00:00:00:00 - 00:00:39:15 Thank you, everybody, for joining and coming to check out my solution for OSCAL. My name is Tevin Harris. As Michaela said, I'm a federal employee. I'm not able to share which agency I work for, but that's a lot of the reason behind why I actually created this application. So the application is called the OSCAL Pocket Guide. It was formerly called the NIST Pocket Guide, and so on the app stores it will be the NIST Pocket Guide at this moment, pending an update coming very shortly. So the OSCAL Pocket Guide is a mobile-first, OSCAL-based application that provides the different frameworks that are in the OSCAL catalog, and even includes one that has not yet been introduced into the OSCAL catalog.

00:00:39:21 - 00:01:11:05 So to start off with the problem that I found: there are a lot of PDFs and, you know, going through pages and searching documents. There are some web solutions like CSF.tools. But the issue that I identified was that it was really hard to keep track of the different documents, different standards, different versions of the documentation, whether you have the correct version of the document, and also searching them. I think 800-53 is 500 pages. So you can have a hard time searching through all the different references for AC-2, for example; there might be 100 instances of AC-2 in the 800-53 document.
00:01:11:07 - 00:02:01:12 So I found it to be a little cumbersome at times when I was trying to quickly find controls during an assessment or during my research and my independent study. So I was like, you know, I wonder if there's a better way to do this. And so I tried to create one, which is what this application does. There are 1,100 controls, including the enhancements, across PDFs and spreadsheets; baseline selection is done manually, and it can be not necessarily in line with what the NIST documentation outlines. SSPs are Word documents, with different versions spread across different people, which was hard to keep track of. And then going across frameworks is also not a necessarily straightforward process, although there are some documents that help with the cross-framework mappings. So what if OSCAL was the database powering a tool, right? This is kind of where we're going, where we have been trying to go in the last couple of years: automating the compliance process in NIST documentation, compliance documentation, with OSCAL.

00:02:01:14 - 00:02:18:07 So the solution: what is the OSCAL Pocket Guide? It's a cross-framework app built in Flutter. Flutter and Dart are the frameworks that I used to build it. I created it for iOS and Android. You can use it on macOS. I don't have a Windows or Linux version yet; there's probably going to be a web version coming soon as well.
00:02:18:07 - 00:02:42:17 All of the frameworks are based off of the OSCAL JSON documents. Another reason why I built this was because I wanted something that was offline-ready. With the app, if you don't have an internet connection, you can still use the app; you don't have to be connected to the internet to have it. It's not cloud-based or anything. Everything is downloaded directly to your device and you can use it offline. In the future, we're going to have authentication and sync; that's not currently available yet, that will be coming in a future update.

00:02:42:17 - 00:03:20:08 And so there are six frameworks in this one application. There's 800-53 Rev 5. We've got the NIST CSF, Cybersecurity Framework 2.0. We've got 800-171, for handling controlled unclassified information. We have 218, which is the secure software engineering framework; the 800-60, which is a custom one that I developed for the application and the SSP building, which we'll talk about a little bit later, because I didn't want to hard-code all 171 information types, and I thought that it would be useful to have that as an OSCAL framework instead of having to manually hard-code it into applications. And then last but not least, we have the AI RMF Playbook.

00:03:21:02 - 00:03:28:18 So we'll go a bit deeper into the modules, and we'll have a demo a little bit later. So for the 800-53 module, there's a family view, there's actually a baseline filter.
00:03:28:18 - 00:04:20:22 And there's actually a way to do a custom baseline, based off of, for example, if you have an AI-specific baseline or some other reason why you need to have a custom baseline that deviates from the four that NIST provides. The control list obviously can see all the controls as they are in the list. There's a control detail view that goes into the control requirements and also the assessment objectives. And then as a pro feature, you can do search and favorites. So if there's a control that you visit a lot, you can go back and there's a star button; you can tap the star, and that will allow you to add that to your favorites list, which you can come back to for the frequent ones you visit pretty easily. And then there's a parameter display, and so all of the parameters are automatically replaced with the NIST values. So the ODPs are replaced inline, so you don't see, like in OSCAL, a bracketed label that references a certain value like events and things like that.

00:04:21:08 - 00:04:34:21 So in the NIST CSF we've got the govern, identify, protect, detect, respond and recover modules and each of the categories that are within those modules. And then CSF also has control mappings, which have been incorporated into the application.
00:04:34:21 - 00:05:18:20 So when we see the demo, you'll see when you go into one of the categories, you can see which NIST control or which 171 control it maps to. You can tap that and it'll take you to that specific control. And 800-218, which is the secure software development framework, has got the different practices and the tasks; each practice has its tasks. And then also as a pro feature, there is a self-assessment module in there where you can assess yourself on how many of those practices and tasks and how you've implemented them. The AI RMF Playbook, similarly, has got the govern, map, measure, and manage functions, and then it goes into the detailed views of the information that each of those contains. So it's a quick reference for when you're trying to look something up really quickly. Oh, what's Govern 2.1? You can go and quickly find that.

00:05:18:20 - 00:05:41:07 And then 800-60 information types. It includes the FIPS 199 categorization, a description of the information type, and then that is what will help you later in a module to fill out the SSP in the SSP builder, which is a beta feature at the moment. I'm still working through that, making sure that everything works properly; that's where some feedback from the community will be appreciated as well. So right now the pro feature is a paid feature.
00:05:41:07 - 00:06:06:10 But if you'd like to be a tester, you can send me an email and I'll add you to the list so that you can have the pro features without having to pay the $10. But if you want to pay the $10 to support, that'd be awesome. Appreciate it. So, the framework mappings that, like I mentioned earlier, the CSF 2.0 maps back to 800-53 controls and 800-171 controls, right there inside of the module. So it's really easy to click into the module and see the actual control that's referenced in the mappings.

00:06:07:02 - 00:06:49:08 So the OSCAL architecture that we use for the app: like I stated, each of the catalogs or profiles, so we've got each one of those JSON files all packaged into the application, and that's how it's able to be utilized offline, because within the app, it's all packed together. And so I use OSCAL as a runtime pipeline. So the JSON is loaded from the app bundle, the catalogs are parsed using Dart models, the baseline profiles are associated with the control ID sets, and parameter placeholders are extracted automatically within the app so that you don't ever see anything like a label. In the raw OSCAL, there's a bracketed notation that says, okay, this is where you need to go and find this value. That's already taken care of automatically in the application. Assessment objectives are in there as well with the requirements.
00:06:49:08 - 00:07:47:23 So this is good for assessors to be able to say, hey, okay, I understand what the control requirements are, but what does 800-53A say about this control? That's in there as well. So the architecture is Flutter UI; the modules, the models are grouped in a specific way, if that makes sense. And then there are core services that I created to help with, like, the baseline loader; an assessment service that tracks the assessment posture or progress that you make when you do a self-assessment; there's an OSCAL service that handles the OSCAL loading and parsing. In the SSP builder, there's a way for you to set your own parameters; I believe it's also on the settings page, so you can set the parameters for your organization. And then there are also a lot of predefined parameters that I created that you can kind of search to customize to your own agency or your own work. And then the data models that are out there: we use an OSCAL catalog model; there's an OSCAL control model, parameter model, profile model. And these are just the models that I use in the application architecture, not necessarily mentioning anything about the OSCAL models.

00:07:48:07 - 00:08:05:06 And then there are going to be some additional cloud-based offerings that I want to offer in the future, such as a RAG chatbot. And so what I wanted to create was a couple of things. I want to have a chatbot that has a RAG database that can answer questions related to NIST catalog items.
00:08:05:06 - 00:08:24:07 And then also I wanted to have a contextual AI implementation where there's going to be a button on a specific control, and then it'll ingest the information about the control, the requirements, the objectives, and also the discussion dialog, and then use that along with the training data to answer questions about the control that you're currently looking at.

00:08:25:02 - 00:09:14:04 So let's talk a little bit about the SSP and the assessment portion. There's an SSP builder. It's in beta at the moment because, again, I have to continue to refine it and go through and test different scenarios to make sure that everything is proper. I don't want to, you know, overstate anything. And so there are actually two different ways to do the SSP builder. There's a classic view, and then there's an SSP wizard. I wanted to create a way that will make it easy to kind of get started. And so you kind of go through a ten-step process, which is entering the system information, selecting your information, but essentially the RMF. So prepare for your assessment. You document a system description, authorization type. You document the information types that are in there. You do a categorization based off of the information types and the impact level of the system. You determine the authorization boundary, diagrams, network data flow. You determine the roles: who the owner is, the AO...
00:09:14:04 - 00:10:15:12 the SO, the security officer, any custom roles, ISSE or whatever it is that a particular agency may have that may not necessarily be in NIST. Then you can also document your system components: hardware, software and services. Then you can select your controls baseline, then you can do implementation. And so there is an implementation, I'll call it an implementation engine, where I went through and I created three example implementation statements for each control. And then you can either take that and use that. Then it's also parameterized, and so each statement has, like, "the information system implements ... with this tool" or "with this role" or "this document." So I'm trying to make it a little bit easier for implementation statement writing, standardizing that format so that it takes a lot of guesswork and, like, English out of the process of documenting systems. And then we have an assessment. And so you can kind of go through and do a checklist of which controls have been implemented, which controls have not been implemented. And then also you're intended to be able to export your OSCAL SSP after that process has been completed.

00:10:16:18 - 00:10:25:05 A little bit more about that. Browse controls, you can select the objectives, read the guidance, and you can mark the status and add notes. So this can be an 800-53 assessment. So you look at the control.
00:10:25:05 - 00:10:44:19 You can look at your objectives, you review it, right? And then you say, okay, does my implementation fully cover this control or does it not? And then you add a note, so maybe come back and review that later, or what you need to implement and things of that nature. And then also this is where you can customize the placeholders for the implementation field. And I'll show you that briefly when I do the demo.

00:10:45:11 - 00:11:28:04 A little bit more about the AI. So I built a lot of the features in there, but I have been doing some things on the back end. I was training a model; I wanted to create a custom model for the application. And this was a little while ago, actually: I was using ChatGPT and I asked about a control and it gave me a hallucinated answer, and I was like, I can't have that really happening. And so I embarked on a journey to train a model specifically for this application. And unfortunately, that process is still going; it has some roadblocks and hitches there. But we are on track to complete that hopefully by, like, the next update, which will be a 2.0 update. But I will keep you guys posted on that if you're interested. So a lot of it's already built, but it just needs to be implemented, integrated with the LLM at a certain point.

00:11:29:06 - 00:11:31:13 So why does this matter?
00:11:31:13 - 00:12:34:00 Every user of the OSCAL Pocket Guide is consuming OSCAL, even though they don't know it. I think that's really interesting because it, in a way, speeds up adoption of OSCAL, although you may not necessarily know that you're using OSCAL. But I think that it's really cool that the standard that NIST created in OSCAL is able to be something that anybody can have in their pocket. OSCAL catalogs can serve as runtime foundations. You can use it to power your applications and your builds. Something that I've actually done is implement OSCAL and other things in our build. So a lot of times I use AI to build different tools to help with FedRAMP assessments. And at the end of that it exports into an OSCAL document. Right. And so it's really easy now to be able to implement OSCAL into your compliance workflows and your compliance tooling, custom tooling. If you want to use AI to build something, you can build it: hey, make sure that I can export an OSCAL-valid document as well. And so that really shows the power of OSCAL. And I really appreciate that, and appreciate the standard. I've been following it for about a year and a half now, and I really enjoy working with it because it's really easy. And also it makes the compliance documentation portion just a lot faster.
00:12:34:00 - 00:12:39:18 And then you can upload that into whatever GRC tool you have, whatever GRC tool you may have that has OSCAL integration.

00:12:41:00 - 00:13:35:04 A little bit more technical details. Like I mentioned earlier, the parameter resolution: you will see something like what we have here, insert param, AC-2; that's all handled automatically in the application. You don't ever see that in the app. That was something that was really important to me because that kind of breaks the flow of the application, of any application, to see this random tag that you don't really know what it means, and to have to go and look that up makes it a little bit more difficult to kind of get through the process. And then we've got the OSCAL models: Rev 5 is at 1.1.2, and I'm going to be updating these as well. 171 is 1.2.0, which is not the latest version, but the one before the latest. And then I don't necessarily see a need to update 218 to the newer spec; if there is a reason to do so, I will. So yeah, see, there are six frameworks, roughly about 1,200 controls. This is talking about the RAG: 6,000 documents. In the database, there are 6,000 documents based off of the complete catalog, and then we've got about 50,000 lines of code.

00:13:36:00 - 00:13:43:09 And so next is the road map. The Supabase authentication has been coded into it. It just hasn't been activated yet. So that's why we have that here.
00:13:43:09 - 00:14:13:02 You won't see it in the app. It's in the underlying code. But I haven't actually implemented the Supabase authentication yet. So that's why you'll see that there is more of a, probably a yellow circle instead of a green check. But that's why that's there. The SSP builder is complete in terms of implementation. I just have to make sure that there are no bugs in the OSCAL export and everything works properly. And then assessment tracking is also in that same state where it's built, and it works, I think, but I just have to test it to make sure that all the edge cases and things of that nature work.

00:14:13:02 - 00:14:48:02 You can kind of see some of the priorities: trying to get the NIST bot and the TIMA RAG. TIMA is a system that I built. It's a threat intelligence management agent. I actually have a couple of different names for this. It's kind of my agentic system that I have at home that I built; I've got a couple of different names for it based off of the persona that it takes on, so it's like a telegram integration management agent as well. I can talk to it through Telegram, similar to open cloud, but I created this way before open cloud was even thought of. It's also a threat intelligence management agent, which is the OSCAL app integration portion of it. And so I want to add a reverse mapping. So like for the 800-53 controls, 171 reverse mapping.
00:14:48:02 - 00:15:02:21 So it'll tell you what 800-171 control relates to a NIST control in the 800-53 module. And then it'll tell you also what CSF module it relates to as well. And then we want to get a web app out there at some point, then add in OSCAL component definitions.

00:15:03:01 - 00:15:49:19 And so, yeah, you can leave a review on the app. You can send me an email inside the app; there's a spot where you can email the developer, and you can send me an email if you find something wrong, if you find a bug. I'm happy to take those contributions and fix them in future updates. So far, it's really been just myself, and some of the people that I work with have actually tested the app and provided some feedback. And a lot of their feedback's been implemented. Like, for example, very early on, one of my coworkers said, hey, why don't you implement, I think it's appendix J in 800-53. I hadn't even seen an appendix J. I think it's appendix J or appendix C, I can't remember the name off the top of my head, but it's the one where it tells you what the implementation level of the control is. So you'll see, you know, system or organization. And I actually implemented that into the control in one of the earlier updates. When we go into the demo you'll see that it has the implementation level.

00:15:50:13 - 00:15:53:22 And so there are some questions, I see. 15 comments.
00:15:53:22 - 00:17:00:14 Hopefully none of those comments are about not being able to hear. So I will go ahead and stop my share, and then I'm going to restart with the iPhone simulator here. Can you guys all see that? So when the new update comes out, this is the new update that I'm going to show you. So the current version, I believe, only has the NIST 53 module, the SSP builder module and the AI RMF module, I believe. There's a little welcome guide. We go through this; it kind of outlines what's here, what's included. You've got the free version and you get the complete OSCAL catalog. You get control descriptions, assessment objectives. You can browse by family, baseline, implementation. And the only thing that comes paid in any of these modules will be the assessment functionality, search and favorites. Everything else is free. All of the documents are free to view. It's just the search portion, the notes and favorites and assessment functionality. There's an error here, and I actually ended up fixing this. It says that the AI RMF module is pro, but that's wrong. That should not have been there. It's an oversight on my end. AI RMF is free to view, and I'll make sure that the new update addresses that. So you can see just kind of where to find everything, a little bit of a tour, because initially I didn't have anything.
00:17:00:14 - 00:17:08:22 It just, like, straight drops you into the app. It didn't have any onboarding process. And so I wanted to change that, to make sure that people kind of knew what they were getting into.

00:17:10:00 - 00:18:03:06 And so now we're in the app, and so this is the free version of the app. So, just to make sure: Upgrade to Pro to unlock. Right. So this is the free version of the app. As you see, you can go into the AI RMF playbook. I'll push a small update to update that welcome page. So let's start from the top. So you can click into that 800-53 module. You can browse by family, control by baseline, implementation level; you see organization, system, and then your organization and system. That was a feature that was requested by one of my coworkers. Then you also have recent, so you can see the recent controls that you go to. So if there's just a control you go to a lot, you can keep it in your recents, so then you don't necessarily need to have favorites, but favorites is nice. You go by family and then let's just go to AC-2. And so also we have baseline badges here, as I call them, and so you can see which baseline any given control is a part of right from the control list or from the family list. And then you can also see the implementation level.
00:18:03:06 - 00:19:16:04 So the O is always going to be organization, the S is going to be system, and then O and S is, you know, both. So then we go to AC-2. You can see the control statement. You can see the related enhancements. If you click down here there's a list of all of the enhancements. You can see if you go down... also see the NIST guidance. Also the guidance is there as well for any particular control. You can also see related controls. So in the 800-53 document there's a little thing that says, you know, these are the controls that kind of relate to this one. And so I implemented that as well; I thought that would be useful. And then also we can see, you have to click, the assessment objectives. So you can see what the assessment objectives are for each control. So AC-2 objective A1: account types allowed for use within the system are defined and documented. So as an assessor you can see, you know, quickly, okay, what are the assessment objectives that I need to look at for these controls and assess. All right. And that's the 800-53 module in a nutshell. If you get the Pro version there's actually a separate view. There's a grid view; it kind of makes it slightly easier to scroll through the control families. Not much, but a little bit, a little bit of a quality-of-life upgrade.
00:19:16:04 - 00:19:18:05 And then you can search, and then also, sorry, 00:19:18:05 - 00:19:21:20 from the control list you can actually click the star there 00:19:21:20 - 00:19:25:03 and you can favorite that one, or you can do it here as well. 00:19:25:20 - 00:19:26:21 And then, you know, anytime 00:19:26:21 - 00:19:30:04 you click on a feature that's paid, it'll pop up with that little 00:19:30:18 - 00:19:32:19 "this is everything you get with the paid system." 00:19:33:12 - 00:19:34:15 So yeah, there's that. 00:19:35:23 - 00:19:38:22 I forgot that the SSP builder is a paid feature. 00:19:38:22 - 00:19:42:01 I don't know if I have time to go into that and update the code. 00:19:42:01 - 00:19:43:14 Here's CSF 2.0. 00:19:43:14 - 00:19:46:03 You've got the different functions. 00:19:46:03 - 00:19:48:14 And you can go into it 00:19:48:14 - 00:19:51:14 and you can see the categories. 00:19:51:20 - 00:19:54:05 And like I said, here is the mapping. 00:19:54:05 - 00:19:56:00 So you go to PM-11. 00:19:56:00 - 00:19:57:21 Oh, that's a Pro feature. 00:19:57:21 - 00:20:00:20 So the mapping is a Pro feature. I may update that 00:20:00:20 - 00:20:02:10 and make that not a Pro feature. 00:20:02:10 - 00:20:04:15 I don't think I want that to be a Pro feature. 00:20:04:15 - 00:20:07:09 But ideally what would happen is you would click here 00:20:07:09 - 00:20:10:15 and then it would pull up that specific control, or 00:20:10:15 - 00:20:14:11 you would click here and then it will pull up that specific 800-171 control. 00:20:14:21 - 00:20:17:10 I feel like I was a little overzealous on the Pro there. 00:20:17:10 - 00:20:20:17 I may consider making another offering, a feature, in a hotfix. 00:20:22:19 - 00:20:23:20 Let's see. 00:20:23:20 - 00:20:29:04 So on 800-171 you go through, similar to the 800-53: you get the control 00:20:29:04 - 00:20:32:13 requirements and then you've got the assessment objectives here. 00:20:33:07 - 00:20:34:17 Pretty straightforward stuff. 
00:20:36:05 - 00:20:40:22 And then 218, you've got the different functions, 00:20:41:05 - 00:20:43:12 very similar to the CSF. 00:20:44:02 - 00:20:47:00 You see the practice statement and implementation tasks. 00:20:47:00 - 00:20:48:21 There's some examples for implementation. 00:20:49:15 - 00:20:53:19 So there is no option to upload OSCAL into the app. 00:20:53:19 - 00:20:55:21 You can only export out of the app. 00:20:55:21 - 00:20:57:12 I will consider making it 00:20:57:12 - 00:21:01:07 so that you can upload OSCAL into the app, because that does make sense. 00:21:01:07 - 00:21:03:20 Like if you want to export from a system and work on it 00:21:03:20 - 00:21:05:11 on your mobile phone, that makes sense. 00:21:05:11 - 00:21:07:14 Or you've got to go out into the field and you've got something 00:21:07:14 - 00:21:09:17 started already, and you don't want to start from scratch. 00:21:09:17 - 00:21:10:08 That makes sense. 00:21:10:08 - 00:21:13:02 So I will probably actually add it into the next update. 00:21:13:02 - 00:21:16:24 The ability to upload an OSCAL file into the application makes a lot of sense. 00:21:17:06 - 00:21:18:13 Thank you for that suggestion. 00:21:19:16 - 00:21:22:05 And then the AI RMF framework, you know, pretty simple stuff. 00:21:22:05 - 00:21:25:05 Pretty much, pretty similar to the other modules. 00:21:25:18 - 00:21:27:22 You know, you've got the description, the About section, 00:21:27:22 - 00:21:32:02 and then the actions you can take to implement this particular subcategory, 00:21:32:11 - 00:21:34:12 and then documentation guidance 00:21:36:16 - 00:21:37:21 and references 00:21:38:12 - 00:21:40:08 from the actual catalog. 00:21:40:24 - 00:21:45:01 And if there are questions, I'll take questions. 00:21:45:01 - 00:21:48:01 And I will really quickly try to 00:21:48:07 - 00:21:51:13 update the app to show the Pro version so that I can show you guys 00:21:51:13 - 00:21:53:10 what the SSP builder looks like. 00:21:53:10 - 00:21:54:08 All right. 
00:21:54:08 - 00:21:57:08 So, well, firstly, we've got, 00:21:57:23 - 00:22:00:23 you know, control search; let's just say "authorization". 00:22:02:09 - 00:22:04:09 And you can, you know, the search works. 00:22:04:09 - 00:22:05:22 You can star it. 00:22:06:18 - 00:22:08:04 These are my favorite controls; I love them. 00:22:08:04 - 00:22:11:14 AC-2, AC-3 Enhancement 2, and AC-17. 00:22:11:14 - 00:22:14:06 These are my most favorite controls in the whole wide world. 00:22:14:06 - 00:22:17:03 And I always have access to them in my Favorites tab. 00:22:17:03 - 00:22:19:18 And then also... let's see... 00:22:22:02 - 00:22:26:06 "I love AC-2." 00:22:27:05 - 00:22:28:24 And you go out. 00:22:28:24 - 00:22:30:22 You go out, you go to your notes: 00:22:30:24 - 00:22:32:05 "I love AC-2, 00:22:32:05 - 00:22:34:09 because AC-2 is the best control. 00:22:36:20 - 00:22:39:13 It's the one that we use most often, because access control." 00:22:39:13 - 00:22:41:11 So that's one of the Pro features. 00:22:41:11 - 00:22:45:03 And then the biggest Pro feature, I think... oh, before we go there, 00:22:45:03 - 00:22:46:09 one more thing. 00:22:46:09 - 00:22:49:12 Click this button in the Secure Software Development Framework. 00:22:49:18 - 00:22:52:13 And we have, you can rate your maturity level. 00:22:52:13 - 00:22:54:04 So you can go in and prepare: okay, 00:22:54:04 - 00:22:57:08 we're implementing this, you know, at what level. 00:22:57:08 - 00:22:58:09 Alright, we're level four. 00:22:58:15 - 00:23:00:01 I should probably make the button clickable. 00:23:00:01 - 00:23:03:21 But this is kind of the whole thing with Pro, kind of giving people 00:23:03:21 - 00:23:05:23 advanced features, above and beyond the app. 00:23:05:23 - 00:23:08:06 This is a bug that I hadn't tested to this point. 00:23:08:06 - 00:23:09:11 And so now I know 00:23:09:11 - 00:23:12:11 I'll have to go in and figure out why these aren't working properly. 
00:23:12:13 - 00:23:16:01 I try to make sure everything is up to date and working, but, you know, I'm 00:23:16:01 - 00:23:17:24 developing this app on my own. I don't have a team. 00:23:17:24 - 00:23:21:14 It's just me, myself, and my GitHub Copilot occasionally. 00:23:21:17 - 00:23:24:17 But the SSP builder is a bit more robust. 00:23:24:24 - 00:23:29:19 So you can start here, we say, okay, we've got the OSCAL Pocket Guide. 00:23:31:13 - 00:23:33:21 And then it's just an app. 00:23:36:16 - 00:23:39:12 It's operational. 00:23:39:12 - 00:23:41:16 We've got a low baseline. 00:23:41:16 - 00:23:44:16 It's for DevDude. 00:23:45:17 - 00:23:47:19 And it's just an app. 00:23:50:08 - 00:23:51:01 Save the system. 00:23:51:01 - 00:23:53:17 And then you can either go in the classic view or the modern wizard. 00:23:53:17 - 00:23:54:20 The classic view, 00:23:54:20 - 00:23:56:06 you can kind of go in. 00:23:56:06 - 00:23:57:08 Alright, so we've got the system 00:23:57:08 - 00:24:00:08 details here, where you can go and you can edit the system details. 00:24:00:23 - 00:24:04:11 You have the control objective parameters, where you can go 00:24:04:11 - 00:24:07:11 and select, fill in, the objective parameters. 00:24:07:17 - 00:24:08:11 Like I mentioned, 00:24:08:11 - 00:24:11:05 I have a draft implementation statement and it's parameterized, 00:24:11:05 - 00:24:13:04 where you've got the policy document names, right. 00:24:13:04 - 00:24:17:20 And so you go enter the policy review frequency, and then when you start typing 00:24:17:20 - 00:24:22:06 there will be values that kind of come up that can help you. Alright, it's annually. 00:24:22:06 - 00:24:24:03 So we'll select "annually". 00:24:25:07 - 00:24:28:08 And then this button right here allows you to save that value 00:24:28:08 - 00:24:30:19 if it's not already saved. This was already in there, 00:24:30:19 - 00:24:32:01 so we don't need to do that. 
00:24:32:01 - 00:24:35:01 But let's just say "Annually, every 30 days." 00:24:35:05 - 00:24:36:11 Obviously that doesn't make sense. 00:24:36:11 - 00:24:39:12 But just because I know that won't be in there, 00:24:40:01 - 00:24:42:14 you can tap that and it's saved for reuse. 00:24:42:14 - 00:24:45:08 So then now, when I, or a computer... 00:24:45:08 - 00:24:47:11 So then I go "annually". 00:24:54:13 - 00:24:55:23 Annually. 00:24:55:23 - 00:24:57:21 There's a lot in here. 00:25:02:15 - 00:25:06:02 Alright, that's not working so well, but it's in there somewhere. 00:25:06:07 - 00:25:07:10 I assure you. 00:25:07:11 - 00:25:09:12 "Apply Value" doesn't have to be clicked? 00:25:09:17 - 00:25:10:20 Apply Value? 00:25:11:21 - 00:25:15:16 No. So it didn't have to be clicked when you first save it. 00:25:16:16 - 00:25:20:22 And I think it's probably misbehaving because this is a simulator on my computer. 00:25:20:22 - 00:25:22:14 And like, I can't even... 00:25:22:14 - 00:25:24:09 So it doesn't have to be clicked. 00:25:24:09 - 00:25:27:09 I think this will probably behave better if it were actually on my phone, 00:25:27:10 - 00:25:28:08 but it's a simulator. 00:25:30:14 - 00:25:32:01 Because usually it's supposed to, like, 00:25:32:01 - 00:25:34:12 filter the ones out based off of what you're typing in. 00:25:34:12 - 00:25:37:01 But I believe that this is just not working, 00:25:37:01 - 00:25:38:23 probably because it's in the simulator. 00:25:38:23 - 00:25:41:17 And those kind of act a little funny sometimes. 00:25:41:17 - 00:25:42:22 So we'll just kind of ignore that. 00:25:42:22 - 00:25:46:24 And so when you put a value in here, it replaces the value 00:25:46:24 - 00:25:48:17 in the implementation statement. So you might not have seen that. 00:25:48:17 - 00:25:51:10 So pay attention to this one, "policy document names", right. 00:25:51:10 - 00:25:52:15 And then we'll go 00:25:52:21 - 00:25:54:00 "accounts". 
00:25:55:14 - 00:25:56:24 Let's find something. 00:25:58:01 - 00:26:00:00 I wish it wasn't so hard to... 00:26:00:00 - 00:26:00:11 All right. 00:26:01:01 - 00:26:01:22 That one's fine. 00:26:01:22 - 00:26:04:02 "AC Procedure Revision Tracker Spreadsheet." 00:26:04:21 - 00:26:07:13 And then it updates right there in the implementation field. 00:26:07:13 - 00:26:09:02 And the policy members: 00:26:09:02 - 00:26:10:04 "Policy 00:26:11:10 - 00:26:11:24 Team." 00:26:13:04 - 00:26:16:13 And so it automatically updates that, and then you can save that. 00:26:16:15 - 00:26:21:08 And then you go back and you have a checklist where you can... 00:26:21:12 - 00:26:23:22 So this is kind of an assessment kind of checklist. 00:26:23:22 - 00:26:26:14 And I think this probably needs to be moved into either 00:26:26:14 - 00:26:29:05 probably another module or somewhere else in the app, 00:26:29:05 - 00:26:31:10 because you have to go through the SSP to get here. 00:26:31:10 - 00:26:34:20 And I don't think that that's... And that's why this is beta. 00:26:34:23 - 00:26:36:21 And this is where I look forward to additional feedback, 00:26:36:21 - 00:26:37:19 because, you know, now 00:26:37:19 - 00:26:39:08 that I'm thinking about it, it doesn't really make sense 00:26:39:08 - 00:26:41:20 for the checklist, in terms of assessment, to be here. 00:26:41:20 - 00:26:42:19 It makes sense for it to be 00:26:42:19 - 00:26:46:18 maybe in another module or maybe outside here, maybe in this screen. 00:26:47:06 - 00:26:49:06 So you have your control implementations; 00:26:49:13 - 00:26:52:23 you can go in, and then you've got the actual overall implementation statement. 00:26:52:24 - 00:26:55:24 So this will be the entire implementation statement for AC-1. 00:26:56:14 - 00:27:00:06 So it'll include everything that you put in AC-1, 00:27:00:15 - 00:27:02:14 everything that you put in the AC-1 parameters. 
00:27:02:14 - 00:27:05:14 So once you fill out all of these objective statements 00:27:05:17 - 00:27:07:20 (these go by the objectives, not the requirements), 00:27:07:20 - 00:27:12:14 and so once you fill all those out and then you go out into the control 00:27:12:14 - 00:27:15:24 implementation statements, this statement will be filled out completely. 00:27:15:24 - 00:27:17:18 And you can copy and paste it out of there. 00:27:17:18 - 00:27:21:24 Or it'll go into the SSP once you select the output button, 00:27:21:24 - 00:27:23:04 or the export button, right there. 00:27:23:04 - 00:27:27:09 And then there's your SSP; you can copy it, you can download it. 00:27:27:15 - 00:27:29:05 There's some error; I have to look into that. 00:27:29:05 - 00:27:32:05 I'm not sure if that's a similar issue or if it's just 00:27:32:09 - 00:27:35:22 an actual issue. Again, that's why this whole thing is beta, because 00:27:35:22 - 00:27:39:09 I have to go through and make sure that everything works out for the SSP, 00:27:39:16 - 00:27:41:16 to make sure that it all works, and you've got different formats. 00:27:41:16 - 00:27:43:11 You can do the XML, you can do the YAML. 00:27:43:11 - 00:27:44:09 And then also you can copy 00:27:44:09 - 00:27:47:09 and paste it and email it to yourself if you want to do it that way. 00:27:47:16 - 00:27:51:08 And so yeah, that's a quick overview of the implementation. 00:27:51:08 - 00:27:52:06 That was the classic view. 00:27:52:06 - 00:27:54:01 But the modern view is a little bit different. 00:27:54:01 - 00:27:57:02 So you kind of have, as outlined in the presentation, 00:27:57:02 - 00:28:00:09 these different steps that you can go through to classify 00:28:00:09 - 00:28:03:11 your system and fill out the different parts of the wizard. 00:28:04:06 - 00:28:07:11 So you would select your system, and then that's good. 00:28:07:12 - 00:28:08:22 Select information types. 
00:28:08:22 - 00:28:10:22 This is where the 800-60 00:28:12:06 - 00:28:13:15 OSCAL document comes in. 00:28:13:15 - 00:28:16:21 You've got general insurance, you've got, you know, fiscal, 00:28:17:03 - 00:28:19:12 and then you can do your classification. 00:28:19:12 - 00:28:21:23 Save it, in case your app crashes, 00:28:22:01 - 00:28:22:19 which it really shouldn't, 00:28:22:19 - 00:28:25:02 or your battery dies, or whatever the case is. 00:28:25:02 - 00:28:26:05 And then you continue. 00:28:26:05 - 00:28:27:07 You've got a moderate impact 00:28:27:07 - 00:28:30:13 based off of information types, and then continue to go through there; 00:28:30:13 - 00:28:32:14 instead of a diagram, you can describe it. 00:28:33:00 - 00:28:34:16 I'm not sure how assessors feel about that, but 00:28:35:13 - 00:28:37:00 I'll look at the questions. 00:28:37:00 - 00:28:38:04 There's five questions here.