So these are the additional things that I need 00:36:20:24 - 00:36:23:05 for PCI controls that are not getting covered. Right. 00:36:23:05 - 00:36:25:23 And once I create this delta PCI component definition, 00:36:25:23 - 00:36:29:09 I can then create an assessment plan which is the union of my original 00:36:29:09 - 00:36:31:20 component definition, which is for only NIST 800-53, 00:36:31:20 - 00:36:35:22 plus this delta, and perform the assessment based on the union of these two.
00:36:36:00 - 00:36:39:03 And once I get the posture results, assessment results, 00:36:39:03 - 00:36:42:03 for this, using this one common assessment result, 00:36:42:05 - 00:36:47:09 I can create posture for both NIST 800-53 and for the PCI DSS. 00:36:47:09 - 00:36:47:21 Right. 00:36:47:21 - 00:36:48:17 So you see. 00:36:48:17 - 00:36:50:16 Right. The idea is, once I do the mapping, 00:36:50:16 - 00:36:52:16 I identify what delta needs to be done. 00:36:52:16 - 00:36:54:23 I create the component definition for that delta. 00:36:54:23 - 00:36:58:05 I do the implementation and perform additional assessment for that delta 00:36:58:07 - 00:37:01:12 and then reuse the posture that was available earlier 00:37:01:12 - 00:37:04:03 with this delta and create the posture for my new regulation. Right. 00:37:04:03 - 00:37:05:22 So this would help quickly scale up 00:37:05:22 - 00:37:09:01 adding new regulations, supporting new regulations in the organization. 00:37:09:16 - 00:37:11:00 So what are the next steps? 00:37:11:00 - 00:37:11:08 Okay. 00:37:11:08 - 00:37:14:20 So, we are in discussions in the OSCAL Foundation. 00:37:14:21 - 00:37:17:24 We are discussing all these use cases that different members bring, 00:37:17:24 - 00:37:21:15 and we are in the process of discussing those, stretching it out 00:37:21:15 - 00:37:24:02 and finalizing the changes to the mapping model 00:37:24:02 - 00:37:26:22 as part of the OSCAL Foundation Technical Working Group. 00:37:26:22 - 00:37:30:06 Once we identify the extensions or enhancements, 00:37:30:06 - 00:37:33:09 we will also create examples based on those proposed changes 00:37:33:16 - 00:37:36:16 to explain how those enhancements are going to be used, 00:37:36:16 - 00:37:39:16 so that the usage of those enhancements becomes clear. 00:37:39:19 - 00:37:44:10 And once that happens, we will update the OSCAL schema with those enhancements.
00:37:44:10 - 00:37:47:21 And then we will push it to the NIST OSCAL GitHub so that 00:37:47:23 - 00:37:50:22 the NIST team can go ahead and review those enhancements, 00:37:50:22 - 00:37:54:18 discuss it internally and then merge it into the core OSCAL schema. 00:37:54:20 - 00:37:57:21 And once that gets updated, obviously the next step would be to create 00:37:57:21 - 00:38:01:12 a new release of the OSCAL model with this new mapping model included. 00:38:01:14 - 00:38:04:20 So this is a process; we are in the middle of this process 00:38:04:20 - 00:38:08:14 where we have discussed the current use cases that members have brought, 00:38:08:16 - 00:38:12:10 and try to come up with a solution so that those various requirements 00:38:12:10 - 00:38:14:19 and use cases can be supported. 00:38:14:19 - 00:38:17:11 So if you want to contribute, how can you start? 00:38:17:11 - 00:38:18:19 As Stephen already mentioned, right, 00:38:18:19 - 00:38:21:23 please get involved in the OSCAL Foundation Technical Working Group. 00:38:22:01 - 00:38:23:13 Please join the calls. 00:38:23:13 - 00:38:25:17 Bring your use cases and examples. 00:38:25:17 - 00:38:30:06 Share your needs, explain them to other members so that we also understand. 00:38:30:06 - 00:38:32:23 And then let us collectively mature the mapping model. Right. 00:38:32:23 - 00:38:36:21 So based on everyone's requirements and the discussions that we have 00:38:36:21 - 00:38:40:00 in the OSCAL Foundation, we can probably 00:38:40:00 - 00:38:43:23 mature this model quickly and then propose the enhancements on this 00:38:43:24 - 00:38:47:18 so that we can have a release of a new OSCAL version with the OSCAL 00:38:47:18 - 00:38:49:01 mapping model included. 00:38:49:01 - 00:38:49:17 Thank you. 00:38:49:17 - 00:38:50:11 That's all I had. 00:38:50:11 - 00:38:52:15 We can take questions now. Yes. Thank you.
00:38:52:15 - 00:38:53:06 I don't know 00:38:53:06 - 00:38:57:15 if the audience is interested in being on the record with the questions, 00:38:57:24 - 00:39:01:13 but I think that I would like at least some of mine 00:39:01:20 - 00:39:05:23 that reflect the conversation we are having in the chat to be on record 00:39:06:01 - 00:39:10:10 for the audience to later be able to review or better understand. 00:39:10:12 - 00:39:14:01 So we are talking here about source and target, 00:39:14:05 - 00:39:17:05 and I think that the example says my source is 00:39:17:05 - 00:39:20:08 PCI and my target is 800-53. 00:39:20:10 - 00:39:23:03 When NIST designed the model, and this is crucial, 00:39:23:03 - 00:39:25:15 we had in mind, based on our polling 00:39:25:15 - 00:39:28:22 around the world, actually the communities, what do you want to do. 00:39:28:22 - 00:39:33:10 So you want to assess once and report multiple times. 00:39:33:10 - 00:39:38:22 So in our mind, the source is the one for your technical controls. 00:39:38:22 - 00:39:42:07 If you think in terms of hyperscale or those custom controls 00:39:42:07 - 00:39:46:24 that your organization is implementing, and those are mapped to targets, 00:39:46:24 - 00:39:50:01 and you can have those mapped to multiple targets. 00:39:50:01 - 00:39:54:03 And then when you are doing your assessment on your source, 00:39:54:09 - 00:39:58:17 then based on the results on your source, you can project on the target 00:39:58:17 - 00:39:59:19 that you are covered. 00:39:59:19 - 00:40:02:04 The particular percentage, some control, 00:40:02:04 - 00:40:06:06 some are a gap or some of them you need to do some extra. 00:40:06:06 - 00:40:07:09 So this was the 00:40:07:09 - 00:40:09:12 thought that we had. Based on this presentation, 00:40:09:12 - 00:40:13:07 in the conversation, the chat, I think that the projection is on the opposite. 00:40:13:07 - 00:40:16:24 So you assess on the target and project on the source.
00:40:17:04 - 00:40:20:24 This is very important for the entire world to use the model 00:40:20:24 - 00:40:22:19 in a consistent way. 00:40:22:19 - 00:40:26:11 Because when you have a coverage there, what is the coverage going to represent, 00:40:26:13 - 00:40:29:17 the metadata or a coverage of the relation? 00:40:30:00 - 00:40:32:21 If I have AC-2 and I implemented 00:40:32:21 - 00:40:37:22 AC-2 A to H, or those are in scope for me, for my system, 00:40:38:00 - 00:40:40:22 and then those are mapped to, let's say as a target, 00:40:40:22 - 00:40:45:21 PCI or as a target, talk to and I can only map 00:40:46:04 - 00:40:50:00 AC-2 A and AC-2 B to those targets. 00:40:50:06 - 00:40:52:17 I do have a gap also on my source. 00:40:52:17 - 00:40:56:13 Is that important to not run all the other tests, to not provide 00:40:56:13 - 00:40:58:08 more information than is needed? 00:40:58:08 - 00:41:01:18 Is it important to know that there are some, 00:41:01:20 - 00:41:06:05 maybe my targets are 100% covered, so when we have a coverage 00:41:06:05 - 00:41:10:19 there as a percentage, do I know that A and B were covered? 00:41:10:19 - 00:41:13:16 Do I know that A and B were covered, that were mapped? 00:41:13:16 - 00:41:17:23 Those are details that the community needs to help us come forward 00:41:18:04 - 00:41:23:04 and create a model that allows it to be used consistently, for the machine to understand, 00:41:23:09 - 00:41:25:02 and that allows to 00:41:25:02 - 00:41:28:18 polish the model to meet your requirements and your understandings. 00:41:28:22 - 00:41:32:08 If one wants to use a relation and you determine that relation. 00:41:32:08 - 00:41:34:16 And I gave that example at length.
00:41:34:16 - 00:41:37:21 If I have a source that says implement TLS, 00:41:38:03 - 00:41:43:02 and I have then a target that says implement TLS 1.2 and above 00:41:43:02 - 00:41:47:08 or 1.3 and above, how do you put that relation in there in set theory, 00:41:47:11 - 00:41:51:06 which one is a subset or superset of the other one? 00:41:51:06 - 00:41:54:06 So if you just look at the information as we perceive it, 00:41:54:08 - 00:41:55:20 is that this should be used. 00:41:55:20 - 00:41:58:20 But the information that is in front of you, not of how 00:41:58:20 - 00:42:04:08 you can satisfy that requirement, break your requirement into teeny tiny 00:42:04:08 - 00:42:08:04 things of what it asks you to do, because you'll have to have a test 00:42:08:04 - 00:42:09:18 for every single one and see, 00:42:09:18 - 00:42:13:14 do you have more or less on the source versus the target? 00:42:13:18 - 00:42:18:07 So to me, and the way I think that this should be used, is implement 00:42:18:07 - 00:42:26:00 TLS is a subset of implement TLS 1.2 or above, because when I need to assess implement 00:42:26:00 - 00:42:30:24 TLS 1.2 and above, I have multiple things to test and do. 00:42:31:04 - 00:42:33:19 So if I just test for implement TLS, 00:42:33:19 - 00:42:37:08 my target is only tested for half of the requirement. 00:42:37:11 - 00:42:40:20 Of course this might be a reversible relation. 00:42:40:20 - 00:42:45:21 But to simplify, we are thinking that we only use this process in one direction, 00:42:45:21 - 00:42:47:03 because reverting it, 00:42:47:03 - 00:42:51:05 you just flip the data and you can do that and you have those relations with you, 00:42:51:05 - 00:42:55:13 because they are not always easy to revert for more complex situations.
00:42:55:17 - 00:42:59:02 So all those sorts of things that I wanted to capture on the record. 00:42:59:04 - 00:43:02:10 I want us to think as a community to come 00:43:02:10 - 00:43:07:11 with the best approach to providing a model that is not opinionated, 00:43:07:11 - 00:43:11:04 that allows you to use it in any situations that you have, 00:43:11:08 - 00:43:14:08 but to be consistent, because you could come and say 00:43:14:08 - 00:43:18:12 implement TLS is a superset of implement TLS 1.2 00:43:18:12 - 00:43:21:12 just because you can have more technical solutions. 00:43:21:15 - 00:43:22:22 Then it's a completely different 00:43:22:22 - 00:43:26:22 state of mind and tools that are implemented to make judgments, 00:43:26:24 - 00:43:31:10 and the reporting automatically will just not be able to use it consistently. 00:43:31:17 - 00:43:36:11 And that's all I had to say. I will probably stop the recording for the community 00:43:36:11 - 00:43:40:14 to feel more comfortable to come forward and discuss the mapping model. 00:43:40:14 - 00:43:42:04 Thank you to our presenters.