00:00:00:00 - 00:01:18:04 Okay. Thank you, Michaela. And hello to the audience, live here, and to those who are going to listen to this recording. We are going to discuss today, to introduce, the OSCAL-COMPASS suite of projects. COMPASS stands for Compliance Automated Standard Solution, and we will see the projects that belong to that. And OSCAL, of course, you all know already: Open Security Controls Assessment Language. I will take one minute to allow the team to introduce themselves with the title and group we belong to. So I'll start with Vikas.
Hi, everyone. I'm Vikas Agarwal. I'm part of the IBM research lab in India. I've been working on compliance-related work for the last four years, and I am kind of leading the OSCAL compliance research and related projects here. Thank you.
Lou?
Hi, I'm Lou DeGenaro. I work at IBM Research in Yorktown Heights. I've also been working in the compliance area related to OSCAL for about the last four years.
Thank you. Manjiree?
Hello. My name is Manjiree Gadgil. I work as an engineering manager with the C2 architecture group for Public Cloud at IBM, and I lead the compliance automation effort that the C2 architecture team undertakes.
Thank you. Alejandro.
Alejandro cannot be here. He's okay. No.
00:01:18:04 - 00:02:24:01 No problem. Yeah, he's part of the team. He works with Manjiree in the Secure team. Jenn?
Hi, I'm Jenn Power. I'm a product security engineer with Red Hat Product Security. I've been in the compliance space, specifically around OSCAL, for the last year. And in the last year I also became a maintainer in the project compliance-trestle, which we'll talk about a bit more.
Yana's turn.
Hi, everyone. My name is Takumi Yanagawa. I work at IBM Research Tokyo as a software engineer. I'm engaged in the design and development of automation for continuous compliance. So thank you very much.
Thank you. And my name is Anca Sailer. I'm a distinguished engineer in IBM Research in Yorktown, and I've been leading for the past four years the IBM compliance digitization transformation. And as part of that effort we have delivered these open source projects. And we have been also working closely with OSCAL and, you know, Michaela's team, to mutually benefit from the compliance as code that is very much needed in the industry today.
00:02:24:01 - 00:03:44:02 So we can go to the next slide. So we have the agenda: we will have a short introduction of the main aspects of compliance versus security, compliance artifacts, the personas that we consider as part of the suite of technologies that we provide, and then we'll go into the details of the projects themselves. So I always get the question, okay, when we talk about compliance versus security, where are we, how do we stand? And I wanted to point out that, for us, security and compliance is a continuum, going from security, discretionary requirements, best practices, towards compliant environments where now we have a minimum set of mandatory requirements. So from the point of view of the tooling and the organization, the authoring of the artifacts that we are considering, there is no difference whether we are dealing with discretionary security best practices, optional requirements, or the compliance mandatory requirements. From a technology point of view, of course, security implements a lot of the controls that are necessary for compliance, right? From compliance, we go into audit, and there are other types of capabilities, but those are capabilities that build on top of the technology that they provide. So the technology that we see here, right, there is this continuum from security requirements to compliance requirements.
00:03:44:08 - 00:05:13:11 Let's see, when I think about compliance and compliance artifacts, what are we talking about, what is their representation as code, and why do we need that? So if we are looking at the compliance documents or organizational policies, these are typically released as PDFs or spreadsheets, difficult to manage in a programmatic environment. So we have been looking at compliance as code. And at the core of those regulations we have the controls, their properties and parameters and so on. So here I will follow from, you know, top to bottom. A NIST example here is the SC-7 boundary protection control, and the NIST AI RMF that has been released, looking into a complementary type of controls in the context of AI. So, in the middle we have cyber security, and on the right we will have the AI. So, as we move from the realm of compliance into the technology that implements those controls, we are looking to express how the technology implements those controls through rules. So here you have examples in the context of NIST SC-7: if we are talking about the cloud object storage, or Kubernetes, or the load balancing as a VPC, load balancing as a service, to relate to SC-7, right? We create rules that would reflect the requirements of SC-7.
00:05:13:19 - 00:06:35:02 Looking into the AI context, for the filtering of harmful or biased content, we are looking at the models to have a certain threshold for the bias or for the harmful content, or for the misinformation. So at the technology level, the rules help to express how the controls are actually implemented by the technology. And at the next level, right, because we want eventually to collect the actual state from the environment and provide the posture, whether those controls, right, of the regulation are satisfied or not, we are talking about technology checks. So we have assessment tools that are implementing scripts to validate that the rules are actually satisfied. And across all the technologies and the rules belonging to a particular control, aggregating, we get the posture for that particular control. So this governance from the controls to the rules and down to the checks, this compliance governance, is what helps to divide and conquer, right, the high-level controls, right, be this for cyber security or for finances or for AI. It helps to provide the posture. We are considering both manual assessments and automatic assessments. Of course, for the automation, that divide and conquer at the rule and check level, right, is critical.
00:06:35:02 - 00:07:54:22 Although if you think from the manual point of view, the procedures, right, that are developed are the first level, right, towards dividing a control and helping towards automation. So with these artifacts in mind and their representation as code, as, you know, controls with their details, as rules with their details and parameters and so on, and the checks, we are looking at the personas that are expected to author or to manage content and the results of those artifacts. So we are talking about regulators. So they need to be able to express those controls. And we are looking at the CXOs that will take a particular regulation and will adjust it and tune it to provide a baseline for the particular organization or the environment. They need to be able to express: yes, there is automation. So if, you know, the information will come. So we are looking at regulators, CXOs. We are talking about the technology, right. We discussed being able to divide and conquer the controls at the technology level. So we need to allow those software or service providers, or the process providers, providing support for them, to be able to express that. And then of course we have the assessors; we have tools like CSPMs that will look into those rules, or the CIS benchmarks.
00:07:54:22 - 00:09:25:11 If we are talking about official benchmarks for particular technologies, and provide how we check those. So one of the key aspects in compliance and governance of the compliance is to allow those personas to be able to collaborate. And one of the tools that we are providing, that we are offering, the compliance that we are offering, is allowing this as a GitHub workflow automation. There's a lot of support for the versioning and for the change logs and for automatic PRs when there are changes downstream of the artifact that the persona is responsible for. So obviously, persona B is dependent on the regulation changes, while persona D is depending on any of the changes in personas A, B, and C. Another aspect, as part of the compliance agile authoring, is to understand the complexity of the skills that are required going from A to D, on the legal side of the expertise versus persona D, who is more a developer and, you know, code oriented. So we need to be able to support various interfaces and allow the various personas to manage the type of artifact that they feel comfortable with while, as a common denominator, having everything expressed as code. So one of the first requirements for doing continuous compliance, right, to support automation, is standardization. So as you can see, I'm building here the basis for why we need OSCAL. Right.
00:09:25:11 - 00:10:48:00 So this is what allows those personas now to have a common denominator with the OSCAL data model for compliance as code. In parallel with the compliance as code, we have the policy as code. So policy as code is more prevalent if we are looking especially in Kubernetes, in that a lot of those tools already automate security configuration or network configuration as policies, some of them, as you know, already enforcing through, you know, operators; those policies are there just evaluating and providing, you know, posture for them. So this is a separate, complementary type of artifact. They are not part of the compliance as code. This policy as code is leveraging regular languages like Python or JavaScript, or, if you are looking at more of a tool that is focused on policies, Open Policy Agent, right, with its language Rego. So these are complementary, providing support for automating the evaluation. And of course, the evaluation of what is describing compliance can also be done manually, right. So we are moving now from the authoring, whether it's the compliance or whether it is the policies, we are moving from the authoring side, think, right, in terms of the traditional CI/CD and the authoring part of the house, to the runtime.
00:10:48:03 - 00:12:15:22 So, persona E, system owners, they start, you know, subscribing to services, installing the environment, and they need to be able to associate their inventory, their environments, with, you know, certain regulations or baselines that come from the A, B. So this is what is going to trigger the scans, right? And the checks that are done in the PVPs, the policy validation or enforcement points, which is where we fetch the actual state from the environment, we compare it with the desired state that comes in, what persona C expressed in the rules. And the results are provided back for the system owners or for the auditors, the SREs, to interpret and either declare risk in tools like GRCs or do remediation back in their environment so that they regain compliance status. Again, for being able to support such an architecture, one of the key points is obviously a standardized version. We worked for many years now with OSCAL. We have implemented an SDK. So if we are going to the next slide, I think we are going to talk about the technology that we provided to support this. Okay. So there's, just to show, we are not going to go into the details. We expect that the people in this audience are familiar with the details. It's just to let you know that all those layers that are presented here are considered, handled as part of our technology.
00:12:16:07 - 00:13:39:03 So, I think I mentioned, right, this slide is just a presentation here that we are covering all the OSCAL models, and the set of tools that we are building, our tools basically adhere to the OSCAL schemas. Right. Let us look at what are the tools that we have in the OSCAL-COMPASS suite of projects. Right. So, as we already know, OSCAL is a framework and language for managing compliance artifacts as code. It provides capability for selection of controls, to implementation, and assessment, and plan of actions and remediation. And the first tool in the OSCAL-COMPASS suite of projects is compliance-trestle, which is an opinionated implementation of the OSCAL standard. It allows manipulating or editing these OSCAL documents, either programmatically in Python code or through CLIs, while making sure that these OSCAL schemas are enforced. Right? So whatever changes we are making, either through directly modifying the JSON files or through a program where we are creating new content, these will always be compliant with the OSCAL schemas. It provides an SDK for users to either use compliance-trestle in their own program, or one can directly use the CLI API that we have. And we'll go into more details on the Trestle architecture in later slides.
00:13:40:02 - 00:15:08:21 Another related project in this suite of projects is what we call the collaborative agile authoring platform. What this enables is basically it allows the various personas that we saw earlier to create and manipulate their content in an interface of their choice. So, as you know, directly editing XML or JSON files is not very human friendly. Humans would like to create or manipulate content in more human friendly formats such as Markdown or Excel file, or CSV file and so on, and let the tool do the conversion from those human readable and editable formats to these OSCAL formats. And what the Trestle agile authoring collaborative platform provides is a Git based automated workflow that ensures the consistency of these human friendly formats and the OSCAL formats, and it allows traceability of this content. So the agile authoring platform builds on top of the compliance-trestle project, and it provides a set of automation and GitHub workflows that enables you to just create the content in your own format. And behind the scenes, automation would convert the human friendly format into the OSCAL format and keep them consistent and so on. And it also allows other advantages such as enabling an approval process, automatic semantic versioning and all. And we'll see more details on this in the later slides.
00:15:08:21 - 00:16:34:15 The third project in this suite of projects is Compliance_to_Policy, which basically acts as a bridge between compliance as code and policy as code. Right. So, till now, in the agile authoring realm, we are working with compliance as code artifacts such as catalog, profiles, component definition, SSP. And now once we have to implement these controls and checks on various software and services and perform the validation, we need to create policies that would run on various systems, right. So for example, given a policy engine, or Auditree, or a toolchain, or other kinds of tools and systems that perform the checks against these controls. Right. And each of these policy validation tools has its own policy language and the way to specify the policy and execute the policy and so on. So what this Compliance_to_Policy allows is basically it acts as a bridge: it will take the compliance as code documents in OSCAL format, and depending upon what are the various assessment tools that we plan to use, it would create policies in the language and format expected by that assessment tool and deploy the policies on those systems, get the assessment results from the system, and then create back the OSCAL assessment results, which can then be consumed by the rest of the system. And here at the top we provide a set of links for the OSCAL-COMPASS set of projects.
00:16:34:15 - 00:17:59:22 So the main organization is OSCAL-COMPASS, and underneath it we have all the three projects represented over there.
Thank you, Vikas, and thank you for introducing the projects. I'm going to talk in detail on two of the projects there, which are Trestle and agile authoring. As Vikas mentioned, and as Anca mentioned in her presentation before, compliance artifacts are all about interaction between humans and machines: humans for editing, providing the SMEs' policy, and automation for actually scaling up the compliance, and then providing a way so that service teams can complete that end to end cycle from implementation to, finally, evidence gathering. Trestle is an open source OSCAL SDK. You can find the link in the previous slide which Vikas presented. It is an ensemble of tools that enables creation, validation, governance, transformation of artifacts for compliance needs. It is open source; you know, go ahead and download it. It is an SDK. It is a Python based tool. It can be integrated with the CI/CD pipeline to help validation, creation, as well as transformation of artifacts. And I would be explaining in a later slide for agile authoring how we leverage Trestle.
00:17:59:22 - 00:19:35:18 Trestle provides an easy way to transform compliance artifacts between the human readable markdown format, for editing, reading, approving of artifacts, and the OSCAL format, which can be read by machines. So Trestle can be that transformer and validator for the compliance artifacts. As well, in the compliance-trestle repo we have issues, release management, to include new features for Trestle. And we recently released Trestle version three, which is based on the OSCAL 1.1.2 schema. So it supports the OSCAL 1.1.2 schema as well as previous versions. So a little bit about the Trestle architecture, and I'm going bottom up. So the base of it is the core Trestle, which is based on the OSCAL models. So Trestle takes the OSCAL schema and inputs it into Python classes, which it then leverages for its validation and transformation. The next layer is the one where Git repos, compliance artifacts, and humans actually interact with Trestle. So Trestle provides tasks and transformers so that humans can provide input data in the form of Excel sheet and spreadsheet. And Trestle takes those and transforms them into OSCAL format as well as markdown. So you can have your starting point in Excel and CSVs and then leverage Trestle to convert them into JSON format.
00:19:35:21 - 00:21:14:15 And then it is up to you whether you want to change your source to the markdown and OSCAL, or you want to continue using Excel and then leverage Trestle to again generate your OSCAL and markdown. It also provides a repository as well as a CLI for OSCAL editing: editing the markdowns, editing your parameter values, etc. It also provides authoring capabilities leveraging Jinja for markdown editing, as well as generating artifacts which can be published, like the SSP. Along with it, we have developed special plugins to handle special use cases, like Trestle for FedRAMP, which handles special cases. And that is where the word opinionated comes into the picture. Some of the applications where Trestle could be used are, of course, content authoring, specialized workflows like generating the SSP, and, like I mentioned, converting from your existing legacy format like spreadsheets to the markdown and OSCAL format. Agile authoring, like Vikas mentioned, is a collaborative authoring platform. To successfully implement and provide evidence for a compliance program, multiple personas of various skill levels and intentions come into play. And agile authoring is our way to have humans and machines, to have humans and automation, seamlessly interact to generate compliance artifacts. At the core of this, for validation and transformation, we leverage compliance-trestle.
00:21:14:24 - 00:22:52:11 I'm going to go from left to right. As you can see, there are multiple compliance artifacts represented here, like catalog, profile, crosswalk between two compliance programs, component definition, which is the controls to rules mapping, and the SSP, which is the auditable artifact. All of these compliance artifacts are represented as Git repos. They provide a human friendly way of editing, authoring and approving, reviewing compliance artifacts in the form of markdown. We also leverage Trestle to generate the machine readable format, which is the OSCAL JSON. For example, in the catalog repo we would have the catalog represented in the form of markdowns, as well as we would have the catalog represented in the form of catalog JSON, which would then be ingested by automation to get the controls later. Since this is a Git based approach, we leverage some of the native Git features like pull requests, as well as we integrate with the pipeline orchestrator (we integrate with Travis inside IBM) to run additional scripts to transform, as well as run Trestle to transform and validate from one format to another. Also, you can see solid arrows going from one repo to another, which indicate that we have a domino effect. So if there is a new release of a catalog, then it would update all the dependent repositories which leverage the catalog.
00:22:52:21 - 00:24:19:19 So with the Git based flow, we have also built a cascade of the artifacts. And we leverage semantic release and semantic versioning for our release mechanism. Along with it, the documentation can be published; we publish it using Cloud Docs, markdown, and other technologies like Box.
Thank you, Manjiree. I will introduce the compliance-to-policy project. So I mentioned in some previous chats it's necessary to integrate the compliance workflows with the parts of security and configuration assessment that actually collect and check the statuses of target systems and services. So there is a lot of security software to fetch the statuses from systems, compare with the desired status, and return the security postures. So the desired status is called policy. And the point where this happens is called the policy validation point, or simply the PVP. For example, a PVP for Kubernetes is Kyverno or OPA Gatekeeper. These policy engines can be a PVP for other targets, like VMs and networks; Ansible and Auditree can be PVPs. So compliance-to-policy is the bridge between the interfaces.
00:24:19:19 - 00:24:24:05 So with OSCAL compliance as code and policy as code, 00:24:24:20 - 00:24:28:01 to enable end to end integration of components and workloads 00:24:28:13 - 00:24:33:13 from the technical perspective, C2P's functionalities are to generate 00:24:33:18 - 00:24:38:10 PVP policies from OSCAL compliance definitions and to aggregate the 00:24:38:13 - 00:24:42:14 PVP native results as OSCAL assessment results. 00:24:43:07 - 00:24:45:21 So C2P aims to provide 00:24:45:21 - 00:24:51:12 flexibility in the choice of policy engines with a pluggable architecture 00:24:51:16 - 00:24:56:07 so that various policy engines can easily adapt to OSCAL. 00:24:56:17 - 00:25:01:00 The program interface is simple, as it requires writing simple 00:25:01:04 - 00:25:04:13 pieces of code that implement the interface 00:25:05:00 - 00:25:09:14 that transforms the rest of the compliance control to the list of policies, 00:25:10:02 - 00:25:15:10 and the transformer from PVP native results to each control result. 00:25:16:12 - 00:25:16:19 Other 00:25:16:19 - 00:25:20:15 things such as aggregation, or mapping of PVP results 00:25:20:15 - 00:25:24:03 to controls, are handled by the C2P core part. 00:25:25:04 - 00:25:29:08 So currently we have developed the plugins for Kyverno, 00:25:29:08 - 00:25:33:13 the OCM policy framework and Auditree. 00:25:33:18 - 00:25:39:12 Combining C2P, compliance to policy, and Trestle's authoring, 00:25:39:14 - 00:25:43:23 we can offer the full end to end continuous compliance automation. 00:25:44:10 - 00:25:47:22 And currently C2P is community driven development. 00:25:47:22 - 00:25:52:05 So yeah, it's very welcome to develop new features 00:25:52:05 - 00:25:55:05 or plugins. 00:25:55:07 - 00:25:56:03 Yes. Thank you, 00:25:56:03 - 00:25:59:13 Yana. Now that we've talked about all these projects, 00:25:59:13 - 00:26:02:18 I want to talk a bit about the OSCAL-COMPASS community. 
00:26:03:11 - 00:26:06:12 As mentioned in the presentation previously, 00:26:06:12 - 00:26:09:20 this is an open source suite of projects. 00:26:10:01 - 00:26:12:05 Where to start, how to get involved? 00:26:12:05 - 00:26:16:06 Our community repo has most of the information 00:26:16:10 - 00:26:19:10 for how to get involved in the OSCAL-COMPASS community. 00:26:19:20 - 00:26:24:12 The README contains information about how to get in touch with the maintainers, 00:26:24:18 - 00:26:29:11 how to reach us on Slack, how to get into our OSCAL-COMPASS community calls. 00:26:30:04 - 00:26:34:09 Those occur biweekly on alternate Tuesdays at 11 a.m. 00:26:34:09 - 00:26:35:20 Eastern time. 00:26:35:20 - 00:26:39:14 All of the information is in our README, and when the presentation 00:26:39:14 - 00:26:42:14 is made available, it can be reached on that link. 00:26:42:16 - 00:26:45:21 Our governance right now is new and evolving. 00:26:46:00 - 00:26:50:06 We are currently onboarding as a CNCF sandbox project. 00:26:50:17 - 00:26:53:11 I want to talk a little bit about the decision making 00:26:53:11 - 00:26:55:12 and our governance structure. 00:26:55:12 - 00:26:58:12 We strive to make community based decisions, 00:26:58:19 - 00:27:02:13 and with that, we take a consensus based approach for most of our day 00:27:02:13 - 00:27:07:04 to day project decisions. There are times where we need to employ 00:27:07:05 - 00:27:11:18 a voting based approach; that is done by our oversight committee, 00:27:12:02 - 00:27:15:23 which is made up of a group of project maintainers and project representatives, 00:27:16:06 - 00:27:17:17 and you can learn more about that 00:27:17:17 - 00:27:20:17 in our governance document in our community repository. 00:27:21:11 - 00:27:24:05 And also we're always looking for contributors. 00:27:24:05 - 00:27:28:10 So where to get started is the contributing guide in our community 00:27:28:10 - 00:27:29:14 repository. 
00:27:29:14 - 00:27:33:15 This will outline the organizational community guidelines. 00:27:33:22 - 00:27:36:16 And if you're interested in a specific project, 00:27:36:16 - 00:27:40:06 there are also project level contributing guides that you can check out. 00:27:40:17 - 00:27:44:09 One more thing I want to mention is there are other roles 00:27:44:09 - 00:27:47:15 available in the community other than the oversight committee. 00:27:47:20 - 00:27:48:20 This is outlined in 00:27:48:20 - 00:27:52:16 our membership document, where you can find roles, responsibilities, 00:27:52:16 - 00:27:56:09 privileges, and the process on how to get into those roles. 00:27:56:20 - 00:28:00:16 And here on this slide, we just have some project resources: 00:28:00:21 - 00:28:04:02 the link to the meeting notes for community calls. 00:28:04:08 - 00:28:08:01 This is the most up to date information on how to get into 00:28:08:01 - 00:28:11:02 the community calls, the meeting information. 00:28:11:02 - 00:28:15:09 It also has a record of all of our past calls, along with recordings 00:28:15:09 - 00:28:18:12 that are in our YouTube channel, and our GitHub organization. 00:28:18:20 - 00:28:22:23 And then finally a set of blogs that expand on what we've talked about here. 00:28:23:03 - 00:28:27:12 These blogs and the links to them are available in our organizational profile. 00:28:27:22 - 00:28:28:09 All right. 00:28:28:09 - 00:28:30:16 I think that's the end of the presentation. 00:28:30:16 - 00:28:33:02 We can probably move on to questions.