00:00:00:13 - 00:00:02:22 Well. Welcome, everybody. I'm Brian Ruff. 00:00:02:22 - 00:00:05:07 Chris, you want to give yourself a quick introduction? 00:00:05:07 - 00:00:07:15 Uh. yeah. I’m a consultant here at Eazy Dynamics. 00:00:07:15 - 00:00:12:09 I work with, Brian's team, assisting with various, product development efforts, 00:00:12:17 - 00:00:16:11 including the OSCAL registry that will be, working on here. 00:00:16:16 - 00:00:18:21 All right. Thank you. Chris. Yes, and I'm Brian Ruff. 00:00:18:21 - 00:00:23:13 at one time, I was part of the NIST OSCAL team as a contractor. 00:00:23:15 - 00:00:26:09 was involved in creating the OSCAL standard. 00:00:26:09 - 00:00:30:05 Now I'm at Easy Dynamics, where I'm leading efforts to build tools that, 00:00:30:07 - 00:00:34:19 that will hopefully further the cyber security industry with automation, 00:00:34:22 - 00:00:38:19 and these capabilities that we’ll be talking about here 00:00:38:23 - 00:00:42:17 were briefed in January, as part of a, 00:00:42:20 - 00:00:46:09 Mid-Atlantic OSCAL community meetup that we facilitate. 00:00:46:15 - 00:00:51:13 that meetup meets every, 3 to 5 months, in the DC metro area. 00:00:51:16 - 00:00:54:20 you'll see some branding related to that on these slides today. 00:00:54:22 - 00:00:57:23 and the same email address we're going to give you for information about 00:00:57:23 - 00:01:01:04 the slides is also you can find out more about the meetup. 00:01:01:04 - 00:01:02:23 If you're interested in participating. 00:01:02:23 - 00:01:04:20 that is open to anybody who's, 00:01:04:20 - 00:01:08:09 developing tools for OSCAL, trying to implement OSCAL in any way. 00:01:08:19 - 00:01:10:19 So let's go ahead and jump right in. 00:01:10:19 - 00:01:12:20 We have a few things we want to tell you about today. 00:01:12:20 - 00:01:16:16 These are all, features or capabilities that, we've been working on 00:01:16:21 - 00:01:20:08 with the idea of making them available the OSCAL community. 
00:01:20:08 - 00:01:23:24 in hopes of ultimately having the OSCAL community collaborate with us 00:01:24:02 - 00:01:24:21 on these items. 00:01:24:21 - 00:01:29:02 And that's part of why we are, presenting them under the auspices of the meetup 00:01:29:09 - 00:01:32:23 rather than as, representatives of Easy Dynamics, 00:01:32:23 - 00:01:34:09 and where we view ourselves 00:01:34:09 - 00:01:37:16 as more of the facilitators of these community capabilities right now. 00:01:37:22 - 00:01:41:01 so we'll tell you a little bit about OSCAL.io, which is intended 00:01:41:01 - 00:01:44:01 to be a hub for OSCAL information. 00:01:44:03 - 00:01:45:09 We're going to introduce 00:01:45:09 - 00:01:48:11 an OSCAL content registry, which will be open to the public. 00:01:48:19 - 00:01:51:03 along with that, an OSCAL content viewer. 00:01:51:03 - 00:01:52:20 have a little demo of those. 00:01:52:20 - 00:01:57:05 we'll talk a little bit about a REST open API specification 00:01:57:09 - 00:02:00:06 that we think the community sorely needs. 00:02:00:06 - 00:02:03:15 There's been a few REST API discussions over the last few years. 00:02:03:15 - 00:02:05:19 So this is our contribution. 00:02:05:19 - 00:02:08:17 and then we'll, we'll get into just some additional information 00:02:08:17 - 00:02:12:04 and, resources that are available to, to you as community members. 00:02:13:06 - 00:02:18:10 OSCAL.io is intended to be a portal, kind of a one stop shop for people 00:02:18:10 - 00:02:22:12 trying to get started in the community or trying to find more resources. 00:02:22:18 - 00:02:25:10 we have deployed the site. It's out there. 00:02:25:10 - 00:02:27:12 It's still has a lot of growing to do. 00:02:27:12 - 00:02:30:07 even the, GitHub repo for managing the site 00:02:30:07 - 00:02:33:10 is a public repo so that others can contribute. 00:02:33:13 - 00:02:37:15 basically, it's a place where we can get events listed. 00:02:38:01 - 00:02:40:16 We can start to list any known tools. 
00:02:40:16 - 00:02:42:16 and communication channels. 00:02:42:16 - 00:02:44:19 some of these are implemented today. 00:02:44:19 - 00:02:47:12 Some of them are, are planned as you're seeing here. 00:02:47:12 - 00:02:48:22 this is also where you can, 00:02:48:22 - 00:02:52:16 where you will eventually link out to the content registry and the viewer. 00:02:53:06 - 00:02:54:21 this is OSCAL.io 00:02:54:21 - 00:02:57:07 actually, this is what the landing page looks like. 00:03:00:03 - 00:03:02:09 And it's again, it's a start. 00:03:02:09 - 00:03:07:14 we do have so far an events page and a tools page. 00:03:08:03 - 00:03:09:17 now, the idea is that you can, 00:03:09:17 - 00:03:13:10 send requests over email to have things listed on either of these pages. 00:03:13:13 - 00:03:16:06 but eventually there'll be a self-service portal. 00:03:16:06 - 00:03:18:10 So, as I mentioned, we have a tools list. 00:03:18:10 - 00:03:20:13 communication channels coming soon. 00:03:20:13 - 00:03:22:02 some of the things you're going to see on the next 00:03:22:02 - 00:03:25:22 few slides our proposed, criteria for inclusion. 00:03:26:04 - 00:03:29:20 and some of the proposed details we believe should be listed there. 00:03:30:01 - 00:03:33:01 These are things that we're looking for community input on. 00:03:33:03 - 00:03:34:05 We want the community 00:03:34:05 - 00:03:37:05 to shape this, to be something that makes sense for everybody. 00:03:37:08 - 00:03:39:12 So we have drafted criteria. 00:03:39:12 - 00:03:42:07 that's part of why we're keeping the process manual today 00:03:42:07 - 00:03:45:07 as we get clarification on the criteria. 00:03:45:07 - 00:03:48:10 Our intention is to create that self-service portal. 00:03:48:17 - 00:03:52:21 But for today, this ask OSCAL@OSCAL.io email address. 00:03:52:24 - 00:03:56:05 really everything you see in this presentation, that's the email address 00:03:56:07 - 00:03:59:07 to use to get more information or to get involved. 
00:03:59:13 - 00:04:02:08 So for tools, the criteria we're considering 00:04:02:08 - 00:04:06:07 is that to be listed as a tool you have to be able to support 00:04:06:07 - 00:04:10:21 any version of OSCAL starting from 1.0.0 or later. 00:04:11:01 - 00:04:13:12 you don't have to support the latest version. 00:04:13:12 - 00:04:15:24 We recognize that there will be drift. 00:04:15:24 - 00:04:18:24 but you have to support a valid version of OSCAL 00:04:18:24 - 00:04:23:15 in some way, tools could be a library, it could be open source. 00:04:23:21 - 00:04:27:17 it could be, a for profit closed source, license tool. 00:04:27:17 - 00:04:32:21 There's no limit on the type of tool, only that it supports OSCAL 00:04:33:04 - 00:04:35:22 Some of the details we believe should be listed. 00:04:35:22 - 00:04:37:15 name, a description. 00:04:37:15 - 00:04:39:19 which OSCAL versions you support? 00:04:39:19 - 00:04:42:23 you know, some of the details about how how you would be contacted 00:04:42:23 - 00:04:45:11 as the tool owner, what type of license you're offering. 00:04:45:11 - 00:04:47:19 this is an area where we want your feedback. 00:04:47:19 - 00:04:49:07 Is this the right criteria? 00:04:49:07 - 00:04:50:22 for tool entries? 00:04:50:22 - 00:04:51:20 So anything different? 00:04:51:20 - 00:04:53:06 Anybody thinks they 00:04:53:06 - 00:04:57:02 we should see their, It's very similar for communication channel. 00:04:57:02 - 00:05:00:02 So the idea here is that we would list things like 00:05:00:02 - 00:05:03:10 the NIST mailing lists and the Gitter community. 00:05:03:13 - 00:05:07:04 for OSCAL, the the LinkedIn OSCAL community, 00:05:07:11 - 00:05:09:19 even the Mid-Atlantic OSCAL meetup. 00:05:09:19 - 00:05:13:09 all of those things would be listed here if there's any other communication 00:05:13:09 - 00:05:18:06 channels, that anybody is hosting for any reason related to OSCAL 00:05:18:06 - 00:05:22:01 we want to be able to list it at OSCAL.io so people can find it. 
00:05:22:12 - 00:05:24:10 the only thing we really think is important 00:05:24:10 - 00:05:27:10 is that the communications channel must be related to OSCAL 00:05:27:10 - 00:05:31:04 in some way, whether that's development, implementation, adoption 00:05:31:19 - 00:05:35:11 doesn't matter how it's related to Scout, but that's the only requirement. 00:05:35:14 - 00:05:37:06 now, we asked about whether this should 00:05:37:06 - 00:05:40:19 be, only communication channels open to the public should be listed 00:05:41:02 - 00:05:43:15 or whether closed channel should also be listed. 00:05:43:15 - 00:05:44:15 I think we're hearing that 00:05:44:15 - 00:05:47:15 we should also allow the ability to list closed channels. 00:05:47:21 - 00:05:51:04 For example, DoD may offer a communications channel 00:05:51:04 - 00:05:54:09 that requires you to have like a governmental email address. 00:05:54:13 - 00:05:56:23 We would still want that listed, even though 00:05:56:23 - 00:06:00:06 people outside of that community would not be able to join. 00:06:00:14 - 00:06:05:05 But at least the channel detail should indicate the, join or linking 00:06:05:05 - 00:06:10:02 instructions, So again, here are we missing other criteria we should consider? 00:06:10:08 - 00:06:14:20 Is this the right list of details for providing a communication channel? 00:06:15:00 - 00:06:17:04 On the OSCAL.io website. 00:06:17:04 - 00:06:21:04 if you have input, send an email to OSCAL@OSCAL.io. 00:06:21:17 - 00:06:24:13 I'm going to turn it over at this point to, Chris Roblee. 00:06:24:13 - 00:06:28:03 this is actually one of the highlights of the presentation today 00:06:28:10 - 00:06:30:15 is the OSCAL registry. 00:06:30:15 - 00:06:33:20 And, Chris is, dedicated a lot of blood, sweat and tears 00:06:33:22 - 00:06:36:22 leading this effort to try to get us to this point. 00:06:36:22 - 00:06:39:01 This started out as an intern project. 00:06:39:01 - 00:06:40:01 That grew. 
00:06:40:01 - 00:06:42:18 it's been an interesting journey to get here. 00:06:42:18 - 00:06:43:18 Chris has lived through it all. 00:06:43:18 - 00:06:47:18 So, without further ado, Chris, I'm going to turn it over to you, Yeah. 00:06:47:18 - 00:06:49:08 So, good afternoon. 00:06:49:08 - 00:06:51:16 Good evening. Good morning everybody. 00:06:51:16 - 00:06:54:07 I look forward to showing you with the latest and greatest with the registry. 00:06:54:07 - 00:06:56:22 So just as a reminder, this is still all 00:06:56:22 - 00:07:00:07 Beta software. we're not in production yet. 00:07:00:10 - 00:07:05:02 when we do have it completed, it will be at this URL we've shared. 00:07:05:07 - 00:07:10:05 the purpose of the OSCAL registry is to allow anyone to easily, 00:07:10:05 - 00:07:15:03 and anonymously share, OSCAL content and have a centralized repository, 00:07:15:03 - 00:07:19:04 take a lot of inspiration from, Docker Hub and other repositories, 00:07:19:05 - 00:07:20:01 of the like 00:07:20:01 - 00:07:23:14 there's actually two ways of interfacing with the registry, both, through a web 00:07:23:14 - 00:07:28:06 GUI, which will be downloading as well as through, the basic REST API, 00:07:28:11 - 00:07:32:07 that we, have some initial read only functionality built out to date. 00:07:32:19 - 00:07:36:23 the purpose is that you would be able to, integrate your existing 00:07:36:23 - 00:07:43:01 tooling workflows, GRC capabilities, with a centralized repository, 00:07:43:03 - 00:07:47:22 so that you don't need to manually send copy, convert documents back and forth. 00:07:48:18 - 00:07:51:03 double click on what the registry does right now. 00:07:51:03 - 00:07:54:18 It's still fairly basic, but want we focused on doing what it does 00:07:54:18 - 00:07:57:23 reliably and growing and iterating from there. 
00:07:58:08 - 00:08:03:15 So today you can easily view, upload, manage to share OSCAL documents, 00:08:03:19 - 00:08:08:16 with your teams, and external parties, you can have individual user profiles, 00:08:08:19 - 00:08:12:12 it links to standard SSO identity providers, 00:08:12:15 - 00:08:16:07 everything here is stored, cloud native, encrypted, in the cloud. 00:08:16:13 - 00:08:20:04 as of today, we are supporting OSCAL releases 00:08:20:04 - 00:08:23:04 up to version 1.1.2. 00:08:23:08 - 00:08:28:00 so far we're only, supporting the catalog profiles and component definition models. 00:08:28:06 - 00:08:32:01 on the roadmap we’ll be extending that will be the additional for 00:08:32:04 - 00:08:33:18 models of OSCAL. 00:08:33:18 - 00:08:36:19 so one thing that people found was we had a lot of feedback is they 00:08:36:19 - 00:08:41:24 want a simple way to upload and convert and validate OSCAL documents. 00:08:41:24 - 00:08:47:00 So we have converters in the back end that will allow you to import, 00:08:47:10 - 00:08:51:02 in any of those three formats and export to any of those three formats. 00:08:51:02 - 00:08:55:15 So we're finding it useful as a validation and conversion tool. 00:08:55:18 - 00:09:00:08 we built in basic search, filtering and I talked about validation. 00:09:00:22 - 00:09:06:09 but so far we've been seeding the registry with, NIST 800-53, 63 00:09:06:17 - 00:09:09:09 Federal PKI and ISM baselines. 00:09:09:09 - 00:09:11:06 we encourage, once it's live. 00:09:11:06 - 00:09:16:07 the community to start uploading and using, registry to host our content. 00:09:16:16 - 00:09:20:13 I'm going to go and jump into a really brief demo here. 00:09:20:23 - 00:09:25:17 All right, so really, simply, when we land here, into the registry 00:09:25:20 - 00:09:28:24 or the web app, this is an unauthenticated user. 00:09:28:24 - 00:09:31:00 So this is publicly facing. 
00:09:31:06 - 00:09:34:23 You can easily browse, search, filter, 00:09:35:01 - 00:09:38:05 existing, packages that have been uploaded by the community. 00:09:38:08 - 00:09:39:07 as I mentioned earlier, 00:09:39:07 - 00:09:42:24 we support catalog component definition and profile models. 00:09:43:05 - 00:09:46:05 easy to filter on those, depending on what you're looking to do. 00:09:46:10 - 00:09:49:12 I'm going to go ahead and search for a, 00:09:50:23 - 00:09:53:23 let's see. 00:09:56:02 - 00:09:56:16 The search for 00:09:56:16 - 00:10:00:02 FedRAMP Rev for, low impact SAS baseline here. 00:10:00:10 - 00:10:04:14 immediately we have, metadata here that's, about high level information 00:10:04:14 - 00:10:08:08 about the OSCAL content itself and who uploaded it when, 00:10:08:10 - 00:10:12:24 can easily view the document in three different formats. 00:10:13:05 - 00:10:16:14 we discussed earlier also, download here. 00:10:16:14 - 00:10:20:24 So this will just download it as a file in that, that format to your drive. 00:10:20:24 - 00:10:25:00 well, one cool thing is that it does integrate directly with the OSCAL viewer. 00:10:25:00 - 00:10:27:16 So we can go in and, 00:10:27:16 - 00:10:30:05 we will share the I shared the link to our viewer, 00:10:30:05 - 00:10:32:22 which anybody can use today, but we can go 00:10:32:22 - 00:10:37:23 and drill down on any of the objects, inside of that OSCAL model. 00:10:38:08 - 00:10:41:17 So ultimately we, we're thinking of integrating a lot 00:10:41:17 - 00:10:45:07 of this into the same application, but for now, it's still a different 00:10:45:15 - 00:10:48:23 product, a different app. A couple of notes. 00:10:49:04 - 00:10:52:21 first of all, see, the Ray is on, when Ray was here 00:10:52:21 - 00:10:56:11 at Easy Dynamics full time, the the product of a lot of his hard work. 
00:10:56:11 - 00:10:59:11 so I just wanted to call that out as Chris mentioned, the viewer, 00:10:59:13 - 00:11:02:17 is available standalone today as well as, integrated. 00:11:02:20 - 00:11:05:00 Just be a link from the registry. 00:11:05:00 - 00:11:06:03 the important thing to know 00:11:06:03 - 00:11:10:10 is that the viewer works entirely inside your own browser. 00:11:10:15 - 00:11:15:08 So if you were to go to viewer.oscal.io, whatever content you load 00:11:15:08 - 00:11:19:00 upload into the viewer never leaves your browser, never leaves your computer. 00:11:19:05 - 00:11:23:04 it was designed that way, with some semblance of security in mind. 00:11:23:07 - 00:11:24:03 yeah. That's it. 00:11:24:03 - 00:11:26:11 Thank you. I'll turn it back to Chris. cool. 00:11:26:11 - 00:11:30:06 So this is, the unauthenticated workflow next, 00:11:30:06 - 00:11:32:02 I'm going to sign in, on the back end. 00:11:32:02 - 00:11:33:23 Right now, we're linking into, 00:11:35:02 - 00:11:35:14 let me go 00:11:35:14 - 00:11:38:14 ahead and just use my Gmail account. 00:11:39:13 - 00:11:43:12 so we'll link it with single sign on providers through, Gmail. 00:11:43:12 - 00:11:46:05 And I right now. It's just Google. 00:11:46:05 - 00:11:50:12 It's it's, that's the only federated account we support today. 00:11:50:12 - 00:11:52:16 We're open to federating other ones. 00:11:52:16 - 00:11:54:01 let's go ahead. 00:11:54:01 - 00:12:00:13 And, I mentioned earlier, we can, structure and, save information 00:12:00:13 - 00:12:05:07 about this and I've already bookmarked and liked, so I can go back to my account. 00:12:05:07 - 00:12:08:04 I can see which ones I've bookmarked here. 00:12:08:04 - 00:12:12:18 So that was a highly requested feature So I'm going to go ahead and do something. 00:12:13:03 - 00:12:15:16 upload a document. 00:12:15:16 - 00:12:18:16 go into my account here, upload. 
00:12:19:12 - 00:12:21:20 I'm going to go ahead and upload the 00:12:21:20 - 00:12:24:20 Rev4 moderate baseline profile. 00:12:25:19 - 00:12:26:03 In fact, 00:12:26:03 - 00:12:29:04 I'm going to upload a few other documents to the same time just to show. 00:12:32:15 - 00:12:34:15 I just selected 8 different document. 00:12:34:15 - 00:12:36:06 So these are all very large documents. 00:12:36:06 - 00:12:40:16 They're at least one megabyte size, some up to 10.5 to 10MB or so. 00:12:41:01 - 00:12:42:06 Just kind of limit. 00:12:42:06 - 00:12:44:10 So what's happened in the back end? It's not just uploading. 00:12:44:10 - 00:12:47:04 It's also doing the full validation. 00:12:47:04 - 00:12:50:07 So making sure a it's a valid Json or Yaml file. 00:12:50:22 - 00:12:53:22 and then actually validating it against the schema itself, 00:12:54:01 - 00:12:56:03 to guarantee that it does meet. 00:12:56:03 - 00:13:00:00 So in this case, I think there is an error with this particular file. 00:13:00:04 - 00:13:03:22 I intentionally had one in there that was I modified anyway. 00:13:03:22 - 00:13:06:22 So the other documents that successfully uploaded. 00:13:07:24 - 00:13:08:18 Yeah, they give it a minute. 00:13:08:18 - 00:13:13:11 I said I double check on the back end, but I think I overwhelmed it with the files 00:13:14:01 - 00:13:14:19 but the idea here is 00:13:14:19 - 00:13:18:20 you can upload any documents, large quantities at once, and then, 00:13:18:23 - 00:13:24:02 go and bookmark them, document, manage, delete them if you like, and share them. 00:13:24:02 - 00:13:28:02 So, definitely encourage everybody to once it's out to start 00:13:28:02 - 00:13:32:03 kicking the tires, start uploading content know, sharing public documents 00:13:32:08 - 00:13:36:21 and using this as a landing ground for sharing OSCAL content. 00:13:36:21 - 00:13:40:10 so, so here's all the documents that I uploaded here. 00:13:40:10 - 00:13:42:10 So this is associated with my profile. 
00:13:43:09 - 00:13:45:21 let's just click on one of these files. 00:13:45:21 - 00:13:50:22 I uploaded here download view the entire content in here. 00:13:50:22 - 00:13:53:22 Or of course, put back over to the viewer. 00:13:54:05 - 00:13:58:12 I go and delete this if I no longer want it shared in the portal. 00:13:58:12 - 00:13:59:16 So that's basically it. 00:13:59:16 - 00:14:01:13 Very basic functionality right now. 00:14:01:13 - 00:14:02:17 It does its job. 00:14:02:17 - 00:14:05:22 we're working on scaling, so we can handle more and more load. 00:14:05:22 - 00:14:08:01 We're also looking to add 00:14:08:01 - 00:14:11:12 basic, useful features that people might find, helpful to their jobs. 00:14:12:00 - 00:14:16:01 So encourage everybody to, when it gets up to start storing their, 00:14:16:05 - 00:14:17:07 their documents here. 00:14:17:07 - 00:14:19:21 please share feedback and requests. 00:14:19:21 - 00:14:21:12 Are there any questions? 00:14:21:12 - 00:14:25:00 there's there's one in the chat that I'm trying to respond to. 00:14:25:00 - 00:14:25:22 the question is about 00:14:25:22 - 00:14:29:20 what formats can be uploaded and, what does it do with the formats? 00:14:29:21 - 00:14:33:24 and all three formats can be uploaded XML, Json or Yaml. 00:14:34:02 - 00:14:37:22 Upon receiving the upload, it will convert to the other two, 00:14:37:24 - 00:14:39:15 but that can take a few minutes. 00:14:39:15 - 00:14:43:24 So if you immediately upload and try to immediately go over to the, 00:14:44:03 - 00:14:47:20 listing, you won't get all three formats right away, but within a few minutes 00:14:47:20 - 00:14:50:19 they'll become available. It's an asynchronous operation. 00:14:50:19 - 00:14:54:00 and this is small file seem to be available almost instantly. 00:14:54:00 - 00:14:57:09 But, we do a lot of testing with 800-53 Rev 5. 00:14:57:09 - 00:15:00:20 It's the biggest file we've encountered, So that's that's what we're seeing there. 
00:15:00:23 - 00:15:06:15 also want to point out that we intend to expand it to handle the other OSCAL formats, 00:15:06:19 - 00:15:09:23 we know you can't put a live SSP up there, but maybe you might want 00:15:09:23 - 00:15:13:07 to put an SSP template or sample SSP content. 00:15:13:07 - 00:15:15:24 For example, we focused on the three formats 00:15:15:24 - 00:15:19:13 that are most likely to be made public in the initial, rollout. 00:15:19:18 - 00:15:20:24 Chris, I see that is, 00:15:20:24 - 00:15:24:20 Michaela is asking, what it's using to, process the conversion. 00:15:25:00 - 00:15:25:07 yeah. 00:15:25:07 - 00:15:28:09 So right now it's using the Jackson, 00:15:28:09 - 00:15:31:19 Node.js library, on the backend. 00:15:31:19 - 00:15:33:06 So this is a node server. 00:15:33:06 - 00:15:36:20 it's not the most performant, but it was chosen 00:15:36:20 - 00:15:40:14 because it had the most consistent, format conversion rules. 00:15:40:20 - 00:15:43:20 so we are exploring alternate of modules. 00:15:44:10 - 00:15:47:11 but for now, yeah, it's, it's less performance than we'd like it to be. 00:15:47:15 - 00:15:50:15 I think we're also using the, Saxon. 00:15:51:05 - 00:15:51:19 Exactly. 00:15:51:19 - 00:15:52:03 Yeah. 00:15:52:03 - 00:15:56:19 Yeah, that's integrated with, TypeScript on the back end. 00:15:56:19 - 00:16:00:00 and so that's, it's using the NIST OSCAL converter 00:16:00:00 - 00:16:04:06 XSLT files in Saxon to be processed within. 00:16:04:06 - 00:16:11:04 for those of you who aren't aware, NIST published converters require XSLT 3.0 00:16:11:04 - 00:16:12:01 processing. 00:16:12:01 - 00:16:12:19 there's a lot of 00:16:12:19 - 00:16:16:10 choices for processing XSLT at 1.0 which is typically all 00:16:16:10 - 00:16:17:18 you need on websites. 00:16:17:18 - 00:16:20:24 But when you get into 3.0, stacks is one of the few that offers 00:16:20:24 - 00:16:24:07 a free library, for doing that level of processing. 
00:16:24:16 - 00:16:29:24 I see email asks about the, the intended release date for the registry. 00:16:30:03 - 00:16:33:03 we would like to get it out during Q2 of this year. 00:16:33:07 - 00:16:36:04 we think our features are where we want them to be at this point. 00:16:36:04 - 00:16:39:02 We have a couple of, DevOps things to work out. 00:16:39:02 - 00:16:41:09 We just want to make sure it's working smoothly 00:16:41:09 - 00:16:43:06 before we make it available to the public. 00:16:43:06 - 00:16:45:16 Tyler is asking, how can the community help? 00:16:45:16 - 00:16:49:01 I think the best answer there is, certainly feedback. 00:16:49:04 - 00:16:53:01 again, OSCAL@OSCAL.io right now the registry repo is 00:16:53:04 - 00:16:55:05 We haven't made that publicly available yet. 00:16:55:05 - 00:16:58:21 We've been on the fence about whether we were going to make the registry, 00:16:58:24 - 00:17:00:04 publicly available. 00:17:00:04 - 00:17:03:11 The capability will remain publicly available. 00:17:03:13 - 00:17:05:03 there will always be an option 00:17:05:03 - 00:17:08:11 to create an account for free and upload content for free. 00:17:08:11 - 00:17:09:15 the only thing 00:17:09:15 - 00:17:14:19 that we may eventually get into, similar to, like the Docker Hub model is, 00:17:14:22 - 00:17:18:07 we may do some verified, accounts at some point in the future. 00:17:18:07 - 00:17:21:00 so there might be a nominal fee with verified accounts, 00:17:21:00 - 00:17:24:19 just to cover processing costs to get established that, yes, 00:17:24:19 - 00:17:29:02 you're really getting this file from NIST or from the FedRAMP 00:17:29:02 - 00:17:32:20 PMO or, know, whoever's publishing it, not from somebody masquerading. 00:17:33:10 - 00:17:35:16 Can one filter by license? 00:17:35:16 - 00:17:37:08 That- that's a good question. 00:17:37:08 - 00:17:39:24 so the short answer is no, you cannot wait. 
00:17:39:24 - 00:17:44:13 So that's we need to expand to be able to, capture the usage rights. 00:17:44:15 - 00:17:47:18 and then I guess we would offer the ability to, to filter on that. 00:17:47:23 - 00:17:51:08 the idea is if you're publishing it in the registry, the actual content 00:17:51:08 - 00:17:55:04 in the registry that you're, you're making it available to the public for use. 00:17:55:10 - 00:17:55:20 you're right. 00:17:55:20 - 00:17:56:21 I think we have to, 00:17:56:21 - 00:18:00:21 probably a legal, we need to address in terms of making that clear. 00:18:00:21 - 00:18:03:15 in addition to that, we intend to expand the functionality 00:18:03:15 - 00:18:06:20 so that people can list the fact that there's content 00:18:06:20 - 00:18:10:09 without providing the content itself and then point to a paywall. 00:18:10:09 - 00:18:16:06 And so the use case we keep in mind here is, the like if ISO wants to list 27,001 00:18:16:06 - 00:18:19:08 in the registry where they want to charge you for it, so they could list 00:18:19:08 - 00:18:23:06 the fact that they have, OSCAL content to the registry once they have it. 00:18:23:08 - 00:18:26:09 and then point to their paywall where would have any 00:18:26:09 - 00:18:29:18 additional usage terms and fees for getting to that content. 00:18:29:21 - 00:18:31:20 we don't support that today. 00:18:31:20 - 00:18:33:24 That's one of the next features on our roadmap that. 00:18:33:24 - 00:18:36:10 Yeah, I think you're right. We do need to make this clear. 00:18:36:10 - 00:18:39:10 for users of the registry the first for people who are publishing 00:18:39:10 - 00:18:42:16 to the registry they are making this content available to the public. 00:18:42:18 - 00:18:46:10 and then for users of the registry that they can use the content freely 00:18:46:13 - 00:18:49:18 or if there's restrictions, they need to understand what those restrictions are. 00:18:49:20 - 00:18:51:12 yeah. One more please. 
00:18:51:12 - 00:18:55:10 Will there be, links to the content for source of the content. 00:18:55:10 - 00:19:00:02 So like, go back to the GitHub source and make pull requests there if I want to 00:19:00:05 - 00:19:05:10 that'll go along with the, the feature to just to content rather than upload it. 00:19:05:14 - 00:19:07:14 it would be the same feature at that point. 00:19:07:14 - 00:19:11:17 So in other words, you would always point back to the source of the content 00:19:11:17 - 00:19:14:00 in your registry listing when you uploaded it 00:19:14:00 - 00:19:15:07 and then then be your choice 00:19:15:07 - 00:19:18:21 as to also upload a copy locally for public use or not. 00:19:19:13 - 00:19:22:05 And continuing on here. 00:19:24:10 - 00:19:26:18 okay, so, yeah, this is just some of the feedback 00:19:26:18 - 00:19:29:18 we've already received and it's factoring into our roadmap. 00:19:30:07 - 00:19:30:17 Okay. 00:19:30:17 - 00:19:34:17 I want to briefly touch on another capability that we're offering on the. 00:19:34:20 - 00:19:36:03 Is a specification. 00:19:36:03 - 00:19:40:16 the analogy my CTO likes to use is, in the identity management world, 00:19:40:21 - 00:19:44:24 you know, there's Saml and Saml is both a data format and a data exchange 00:19:44:24 - 00:19:49:18 protocol here in OSCAL OSCAL is the format specification, 00:19:49:18 - 00:19:53:10 but we don't have a corresponding data exchange specification. 00:19:53:15 - 00:19:55:23 we believe that that's needed, and we believe that there should be 00:19:55:23 - 00:19:59:09 an open source data exchange specification for OSCAL 00:19:59:11 - 00:19:59:21 there's, 00:19:59:21 - 00:20:04:03 you know, the FedRAMP PMO has talked about the need for one for for their purposes. 00:20:04:06 - 00:20:09:22 there is an issue out in the next OSCAL GitHub repo about the need for a rest API. 00:20:10:00 - 00:20:14:14 on one, know, we've designed it with real world use cases in mind. 
00:20:14:19 - 00:20:18:22 and this is really intended to be for exchange of OSCAL data. 00:20:19:00 - 00:20:22:11 or transfers or, you know, transferring between one tool and another, 00:20:22:16 - 00:20:26:23 so we're releasing this draft specification as open source. 00:20:27:05 - 00:20:29:16 The idea is that the final will be open source. 00:20:29:16 - 00:20:31:23 so we are facilitating its creation. 00:20:31:23 - 00:20:34:07 But we won't own its creation. 00:20:34:07 - 00:20:36:02 The the community will own the definition. 00:20:36:02 - 00:20:39:02 We want to be able to have the rest API handle both the OSCAL 00:20:39:05 - 00:20:41:00 formats themselves, plus attachments. 00:20:41:00 - 00:20:44:15 We want it to be able to handle any version of OSCAL we wanted to use 00:20:44:23 - 00:20:47:23 traditional REST principles, 00:20:48:00 - 00:20:51:23 for which, there's no definitive standard out there. 00:20:51:23 - 00:20:52:16 There's more like 00:20:52:16 - 00:20:57:04 the industry best practices for rest, that is a bit of a gray area 00:20:57:04 - 00:21:00:12 when we talk about REST principles that may generate some discussion. 00:21:00:24 - 00:21:05:24 this is really out, laying the, methods and the endpoints that we're looking at. 00:21:06:11 - 00:21:09:11 everything would be based on the OSCAL syntax. 00:21:09:11 - 00:21:12:17 So when we talk about model name, it's the exact model 00:21:12:17 - 00:21:16:11 name as it appears at the root of each of the OSCAL models. 00:21:16:15 - 00:21:19:15 all lowercase catalog profile, what have you. 00:21:19:15 - 00:21:23:02 you know, you can post the new catalog via the arrest. 00:21:23:08 - 00:21:25:19 get catalog would give you a list 00:21:25:19 - 00:21:29:12 of all the catalogs available in the, repository. 00:21:29:15 - 00:21:34:17 you would use get catalogs, identified to deal with a specific catalog. 
00:21:34:17 - 00:21:38:23 So you could use that to get an entire catalog, update an existing catalog, 00:21:39:12 - 00:21:40:14 or to remove one. 00:21:40:14 - 00:21:43:20 there's this couple of, endpoints for handling snapshots, 00:21:44:06 - 00:21:47:03 couple of, endpoints for handling attachments. 00:21:47:03 - 00:21:50:20 the idea is that, you might say get system security plan. 00:21:50:20 - 00:21:54:21 You'd get a list of all the SSP in the system with their identifiers. 00:21:55:00 - 00:21:57:14 you know, you would find the SSP that you want, 00:21:57:14 - 00:21:59:22 you would issue another get, system security plan 00:21:59:22 - 00:22:02:24 with the identifier of the SSP that you want to retrieve. 00:22:03:17 - 00:22:04:24 Now you've retrieved it. 00:22:05:24 - 00:22:06:09 then you 00:22:06:09 - 00:22:09:09 maybe want to provide an attachment to that SSP. 00:22:09:12 - 00:22:13:19 now, you want to, you want to upload a new SSP into the system. 00:22:13:19 - 00:22:17:04 So this is like I'm delivering an SSP to another organization. 00:22:17:13 - 00:22:22:00 So I would use “POST /system-security-plan” to deliver my SSP. 00:22:22:11 - 00:22:26:13 And now we get an, implementation assigned SSP identifier. 00:22:26:17 - 00:22:30:15 I could then use that identifier to reference anything I want to do 00:22:30:15 - 00:22:31:15 with that SSP. 00:22:31:15 - 00:22:35:05 in this case, I'm using that identifier to post that attachment. 00:22:35:07 - 00:22:37:12 So I use another post command. 00:22:37:12 - 00:22:41:09 use the SSP identifiers and say I'm sending an attachment to this SSP. 00:22:41:23 - 00:22:45:06 I would then get back the UUID for that attachment. 00:22:45:21 - 00:22:49:23 The implementation would receive that attachment and it would update the SSP. 00:22:50:04 - 00:22:53:04 back matter content for the fact that there's now an attachment. 
00:22:53:10 - 00:22:57:02 So we update the rlink. You could then use something like 00:22:57:12 - 00:23:01:11 PUT with the SSP identifier and the attachment identifier 00:23:01:11 - 00:23:05:16 to update additional information about the attachment in the SSP. 00:23:05:20 - 00:23:11:06 This is an example of how you might handle attachments within a REST specification. 00:23:11:10 - 00:23:15:07 These URLs are designed so that they can go inside 00:23:15:12 - 00:23:18:17 the href fields within the OSCAL content, 00:23:18:23 - 00:23:21:03 and it would work seamlessly. 00:23:21:03 - 00:23:24:08 So for example, if I have a profile, 00:23:24:10 - 00:23:29:03 the import href statement could include the GET endpoint for catalog, 00:23:29:12 - 00:23:33:04 and it would just work across the API to pull that catalog in without 00:23:33:07 - 00:23:36:04 having to do any translation or modification. 00:23:36:04 - 00:23:39:21 The idea is that OSCAL files work seamlessly with the REST API. 00:23:40:04 - 00:23:43:22 There's a question about how the recipients verify 00:23:43:22 - 00:23:47:11 integrity of OSCAL documents exchanged with a service. 00:23:48:01 - 00:23:50:12 On the registry, one of the first things that happens 00:23:50:12 - 00:23:52:19 when a file is uploaded is it's put through the 00:23:52:19 - 00:23:55:20 validation tools for whichever OSCAL model was uploaded. 00:23:55:20 - 00:23:59:20 So, you know, the XML schema that's published by NIST, or 00:23:59:20 - 00:24:03:16 the JSON schema that's published by NIST and can be used for JSON or YAML. 00:24:03:20 - 00:24:08:12 If the file doesn't validate, then the content doesn't make it into the registry. 00:24:09:01 - 00:24:11:06 But there's also integrity, right? 00:24:11:06 - 00:24:14:00 The actual authenticity of the creation. 00:24:14:00 - 00:24:15:10 Who created it.
00:24:15:10 - 00:24:18:14 The authenticity right now is, for the registry, 00:24:18:14 - 00:24:20:20 people are asserting their own identity based on 00:24:20:20 - 00:24:22:15 either they create an account on the system 00:24:22:15 - 00:24:26:19 with an email address, or they're using a Google-recognized account. 00:24:26:19 - 00:24:30:10 There's no additional validation today. That's the verified 00:24:30:10 - 00:24:33:13 publisher that we talked about introducing down the road. 00:24:33:13 - 00:24:37:10 That would at least ensure the integrity of the source of the file. 00:24:37:12 - 00:24:40:12 The whole reason that we display the file publicly 00:24:40:14 - 00:24:44:04 in all three formats is so that it can be community verified. 00:24:44:16 - 00:24:47:07 Some of the other features that we intend to implement 00:24:47:07 - 00:24:50:07 eventually are community rating and ranking criteria. 00:24:50:09 - 00:24:53:08 Now, you'll need an account to rate or rank the content. 00:24:53:08 - 00:24:57:04 But we were looking at criteria such as, is it complete? 00:24:57:06 - 00:24:59:14 Is it free of editorial issues? 00:24:59:14 - 00:25:02:01 Does it do what it's representing that it does? 00:25:02:01 - 00:25:06:01 You know, we want that to be a community-driven verification, if you will. 00:25:06:08 - 00:25:11:01 And then, you know, we want people to give priority to higher vetted content. 00:25:11:08 - 00:25:15:14 We recognize that one person might publish a component definition 00:25:15:14 - 00:25:16:22 that's very sparse, 00:25:16:22 - 00:25:20:15 and another person might then publish a better one that has additional detail. 00:25:20:18 - 00:25:23:18 And so we would want those both to get ranked accordingly. 00:25:23:23 - 00:25:26:23 There was a follow-up question about whether we are using OpenAPI 00:25:26:23 - 00:25:28:19 for the REST specification. 00:25:28:19 - 00:25:31:00 We are using OpenAPI.
00:25:31:00 - 00:25:34:08 First of all, if you visit this first link here, you'll get to see 00:25:34:08 - 00:25:34:21 some additional 00:25:34:21 - 00:25:38:07 write-up about the specification, and then there'll be some additional links. 00:25:38:16 - 00:25:41:23 You can view the OpenAPI spec with this link here. 00:25:42:03 - 00:25:46:04 The repository for the REST specification is a public repo, 00:25:46:04 - 00:25:47:19 so you can actually go in, 00:25:47:19 - 00:25:52:04 view the issues, you can submit issues, you can contribute. Yeah. 00:25:52:04 - 00:25:55:05 So in the API spec, 00:25:55:07 - 00:25:59:14 there's detail about things like validated, identity-managed 00:25:59:20 - 00:26:02:15 submission of content via the API spec. 00:26:02:15 - 00:26:04:08 So, you know, that's all going to depend 00:26:04:08 - 00:26:06:19 on your level of identity proofing to some degree. 00:26:06:19 - 00:26:09:19 The implementation, upon receiving content, 00:26:09:22 - 00:26:11:23 should perform its own validation. 00:26:11:23 - 00:26:16:02 The minimum that the spec requires is that it's syntactically valid. 00:26:16:04 - 00:26:20:14 Beyond that, the implementation is free to do additional validation. 00:26:20:19 - 00:26:23:23 That's always a tricky balance of where the spec should end, 00:26:24:06 - 00:26:26:06 you know, where we should give the implementers 00:26:26:06 - 00:26:29:01 freedom to move and where the spec needs to be tight, 00:26:29:01 - 00:26:31:22 because otherwise tools wouldn't interoperate well. 00:26:31:22 - 00:26:35:12 Our goal is to use the appropriate portions 00:26:35:17 - 00:26:39:05 of the REST API specification in the OSCAL registry. 00:26:40:01 - 00:26:44:11 So the idea is that your tools, if they're configured to use the REST 00:26:44:11 - 00:26:47:21 spec, then they're configured to interact with the registry.
00:26:48:15 - 00:26:51:03 One of the use cases being: the tool comes across 00:26:51:03 - 00:26:55:03 a need for a particular catalog that it doesn't have in its own library. 00:26:55:05 - 00:26:58:10 It can query the registry, see what catalogs are available 00:26:58:10 - 00:27:01:23 in the registry and offer them to the user by using the API. 00:27:02:18 - 00:27:04:08 Okay, OSCAL Extensions. 00:27:04:08 - 00:27:09:01 I learned that there's the possibility of implementing extensions 00:27:09:07 - 00:27:12:12 either at the OSCAL specification level 00:27:12:14 - 00:27:17:13 or at the Metaschema level, which is the tool used to define the OSCAL standard. 00:27:17:16 - 00:27:20:17 So what we're looking for, you know, are you 00:27:20:23 - 00:27:25:19 developing tools where you're using your own OSCAL extensions? 00:27:25:19 - 00:27:29:06 Do you have a need to use that namespace parameter on the properties? 00:27:29:10 - 00:27:33:00 Do you have an organizational need to define your own allowed values? 00:27:33:07 - 00:27:36:16 And if so, would you benefit from a standard 00:27:36:20 - 00:27:40:19 where you can define all of those things such that tools can consume them 00:27:40:19 - 00:27:45:03 and know how to validate your extensions to OSCAL content? 00:27:45:17 - 00:27:48:17 So these are some of the questions to consider. 00:27:48:17 - 00:27:52:01 Michaela, this is a good point to open the floor for discussion.