00:00:00:00 - 00:00:04:20 So as Michaela mentioned, I'm Travis Howerton. I'm the Co-founder and CEO here at RegScale.
00:00:04:22 - 00:00:09:07 With me, I've got Dave Waltermire, who many of you know in the community as well.
00:00:09:08 - 00:00:12:13 We're going to show you a little bit of what we've been up to at
00:00:12:13 - 00:00:15:18 RegScale with OSCAL, specifically OSCAL Hub.
00:00:15:18 - 00:00:16:22 So I'll share my desktop.
00:00:19:19 - 00:00:22:10 And so today we're going to talk a little bit about OSCAL Hub.
00:00:22:10 - 00:00:23:23 You see RegScale at the top.
00:00:23:23 - 00:00:26:13 This would probably be the first and last time we'll talk about RegScale.
00:00:26:13 - 00:00:29:05 So we're a commercial company, venture backed.
00:00:29:05 - 00:00:31:11 We do a lot of different work in this space,
00:00:31:11 - 00:00:33:23 but we're not going to talk about any of our commercial products.
00:00:33:23 - 00:00:37:09 All we're going to talk about today are open source contributions
00:00:37:09 - 00:00:41:14 by RegScalers to the community and specifically OSCAL Hub
00:00:41:14 - 00:00:46:15 and some of the related OSCAL things that we have put out here recently.
00:00:46:18 - 00:00:48:05 What is OSCAL Hub?
00:00:48:05 - 00:00:50:22 We are members of the OSCAL Foundation.
00:00:50:22 - 00:00:54:01 What we want to do there is provide easy tools
00:00:54:01 - 00:00:57:24 that sort of lower the learning curve for interacting with OSCAL content.
00:00:57:24 - 00:01:01:15 And so that's what we're fundamentally trying to do with OSCAL Hub:
00:01:01:15 - 00:01:04:21 create sort of a shared resource that the community can use.
00:01:04:21 - 00:01:07:02 That solves really a couple of problems.
00:01:07:02 - 00:01:09:04 One is we hear from a lot of folks
00:01:09:04 - 00:01:12:05 that they want an easier ability to share OSCAL content.
00:01:12:05 - 00:01:15:11 So finding content can be tricky other than some of the stuff
00:01:15:11 - 00:01:17:22 that NIST and FedRAMP and others have put out.
00:01:17:22 - 00:01:21:05 So we thought we would create sort of a hub for sharing content:
00:01:21:05 - 00:01:24:08 catalogs, profiles, component definitions, etc.
00:01:24:12 - 00:01:28:11 Also, the technical excellence of OSCAL is great,
00:01:28:11 - 00:01:31:15 but it can be a little daunting if you're not an engineer,
00:01:31:15 - 00:01:35:12 if you don't have a data background, if you're not used to working in that way.
00:01:35:12 - 00:01:37:21 And so what we wanted to do was give some GUI-based tools.
00:01:37:21 - 00:01:39:24 And so we're going to demonstrate some of that, things
00:01:39:24 - 00:01:42:18 that you've been able to do forever in the CLI.
00:01:42:18 - 00:01:46:09 We've wrapped a visual experience over the top of it so you can do things
00:01:46:09 - 00:01:50:16 like see what's in an OSCAL document, validate, convert formats, things
00:01:50:16 - 00:01:53:16 that you can do with the CLI, you can now do in the GUI.
00:01:53:22 - 00:01:55:06 At the end of the day, we want you to be able
00:01:55:06 - 00:01:59:05 to interact with OSCAL in whatever way makes sense for you.
00:01:59:06 - 00:02:01:10 So we want to improve the tooling ecosystem.
00:02:01:10 - 00:02:03:19 So the CLIs have existed for a while.
00:02:03:19 - 00:02:07:13 Dave is going to talk a little bit about some things he's doing there.
00:02:07:18 - 00:02:10:03 But also we've wrapped that in an API.
00:02:10:03 - 00:02:14:02 So if you have sort of an application use case
00:02:14:02 - 00:02:17:21 and you'd like to be able to call it programmatically via API versus CLI,
00:02:18:01 - 00:02:21:13 we can support that now in OSCAL Hub, and then the web interface
00:02:21:13 - 00:02:24:22 as well for the lowest barrier to entry to adoption.
00:02:25:02 - 00:02:26:11 So why did we build it?
00:02:26:11 - 00:02:28:24 This is a free, open source set of things.
00:02:28:24 - 00:02:32:04 Basically, we want to lower the learning curve as part of our work
00:02:32:04 - 00:02:35:21 supporting the foundation, and anything we can do to get broader adoption.
00:02:35:24 - 00:02:39:20 Adoption comes with great tooling and sort of a simple user experience.
00:02:39:20 - 00:02:42:23 And so we're trying to help contribute to that in a meaningful way.
00:02:43:00 - 00:02:46:18 We're also actively recruiting people who, we're looking for groups.
00:02:46:18 - 00:02:48:06 So if you want to go on a quest with us
00:02:48:06 - 00:02:51:06 to help contribute to these things, we'd be happy to collaborate with you.
00:02:51:07 - 00:02:54:04 We also want to make it easy to host OSCAL content.
00:02:54:04 - 00:02:57:06 Like, I'm very used to working in a package manager world
00:02:57:06 - 00:03:00:03 where if I need a Python library, I can pip install it.
00:03:00:03 - 00:03:03:07 If I need a TypeScript library, I can npm install it.
00:03:03:10 - 00:03:07:12 We want sort of the same ease of use to grab OSCAL content wherever it may be.
00:03:07:16 - 00:03:09:14 And we want no barriers to entry here.
00:03:09:14 - 00:03:13:08 So everything we're going to show you is open source and completely free.
00:03:14:01 - 00:03:16:03 And there are four things we're going to go into.
00:03:16:03 - 00:03:19:05 One is there's a hosted version of OSCAL Hub.
00:03:19:05 - 00:03:21:05 I'm going to demo a version of that.
00:03:21:05 - 00:03:22:24 You'll get to see it first hand,
00:03:22:24 - 00:03:23:22 how it works.
00:03:23:22 - 00:03:26:21 We host a version of that that you can sign up for.
00:03:26:21 - 00:03:28:22 If you don't want to sign up,
00:03:28:22 - 00:03:30:23 I know that is a barrier with some people,
00:03:30:23 - 00:03:34:00 there's also the OSCAL GitHub repo here on the right.
00:03:34:02 - 00:03:37:18 You can go download it directly, spin up containers, run it yourself.
00:03:37:18 - 00:03:40:19 So there's nothing that requires you to use our hosted version
00:03:40:19 - 00:03:42:06 or give us any information.
00:03:42:06 - 00:03:43:11 But if you just want to be able
00:03:43:11 - 00:03:47:06 to log in and play around, we do host a version for the community.
00:03:47:10 - 00:03:49:10 There's OSCAL Hub CLI.
00:03:49:10 - 00:03:52:14 Dave will talk a little bit about some enhancements he's been working on there.
00:03:52:18 - 00:03:57:02 And then recently they've put out some capabilities around Claude
00:03:57:05 - 00:04:01:01 to sort of superpower it for working with OSCAL content.
00:04:01:01 - 00:04:02:20 And so he'll demo some of that as well.
00:04:02:20 - 00:04:05:06 So those will be sort of the four things you're going to see
00:04:05:06 - 00:04:06:23 throughout this session together.
00:04:07:16 - 00:04:09:06 With that I'm going to switch here
00:04:11:01 - 00:04:12:24 and hop into OSCAL Hub.
00:04:12:24 - 00:04:15:04 So here's sort of the version of OSCAL Hub
00:04:15:04 - 00:04:18:06 that's running. You land on a marketing page that tells you
00:04:18:06 - 00:04:22:05 what it is, why you'd want to use it, gives you some links to documentation.
00:04:22:10 - 00:04:26:18 If you want to get started, you can go to OSCALHub.com, sign up now,
00:04:26:18 - 00:04:28:20 get an account and start playing around.
00:04:29:02 - 00:04:32:24 I'm going to go log in as sort of a regular user here.
00:04:36:15 - 00:04:40:15 We've also in this release improved security across the platform.
00:04:40:15 - 00:04:43:15 So MFA is fully implemented here.
00:04:46:22 - 00:04:47:06 All right.
00:04:47:06 - 00:04:50:06 And so the first thing you'll do when you log in to OSCAL Hub
00:04:50:06 - 00:04:52:24 is you can see there's one or many organizations.
00:04:52:24 - 00:04:55:24 So you can build your own organizations.
00:04:55:24 - 00:04:57:20 You can assign people to it.
00:04:57:20 - 00:05:01:05 You can share content across organizations, or you can keep content
00:05:01:05 - 00:05:03:20 just private to the organization that you're working in.
00:05:03:20 - 00:05:05:22 And when you click it, it's going to take you into sort
00:05:05:22 - 00:05:08:22 of an interactive experience that you see here.
00:05:09:00 - 00:05:12:08 There's some quick tiles that let you do a variety of things,
00:05:12:15 - 00:05:15:15 starting with the library, which is the core of OSCAL Hub.
00:05:15:23 - 00:05:19:12 If what I want to do is share content, we give you an easy way to do that.
00:05:19:16 - 00:05:21:09 So you can go in and browse.
00:05:21:09 - 00:05:24:12 You can see any different OSCAL files that are available.
00:05:24:20 - 00:05:27:05 I can search, I can upload new ones.
00:05:27:05 - 00:05:32:05 I can get a feel for the most popular ones, who's using it, downloading it, etc.
00:05:33:07 - 00:05:36:13 If I go into one, I have the ability to rate the content.
00:05:36:13 - 00:05:38:14 I have the ability to comment on it,
00:05:38:14 - 00:05:43:00 if there are flaws I find in it, feedback I want to give to the content
00:05:43:00 - 00:05:43:16 owner.
00:05:43:16 - 00:05:47:03 If you own this content, I can upload new versions over time.
00:05:47:10 - 00:05:49:24 All the history of the versions is maintained here,
00:05:49:24 - 00:05:52:24 but it gives you sort of a central library for managing
00:05:52:24 - 00:05:56:11 all of your OSCAL content and sharing it with the community.
00:05:56:13 - 00:05:59:11 So anything you're working on, whether they are test files,
00:05:59:11 - 00:06:02:11 or things that you want to share with others.
00:06:02:11 - 00:06:04:12 Maybe you're a vendor and you want to build
00:06:04:12 - 00:06:07:14 a component definition for your technology and share it.
00:06:07:14 - 00:06:10:05 It gives you sort of an easy way to do that.
00:06:10:05 - 00:06:14:07 And so that's the main part here that you see in the OSCAL library.
00:06:14:19 - 00:06:17:03 I will say this is very much alpha code.
00:06:17:03 - 00:06:21:04 So we are just getting this out in the spirit of getting feedback.
00:06:21:06 - 00:06:24:07 We are open to feedback on new features, things you want to see.
00:06:24:07 - 00:06:27:20 But basically we view this as sort of, maybe just behind proof
00:06:27:20 - 00:06:30:13 of concept level of sort of what we can do here.
00:06:30:13 - 00:06:32:23 I also got some feedback that people want to be able
00:06:32:23 - 00:06:34:15 to manage their authorizations.
00:06:34:15 - 00:06:37:15 So maybe I get an ATO package in OSCAL,
00:06:37:16 - 00:06:40:22 can I put that through an ATO type workflow?
00:06:40:24 - 00:06:44:08 So here I can see a variety of packages that I've built.
00:06:44:08 - 00:06:46:01 I can see a calendar of
00:06:46:01 - 00:06:50:24 which ones were recently authorized, overdue, expiring soon, etc.
00:06:51:04 - 00:06:54:07 But we want to give you sort of an easy way to take an OSCAL package
00:06:54:07 - 00:06:55:19 and put it through a workflow.
00:06:55:19 - 00:06:57:11 Again, proof of concept level.
00:06:57:11 - 00:07:01:22 But here I can see the different OSCAL SSP files
00:07:01:22 - 00:07:05:17 that I've uploaded, so I can pick one that I want to work with, that one.
00:07:06:10 - 00:07:10:20 I can also go grab a SAR package as well for my assessment.
00:07:11:04 - 00:07:14:04 Fill out some details. So,
00:07:14:07 - 00:07:17:22 put the date authorized, date I want it to expire.
00:07:21:09 - 00:07:22:24 Here's some basic info.
00:07:26:07 - 00:07:27:13 Put the data here.
00:07:29:20 - 00:07:32:24 Now it's going to visualize a bit of what's in that package.
00:07:32:24 - 00:07:37:23 So I can see some information around the categorization, information types,
00:07:38:04 - 00:07:42:10 some of the people described in there, which families
00:07:42:10 - 00:07:45:24 and controls are in that package, sort of the status of them,
00:07:46:08 - 00:07:47:22 my asset inventory,
00:07:48:17 - 00:07:54:18 my audit. I can see by family how the audit went, which sort of controls were assessed,
00:07:55:00 - 00:07:58:19 my distribution of compliance of those controls,
00:07:59:11 - 00:08:02:01 and then a list of findings that came out of the audit
00:08:02:01 - 00:08:05:19 for the various issues, all just by loading OSCAL files.
00:08:05:19 - 00:08:07:19 So it's just reading this in and giving you
00:08:07:19 - 00:08:10:02 sort of a high level dashboard of what's in it.
00:08:10:02 - 00:08:12:02 Next I can use a template.
00:08:12:02 - 00:08:14:23 You can build your own template, use one out of the box.
00:08:14:23 - 00:08:18:05 But the idea here is now I want to go authorize this.
00:08:18:05 - 00:08:20:04 So I take my authorization template
00:08:21:22 - 00:08:23:15 and I just fill in the parameters.
00:08:23:15 - 00:08:26:02 So I'm going to issue it 2...
00:08:27:13 - 00:08:28:02 6
00:08:37:07 - 00:08:40:01 You can see sort of the progress bar completing.
00:08:42:03 - 00:08:43:17 And now it fills out our letter.
00:08:46:08 - 00:08:48:12 I can add any conditions of approval.
00:08:48:12 - 00:08:50:22 Maybe there were things I want fixed.
00:08:50:22 - 00:08:52:03 So I'll say I want...
00:09:08:02 - 00:09:08:14 Add it.
00:09:09:12 - 00:09:11:08 So now I've got my conditions,
00:09:11:21 - 00:09:13:04 I can review my package,
00:09:13:19 - 00:09:14:18 and then at the end,
00:09:15:09 - 00:09:16:02 sign it.
00:09:28:10 - 00:09:28:20 Complete.
00:09:29:15 - 00:09:33:12 And now I've got a new package here in my inventory.
00:09:33:15 - 00:09:37:14 So again, proof of concept of just taking OSCAL files, running them
00:09:37:14 - 00:09:38:15 through the process.
00:09:38:15 - 00:09:41:14 We have a fair amount more we want to do to add to this.
00:09:41:14 - 00:09:44:14 But it gives you sort of a feeling of what you can do there.
00:09:44:19 - 00:09:48:17 Also got some feedback on what I call related things.
00:09:48:18 - 00:09:53:23 Maybe I need an ISSM letter, or I need an ISSO letter or a privacy impact
00:09:53:23 - 00:09:57:19 assessment or some other artifact that I want to attach to that package.
00:09:57:22 - 00:10:01:01 You can now build your artifacts here in markdown.
00:10:01:07 - 00:10:02:02 Fill them out.
00:10:02:02 - 00:10:06:15 Same sharing, rating, searching system that you saw in the other side.
00:10:06:23 - 00:10:09:08 Now, I can attach those artifacts here.
00:10:09:08 - 00:10:12:15 Soon we'll be able to attach those artifacts to an authorization package
00:10:12:18 - 00:10:15:06 and keep all that stuff sort of bundled together.
00:10:15:06 - 00:10:16:10 But those are some of the
00:10:16:10 - 00:10:17:17 core features inside.
00:10:18:03 - 00:10:20:24 Maybe what I want to do, though, is visualize some data.
00:10:20:24 - 00:10:23:22 So I've got an OSCAL file, an SSP here.
00:10:23:22 - 00:10:25:13 It's going to show me whatever's in that.
00:10:25:13 - 00:10:27:14 It's aware of the content type.
00:10:27:22 - 00:10:30:03 It supports all the various ones.
00:10:30:03 - 00:10:32:10 So it tells you what's in your SSP.
00:10:32:10 - 00:10:36:15 If you gave it a SAP, SAR, it'll visualize that, it'll visualize your component,
00:10:36:15 - 00:10:40:16 etc., but just sort of a sneak peek of what's inside that package.
00:10:42:08 - 00:10:44:18 We also have the ability to validate your OSCAL.
00:10:44:18 - 00:10:46:01 So super handy.
00:10:46:01 - 00:10:49:11 You take your document, you upload a new one or pick one you already have.
00:10:49:14 - 00:10:53:08 I'm just going to pick the Awesome Cloud one here, run it
00:10:53:09 - 00:10:56:09 through validation, it tells me whether it passes or fails.
00:10:56:09 - 00:10:58:10 So zero errors, zero warnings.
00:10:58:10 - 00:10:59:18 This document is valid.
00:10:59:18 - 00:11:01:24 Just using the CLI under the hood.
00:11:01:24 - 00:11:05:11 So this is just a user interface for people who don't want to live
00:11:05:11 - 00:11:08:15 in a command line or may be a little scared of that world.
00:11:08:15 - 00:11:11:18 Here's a simple way to do it in a GUI to get the same thing.
00:11:13:11 - 00:11:15:18 I can also convert formats,
00:11:15:18 - 00:11:20:12 so maybe I have an Awesome Cloud one here, an XML doc.
00:11:20:15 - 00:11:23:12 I want to take that XML and convert it to JSON.
00:11:24:05 - 00:11:25:23 Again using the CLI,
00:11:25:24 - 00:11:27:00 does the same thing.
00:11:27:00 - 00:11:29:20 I can now download that .json file.
00:11:29:20 - 00:11:32:22 Got my conversion done super easy, super quick.
00:11:33:00 - 00:11:36:00 No need to mess with command lines, just all drag
00:11:36:00 - 00:11:39:00 and drop GUI-based interface.
00:11:39:04 - 00:11:43:11 Also, we've taken the validation rules so you can see here,
00:11:43:11 - 00:11:47:04 these are all the ones that are sort of built into the CLI today,
00:11:47:06 - 00:11:48:22 about the things it's checking.
00:11:48:22 - 00:11:50:03 You can add your own rules.
00:11:50:03 - 00:11:51:14 So when it validates, it
00:11:51:14 - 00:11:55:14 validates against your specific rules that you want to apply.
00:11:55:23 - 00:11:57:16 So again, trying to make it easier.
00:11:57:16 - 00:12:01:14 I like the concept of thinking of it like a software compiler.
00:12:01:14 - 00:12:04:12 I'm going to go give my compiler all the rules of things
00:12:04:12 - 00:12:05:10 I want it to check.
00:12:05:10 - 00:12:08:10 And then it's going to validate your packages against it.
00:12:08:14 - 00:12:11:17 The stuff I showed you before, you can also do in batch.
00:12:11:19 - 00:12:14:17 So if I want to do multiple files at a time, I can do that.
00:12:16:00 - 00:12:16:18 And you've
00:12:16:18 - 00:12:20:13 got a nice sort of history log of everything that was tried.
00:12:20:13 - 00:12:22:05 Did it work, did it fail?
00:12:22:05 - 00:12:23:21 Here's one that was invalid.
00:12:23:21 - 00:12:26:00 You can see why it failed, etc.,
00:12:26:00 - 00:12:28:13 all within sort of the main dashboard.
00:12:28:13 - 00:12:33:02 So that's the simple user experience of OSCAL Hub.
00:12:34:12 - 00:12:35:21 That's the GUI piece.
00:12:35:21 - 00:12:38:02 Also, I'll note there's an API here.
00:12:38:02 - 00:12:42:03 So maybe I want to do these same things, but I don't want to do it GUI based.
00:12:42:03 - 00:12:45:17 I want to take my tool that I'm building or my GRC
00:12:45:17 - 00:12:49:02 in my agency or whatever it is, and I want to be able to send it OSCAL,
00:12:49:02 - 00:12:52:21 get that same feedback, but I want to do it programmatically.
00:12:53:01 - 00:12:55:03 Rich APIs you can use.
00:12:55:03 - 00:12:57:15 So everything that is available in OSCAL
00:12:57:15 - 00:13:00:24 Hub, there's a nice API interface for it as well.
00:13:01:05 - 00:13:03:06 So you can use that out of the box.
00:13:04:22 - 00:13:07:22 And then there's also, if you are hosting your own,
00:13:07:22 - 00:13:11:06 one last thing I'll show you before I turn this over to Dave.
00:13:13:00 - 00:13:13:18 Just a second
00:13:13:18 - 00:13:16:06 to get through this security.
00:13:16:06 - 00:13:18:23 It's for folks who want to run this themselves.
00:13:18:23 - 00:13:20:23 They don't want to use a hosted version.
00:13:20:23 - 00:13:23:23 We want to give you some better tools for
00:13:24:23 - 00:13:26:23 seeing what's happening in your environment.
00:13:26:23 - 00:13:30:11 So now there's a back end admin panel.
00:13:30:11 - 00:13:32:14 I can create a new organization.
00:13:32:14 - 00:13:33:19 So maybe you're an agency
00:13:33:19 - 00:13:36:23 and you have different components that you want to create orgs for,
00:13:36:23 - 00:13:39:05 so they have their own sandboxes.
00:13:39:05 - 00:13:40:18 I can add users.
00:13:40:18 - 00:13:46:18 I can look at analytics of sort of what's happening inside of my OSCAL Hub instance overall.
00:13:48:10 - 00:13:49:14 Get raw logs.
00:13:49:14 - 00:13:51:04 These are also shippable to a SIEM.
00:13:51:04 - 00:13:54:07 And so if you wanted to run it and be able to monitor this continuously,
00:13:54:07 - 00:13:55:02 there's some nice logging.
00:13:55:02 - 00:13:58:10 Now if you're having trouble, you can see what's up or down.
00:13:58:11 - 00:14:01:22 So for remote observability monitoring you can see the various
00:14:01:22 - 00:14:04:22 pieces enabled in OSCAL Hub here.
00:14:04:24 - 00:14:07:16 Also, we've been working on sort of hardening
00:14:07:16 - 00:14:11:01 the environment so you can see kind of where we're at for SOC 2 today.
00:14:11:01 - 00:14:12:19 There's more work to be done here.
00:14:12:19 - 00:14:13:07 But it gives you
00:14:13:07 - 00:14:17:10 some of the basic controls that are implemented inside the OSCAL Hub.
00:14:17:10 - 00:14:20:15 So if you want to review the documentation, that's available.
00:14:20:22 - 00:14:22:15 And finally, we've added some ability
00:14:22:15 - 00:14:26:19 to set your security policies so you can turn on MFA.
00:14:27:00 - 00:14:29:14 You can set your password complexity, rotation,
00:14:29:14 - 00:14:32:03 how long you want to keep your audit logs, etc.,
00:14:32:03 - 00:14:34:13 so slowly adding some more enterprise
00:14:34:13 - 00:14:38:01 grade supportability features as part of OSCAL Hub.
00:14:38:14 - 00:14:42:06 We'll stop there for my presentation
00:14:42:12 - 00:14:45:11 and turn it over to Dave, who is going to show you
00:14:45:11 - 00:14:49:02 some of what's happening under the hood in the CLI and talk to you
00:14:49:02 - 00:14:52:16 about some cool stuff we are doing with AI and OSCAL.
00:14:52:16 - 00:14:56:13 And then, if you have any questions, we'll take them at the end here, but,
00:14:56:14 - 00:14:58:02 floor is yours, Dave.
00:14:58:02 - 00:14:59:11 Great! Thank you, Travis.
00:14:59:11 - 00:15:03:07 So, Travis mentioned earlier that OSCAL CLI is
00:15:03:07 - 00:15:05:10 kind of used at the core of OSCAL Hub.
00:15:05:10 - 00:15:10:07 What I'm going to be talking about centers around what OSCAL CLI provides.
00:15:10:07 - 00:15:14:23 So essentially OSCAL CLI is a Java based command line tool.
00:15:14:23 - 00:15:19:23 It allows you to do some basic operations with OSCAL content.
00:15:19:23 - 00:15:21:18 It allows you to do things like
00:15:21:18 - 00:15:25:16 convert OSCAL content between the various supported formats
00:15:25:16 - 00:15:29:18 that OSCAL supports, including XML, JSON and YAML.
00:15:29:18 - 00:15:31:08 It allows you to validate
00:15:31:11 - 00:15:35:20 OSCAL content in any of those formats using a rules based engine,
00:15:35:20 - 00:15:37:24 which Travis also touched on.
00:15:37:24 - 00:15:40:24 This allows you to both evaluate the rules that exist within
00:15:40:24 - 00:15:44:14 OSCAL, as well as to define your own rules for validation.
00:15:45:00 - 00:15:48:04 It allows you to do things like resolve OSCAL profiles.
00:15:48:04 - 00:15:51:21 You know, profiles are a way for you to declare what controls are being used
00:15:51:21 - 00:15:56:24 in OSCAL, and profile resolution involves evaluating that to produce
00:15:56:24 - 00:16:00:03 a streamlined catalog that contains only those controls,
00:16:00:05 - 00:16:02:22 as well as any tailoring that you're including.
00:16:02:22 - 00:16:06:22 And then it supports a variety of other features generally working with OSCAL,
00:16:06:23 - 00:16:12:10 like generating XML and JSON schemas from the underlying OSCAL Metaschemas.
00:16:12:10 - 00:16:14:03 Metaschema is the language
00:16:14:03 - 00:16:17:15 that is used in OSCAL to define the OSCAL models.
00:16:17:23 - 00:16:21:00 So in a way, this OSCAL CLI is kind of the plumbing
00:16:21:00 - 00:16:24:10 that makes a lot of the core OSCAL operations work.
00:16:24:21 - 00:16:26:23 So this is a command line tool.
00:16:26:23 - 00:16:29:14 You basically run it in your favorite shell,
00:16:29:14 - 00:16:32:18 and it also can be used in continuous integration,
00:16:32:18 - 00:16:36:11 continuous deployment pipelines, which I'll talk about in a little bit.
00:16:36:17 - 00:16:41:03 But what if you wanted to just chat, and have a conversation
00:16:41:03 - 00:16:45:11 with an AI and be able to use something like OSCAL CLI?
00:16:45:15 - 00:16:48:16 Well, the recent work that we've done with developing some Claude
00:16:48:21 - 00:16:52:24 plugins basically supports that kind of capability.
00:16:53:07 - 00:16:55:16 So let me switch my screen.
00:16:57:01 - 00:16:59:03 So I'm going to switch to
00:16:59:03 - 00:17:01:12 my Claude chat.
00:17:02:00 - 00:17:06:09 So this is a typical Claude Code chat interface.
00:17:06:11 - 00:17:09:04 Basically, it streamlines the Claude models.
00:17:09:04 - 00:17:11:13 In this case, I'm using Claude Opus.
00:17:11:13 - 00:17:12:12 But you can use this
00:17:12:12 - 00:17:15:09 with any of the available Claude models.
00:17:15:09 - 00:17:16:24 What this effectively allows you to do
00:17:16:24 - 00:17:21:17 is have a conversation with the Claude AI, and it will carry out various activities.
00:17:21:21 - 00:17:24:17 Now, it's important to point out that Claude Code is often
00:17:24:17 - 00:17:27:21 used for programming, but it can also be used for writing
00:17:27:21 - 00:17:31:12 documents, editing content, and a variety of other things.
00:17:31:12 - 00:17:33:22 And that's how I intend to use it today.
00:17:33:22 - 00:17:38:20 So within my environment, I have an invalid OSCAL profile.
00:17:38:23 - 00:17:41:23 And so I'm going to have Claude
00:17:42:10 - 00:17:45:15 perform a validation using the OSCAL CLI.
00:17:45:15 - 00:17:48:06 So, I've already loaded the plugins into Claude.
00:17:48:06 - 00:17:51:12 It's already aware of how to use OSCAL CLI
00:17:51:21 - 00:17:54:22 through something that Claude Code uses called a skill.
00:17:54:24 - 00:17:59:14 And so it's going to start to apply this skill when I'm chatting with it.
00:17:59:19 - 00:18:05:23 So this is an example of Claude driving a validation of an OSCAL file.
00:18:05:23 - 00:18:09:22 So you'll see here that it knows that it can use OSCAL CLI.
00:18:09:22 - 00:18:15:13 Based on the plugin that I've configured, it is effectively executing OSCAL
00:18:15:13 - 00:18:21:02 CLI against that content, and it will soon provide the results back to us.
00:18:21:10 - 00:18:25:24 Then, once Claude generates those results, it's going to interpret what those results mean
00:18:25:24 - 00:18:30:15 and basically summarize to us what the underlying problem is.
00:18:32:05 - 00:18:34:10 And Claude takes a little bit of time
00:18:34:10 - 00:18:38:07 to do this evaluation, which it's doing right now.
00:18:38:07 - 00:18:42:09 So, give it just a few more moments to complete this.
00:18:43:23 - 00:18:46:08 So it's executing the command.
00:18:48:19 - 00:18:50:09 And it will be producing...
00:18:50:10 - 00:18:53:04 So now it's processing the results of running that command.
00:18:53:04 - 00:18:56:06 As you can see, the OSCAL CLI produced a variety
00:18:56:06 - 00:18:59:07 of different errors, a variety of different results.
00:18:59:07 - 00:19:03:05 And here is Claude providing a nice summary of what actually failed.
00:19:03:15 - 00:19:07:18 So one of the things we can have Claude do is actually fix these errors.
00:19:07:21 - 00:19:11:08 So I'm going to have Claude fix the underlying errors in the content.
00:19:11:15 - 00:19:15:07 So this is basically telling it generally, like, you know, fix the errors in
00:19:15:07 - 00:19:16:21 the profile, make it valid.
00:19:20:04 - 00:19:22:06 And so now it's analyzing the profile.
00:19:22:06 - 00:19:29:09 It's seeing what is broken and is going to generate a new UUID for-
00:19:30:19 - 00:19:35:10 It's generating a new UUID to use at the document level, since that is
00:19:35:14 - 00:19:39:16 one of the core rules in OSCAL for making a change.
00:19:40:14 - 00:19:43:16 And then it should make the necessary change.
00:19:43:16 - 00:19:47:23 So what it's doing here is, it's replacing the invalid role
00:19:47:23 - 00:19:51:02 that we have with the creator responsible party,
00:19:51:05 - 00:19:52:10 creating a
00:19:52:20 - 00:19:54:16 valid entry for that.
00:19:54:16 - 00:19:59:14 It's going to then also remove any controls that are invalid,
00:19:59:24 - 00:20:04:10 and will bring this profile into alignment.
00:20:04:10 - 00:20:09:06 So now that it's fixed those errors, it's re-validating the profile.
00:20:09:09 - 00:20:13:09 And as you can see, the profile is seen as being valid.
00:20:13:09 - 00:20:16:21 And it's giving you a quick summary of all of the changes that it made.
00:20:17:01 - 00:20:21:15 So next I want to demonstrate how Claude could be used for creating a new profile.
00:20:21:19 - 00:20:25:22 So, in this case, we have a local copy of the 800-53 catalog.
00:20:25:22 - 00:20:30:09 I want to create a new profile that contains only the access controls
00:20:30:11 - 00:20:33:03 within the 800-53 catalog.
00:20:33:03 - 00:20:44:13 And just a refinement to this, I would like to have it add all of the control enhancements explicitly.
00:20:49:02 - 00:20:53:04 By giving this a simple human language instruction, Claude, using the
00:20:53:10 - 00:20:58:06 Claude plugin to gain knowledge about how an OSCAL profile works,
00:20:58:06 - 00:21:01:08 is going to author a new profile.
00:21:01:18 - 00:21:04:16 And so it's writing a quick script to basically do some quick
00:21:04:16 - 00:21:07:21 analysis of the OSCAL catalog.
00:21:07:21 - 00:21:11:20 It's using that to identify the 147 access
00:21:11:20 - 00:21:14:04 controls and control enhancements.
00:21:16:21 - 00:21:17:24 And now,
00:21:19:03 - 00:21:20:13 it's looking to see
00:21:21:17 - 00:21:24:17 how to produce the new OSCAL profile.
00:21:26:22 - 00:21:28:17 And I think this is it.
00:21:31:08 - 00:21:35:13 And again, Claude, working with an AI, is a non-deterministic process.
00:21:35:13 - 00:21:38:14 So every time you run Claude, you're kind of
00:21:38:14 - 00:21:41:15 seeing it try to solve the problem in a slightly different way.
00:21:41:20 - 00:21:45:10 So I'm kind of interpreting what Claude is doing as we go here.
00:21:45:14 - 00:21:48:13 Now, it's actually just generated the
00:21:48:13 - 00:21:52:09 AC controls profile that contains all of those
00:21:55:18 - 00:21:57:11 those controls.
00:21:57:11 - 00:21:59:08 Let me go there.
00:21:59:08 - 00:22:01:11 To go to OSCAL-
00:22:06:06 - 00:22:09:06 So, it just produced the
00:22:10:11 - 00:22:12:04 catalog here.
00:22:13:21 - 00:22:15:17 So let's go look at that.
00:22:16:24 - 00:22:19:16 So here's the profile that it just generated.
00:22:19:16 - 00:22:22:18 And you can see each of the AC controls,
00:22:22:18 - 00:22:25:18 underlying control enhancements.
00:22:25:18 - 00:22:27:15 You can also, let's have it
00:22:28:15 - 00:22:29:24 validate this profile.
00:22:33:07 - 00:22:34:10 Now you'll see it
00:22:34:10 - 00:22:38:14 run OSCAL CLI to validate the new profile.
00:22:38:19 - 00:22:43:08 Claude was able to completely build a profile that is 100% valid.
00:22:44:02 - 00:22:46:22 And so this is an example of how you can use Claude to
00:22:46:22 - 00:22:50:18 do things like select controls and build an OSCAL profile.
00:22:51:00 - 00:22:53:09 You can also have Claude do things like
00:22:55:00 - 00:23:00:17 convert this profile to YAML. That was produced originally
00:23:00:17 - 00:23:03:13 in, I believe, XML.
00:23:03:13 - 00:23:06:06 So we can have it run OSCAL CLI
00:23:06:06 - 00:23:09:10 to convert it from XML to YAML.
00:23:09:21 - 00:23:14:21 It made a mistake running OSCAL CLI the first time. It saw that it did that
00:23:14:21 - 00:23:18:03 and it corrected its syntax, running it correctly the second time.
00:23:18:15 - 00:23:23:21 Now I should be able to look at it in YAML.
00:23:24:03 - 00:23:27:13 And so here's the same profile in YAML.
00:23:28:03 - 00:23:31:13 So we can also use Claude to do more advanced things.
00:23:31:18 - 00:23:34:04 As a scenario, what if we wanted to have it write
00:23:34:04 - 00:23:39:19 an SSP based on the capabilities that exist currently in the repo.
00:23:39:19 - 00:23:44:21 So the repo has a CI/CD, it's got a GitHub Actions workflow
00:23:44:21 - 00:23:48:13 that it runs that does things like validate OSCAL content.
00:23:48:18 - 00:23:51:22 So what if we wanted to document a set of controls for this
00:23:51:22 - 00:23:54:22 repo, based on that basic implementation.
00:23:54:24 - 00:23:57:17 So I wrote a quick prompt for this.
00:23:57:17 - 00:24:01:02 So this is: create a YAML based OSCAL SSP
00:24:01:02 - 00:24:05:17 for this repository based on 800-53. Provide control implementation statements
00:24:05:17 - 00:24:09:04 based on all controls implemented in this repository.
00:24:09:12 - 00:24:13:18 We wanted to analyze the repository files to determine what is implemented. 00:24:13:21 - 00:24:15:05 And for time, I'm going to have it 00:24:15:05 - 00:24:18:23 focus on 2 or 3 controls that are implemented within the repository. 00:24:19:05 - 00:24:21:13 That way it will complete this fairly quickly. 00:24:21:23 - 00:24:24:01 So I'm going to have it do this. 00:24:25:01 - 00:24:29:09 So you're going to see that Claude is accessing the OSCAL SSP skill. 00:24:29:15 - 00:24:34:00 It's starting to analyze the structure of the repository. 00:24:35:20 - 00:24:37:00 So it's doing things 00:24:37:00 - 00:24:40:15 like looking at the CI workflow that exists there. 00:24:40:15 - 00:24:45:12 It's looking at various files, content files, that exist here. 00:24:45:15 - 00:24:51:03 It's really trying to explore all of the content that exists within the repository. 00:24:51:13 - 00:24:54:12 So this is basically running some git 00:24:54:12 - 00:24:59:08 commands to see what is committed against the GitHub repository. 00:24:59:20 - 00:25:04:05 This is it looking at, analyzing, some of the content files 00:25:04:05 - 00:25:07:05 that exist within the repo. 00:25:08:24 - 00:25:11:11 It's probably trying to determine what might be security 00:25:11:11 - 00:25:14:11 relevant versus just OSCAL content. 00:25:15:08 - 00:25:19:01 It's analyzing the 800-53 catalog. 00:25:27:19 - 00:25:29:08 So it's still continuing 00:25:29:08 - 00:25:33:20 to gather information about how to produce an SSP. 00:25:33:24 - 00:25:37:04 So while I let it continue to do that, I wanted to actually switch 00:25:37:06 - 00:25:40:06 and show you one other thing. 00:25:40:10 - 00:25:44:03 So I mentioned that Claude also can be used in a mode 00:25:44:03 - 00:25:49:02 that allows it to work in a CI/CD environment. 00:25:49:02 - 00:25:52:17 So this is the repo that we're using for this demo.
00:25:52:19 - 00:25:57:23 It has a CI/CD workflow that basically is used to 00:25:57:23 - 00:26:01:24 run OSCAL CLI against all the content that exists in the repo. 00:26:02:05 - 00:26:06:05 And then one of the things that GitHub supports is the ability 00:26:06:05 - 00:26:10:11 to upload validation results, static analysis results, 00:26:10:14 - 00:26:11:16 as SARIF files. 00:26:11:16 - 00:26:15:06 SARIF is a standard for static analysis tools. 00:26:15:17 - 00:26:19:11 And when you do that, it allows GitHub to become aware of errors 00:26:19:14 - 00:26:22:05 that appear within those SARIF results. 00:26:22:05 - 00:26:27:19 And it can do things like annotate files, and log and track issues within content. 00:26:27:19 - 00:26:33:15 So I'm using that SARIF support in GitHub to essentially catalog the 00:26:33:15 - 00:26:38:18 validation errors that are found in content files that are published to this repo. 00:26:38:18 - 00:26:42:22 And so this workflow will run every time I make a commit against the repo; 00:26:42:22 - 00:26:46:02 it will validate all of the content and post issues. 00:26:46:06 - 00:26:49:07 So what that ends up resulting in is issues 00:26:49:07 - 00:26:52:19 being logged inside code scanning results. 00:26:52:19 - 00:26:56:13 And so these issues can represent security issues or just, you know, content 00:26:56:13 - 00:26:57:14 validation issues. 00:26:57:14 - 00:27:00:06 In this case, it's a content validation issue. 00:27:00:06 - 00:27:05:09 But because of the context that OSCAL CLI includes in the SARIF results, 00:27:05:09 - 00:27:10:09 it can do some pretty advanced things, like identify where exactly inside the content 00:27:10:09 - 00:27:13:04 there are errors and point you directly to that. 00:27:13:04 - 00:27:16:02 Here there's a way to effectively track 00:27:16:02 - 00:27:19:11 resolution of these content issues over time. 00:27:19:22 - 00:27:21:16 So I just wanted to show that off
00:27:21:16 - 00:27:24:18 while Claude was finishing up doing its analysis. 00:27:25:10 - 00:27:29:16 So let me switch back to Claude, which is close to wrapping up. 00:27:30:13 - 00:27:32:02 All right, here we are. 00:27:32:02 - 00:27:37:12 So Claude's been doing some analysis of the structure of controls. 00:27:38:21 - 00:27:41:11 And it's close to building out 00:27:41:11 - 00:27:44:12 the correct control statements and the article content. 00:27:52:17 - 00:27:58:00 Again, sometimes AIs make errors, and so it's working on correcting its error. 00:28:07:12 - 00:28:10:17 It's working to try to work out how to- 00:28:11:05 - 00:28:13:22 I apologize, Claude just... 00:28:13:22 - 00:28:15:03 just crashed on me. 00:28:15:23 - 00:28:19:10 Let's start again, and I'll have it do something simple. 00:28:20:00 - 00:28:23:11 Always a challenge with producing live demos with an AI. 00:28:23:24 - 00:28:26:11 Just repeating the original prompt. 00:28:26:11 - 00:28:28:18 I'm telling it to approach it a simpler way. 00:28:28:18 - 00:28:30:02 And so 00:28:30:02 - 00:28:33:13 it should be able to finish this up real quick. 00:28:46:00 - 00:28:47:21 And I think what happened in my previous one, 00:28:47:21 - 00:28:50:17 I was talking about the site that actually produced it, but there were 00:28:50:17 - 00:28:53:20 some validation errors, and I was working to try to fix that. 00:28:54:03 - 00:28:55:13 So here, I'm going to stop this. 00:28:55:13 - 00:28:59:03 I'll just show you the SSP that it produced so far. 00:29:03:06 - 00:29:04:17 In contact 00:29:06:02 - 00:29:09:17 with the sample SSP in JSON. 00:29:11:01 - 00:29:15:10 So here is the basic SSP that it produced. 00:29:15:10 - 00:29:16:14 As you can see, it has 00:29:16:14 - 00:29:20:14 all of the typical things that would be included in an SSP. 00:29:20:14 - 00:29:24:13 So there is a characterization of impact; 00:29:24:16 - 00:29:30:08 there are roles, user roles within the system.
00:29:30:14 - 00:29:33:18 There's a component that represents the system. 00:29:33:22 - 00:29:35:17 There's a control implementation. 00:29:35:17 - 00:29:40:03 So it built a single control implementation around AC-1 00:29:40:06 - 00:29:43:09 and provided a narrative around that, 00:29:43:22 - 00:29:46:23 basically describing the, 00:29:48:04 - 00:29:51:04 you know, how AC-1 is being implemented here. 00:29:51:18 - 00:29:54:18 So I think I will stop there for this demo, 00:29:54:21 - 00:29:57:21 then we can talk about any questions that you have. 00:29:57:21 - 00:29:58:20 Real quick. 00:29:59:04 - 00:30:00:06 Let me share here. 00:30:01:11 - 00:30:03:13 I think we just had two quick 00:30:03:13 - 00:30:06:24 wrap-up slides, so you kind of know who we are, what we do. 00:30:07:02 - 00:30:10:06 One, there's a QR code if you want to learn more about RegScale, 00:30:10:06 - 00:30:13:09 interact with our team, do deeper dives on these things. 00:30:13:09 - 00:30:14:04 We're happy to. 00:30:14:04 - 00:30:16:19 And again, I'm Travis Howerton, with Dave Waltermire, 00:30:16:19 - 00:30:20:00 very happy to answer any questions that you guys have. 00:30:20:00 - 00:30:23:16 And there were several questions that I saw going in around licensing. 00:30:23:16 - 00:30:26:09 When the slides go out, each of these is a link. 00:30:26:09 - 00:30:27:04 When you click on them, 00:30:27:04 - 00:30:31:00 you'll be able to go see the GitHub repo and all the information, 00:30:31:03 - 00:30:34:03 pull down the code, see the license info, etc. 00:30:34:03 - 00:30:37:04 I think the first question for you, Dave, was, for the OSCAL 00:30:37:04 - 00:30:40:15 Claude AI, how is that licensed in GitHub? 00:30:40:24 - 00:30:41:18 Yes. 00:30:41:24 - 00:30:46:03 So all of that work is licensed using Creative Commons Zero. 00:30:46:05 - 00:30:48:13 So it's completely in the public domain. 00:30:48:13 - 00:30:54:16 Anyone can use the capabilities that exist there for any purpose,
00:30:54:16 - 00:30:57:12 you know, without the permission of the authors. 00:30:57:12 - 00:30:58:05 Awesome. 00:30:58:05 - 00:31:00:21 And I think with that, you can probably stop the recording, 00:31:00:21 - 00:31:03:01 Michaela, and we'll get into Q and A.