00:00:00:01 Good morning. Thank you for joining this workshop series today. My name is Dave Waltermire. I'm the data strategy and standards lead for FedRAMP at the General Services Administration. Today I'm looking forward to sharing some exciting updates around the FedRAMP program as it relates to OSCAL and automating parts of the package submission process. So let's jump right in. The purpose of today's session is to inform all of you around tooling that FedRAMP is putting into place, as well as some piloting activities that we're currently starting around OSCAL. We'd like everyone to walk away today with an understanding of the FedRAMP digital authorization package pilot that we're currently running, how to get involved in that pilot and stay up to date with our team, and also some additional clarity around tools that we've been actively working on. Our agenda today follows these objectives. We'll begin with a brief introduction of myself and the team, and then we'll get into the bulk of the conversation covering the digital authorization package pilot, a discussion of tooling, and also a live demo of that tool. We'll finally wrap up with how to get involved in these efforts. So I just wanted to pause for a moment and introduce members of the team.
00:01:13:02 We've been working to assemble a group of really excellent subject matter experts on OSCAL, automation developers, and technical writers to work with us at FedRAMP on other initiatives. Currently leading that team, Rene is joining us today. Rene, would you like to introduce yourself?

00:01:30:01 Yeah, sure. Thanks, Dave. Rene Tshiteya. I had the good fortune of working both with Michaela and Dave going back three and a half, maybe four years on OSCAL. I have been part of the FedRAMP team for about the same amount of time in different capacities. More recently, focusing on the automation, particularly on OSCAL adoption and how we can implement it to modernize our processes. So we've got a fantastic team, really excited about the work that we're doing.

00:01:54:16 We also have Jake joining us today. Jake, would you like to introduce yourself?

00:01:58:05 Sure. My name is Jake Ahearn. I work as a contractor with Dave and the FedRAMP team, from The Clearing. And I'm a process SME, so I'm really focused on making sure everything runs smoothly in the background: some of these presentations that we have today, as well as, once we have gone over, just making sure that everything's in the right spot and the people that need to be there are there.

00:02:16:14 Great. I just wanted to give a little bit of information around my background.
00:02:20:07 I've been participating in OSCAL since the early days. I used to work very closely with Michaela on the project when I worked at NIST years ago, and I was involved in a lot of the OSCAL model development. And now I have the opportunity to lead the FedRAMP team here. All right, so with that, let's move on. I want to talk a little bit about the digital authorization package pilot. As part of FedRAMP's FY 24-25 roadmap, we talked a lot about increasing program effectiveness through automation and technology-forward operations. The digital authorization package pilot is one of our first steps in achieving this goal. The pilot will focus on developing extensive guidance to help service providers create machine-readable OSCAL SSPs, through the use of automated validations that provide faster, more consistent and less laborious reviews of FedRAMP packages. While this pilot will not have an immediate impact on the current authorization process, it will provide significant insights for FedRAMP as we design a new process for reviewing digital authorization packages. It will help CSPs improve the level of detail and overall quality of their system security plans using OSCAL.
00:03:30:18 And then, as a side benefit, we're also working a lot with governance, risk and compliance tool providers to also improve the capabilities of those tools to generate OSCAL system security plans. So the goals of the pilot are really fivefold. We want to provide accurate, clear and actionable guidance on producing an OSCAL-based system security plan, focusing on common quality problem areas to increase the overall quality of SSPs produced by cloud service providers. We're also working to provide richer system context, which is really around focusing additional validations and completeness checks that ensure that the system context is accurately described and richer within an OSCAL system security plan. This includes things like making use of components within the system security plan, as well as taking advantage of some of the inheritance capabilities for inheriting packages from an upstream service. We're working to define digital authorization package composition. We want to gain an understanding of what the critical components are that need to be supported within a digital authorization package. We're working with standardized validation checks.
00:04:46:06 So our goal at the end of this pilot is to have a clear list of validations that must be checked prior to receiving a system security plan. We're using this as a way to set expectations. And as I touched on before, we're really focusing a lot on automation, and really trying to dramatically expand the number of automated validation checks that can help reduce review times as part of the program process. This will have the effect of reducing human effort and detecting issues earlier in the process. So the pilot is going to focus on maturing guidance and validations to establish a baseline of requirements for FedRAMP using an 800-53 Rev 5 based system security plan. So we're focusing our efforts right now on the control setup profile. Within this pilot there's a dual set of responsibilities. There are responsibilities that the FedRAMP automation team will be meeting, as well as some responsibilities that we're asking our pilot participants to also meet. So the FedRAMP team will be responsible for largely implementing the system security plan related constraints. We will be developing automated unit tests for each of these constraints. These unit tests will check both positive and negative test cases so that we have confidence in the ability to apply these validations to test a given authorization package.
00:06:05:09 We're going to be working on updating documentation as needed to make sure that the documentation is clear, useful and accurately describes the FedRAMP package requirements. As part of this effort, we're also looking to potentially improve an autogenerated documentation capability that would expose the constraints. As part of this pilot, we're asking that our pilot partners, the cloud service providers that are producing OSCAL SSPs, use the external constraints that we're providing, validate their SSP using, you know, as close to real-world data as possible, and then provide us feedback on what they're seeing as far as applying these validations. Typically, when they apply the validation, they're going to get a pass result if the content meets the expectations, or they're going to get one or more validation issues identified that would indicate that certain aspects that we're validating do not meet expectations. Some of those issues might result from false positives. And, yeah, we certainly want to hear about where we miss, where the cloud service provider or GRC tool vendor believes that their content is correct. So we're going to be prioritizing the most common SSP deficiencies that we see during the FedRAMP package review process.
00:07:22:13 As part of this effort, there's really a focus on trying to accelerate the review process and removing delays that are introduced by incomplete packages that come in. You know, typically a major cause of delay in the review process is something called pass-backs. That's where a service provider submits a package. After some time, they end up reviewing that package. We identify a problem, the package gets passed back to the cloud service provider, who then has to make updates. It goes back through the review process. In some cases, that can happen multiple times, you know, causing significant delays. We have to catch a lot of those problems upfront so that a package will not actually enter the process unless it meets the basic criteria. You know, as a result, it will reduce any further delays. Please note that this pilot is really focused on the data that cloud service providers are providing today. We're not actually addressing agency use of cloud services or the system security plans that an agency would produce as part of documenting their customer responsibilities. What we are focusing on for the pilot are some of the core technical areas of the system security plan. You can see on this list, I believe eight areas, that we're currently focusing constraints around.
00:08:41:15 So the front matter that contains, you know, system characteristics and basic information about the system; appendix A, the security control narrative. These are all relative to the FedRAMP SSP. Information about how the system meets digital identity requirements; information around the customer responsibilities; FIPS 199 levels for the system; the integrated inventory; information about cryptographic modules and how they're validated through the NIST crypto module validation process; as well as separation of duties. So these are the areas that we're largely focusing our current constraints around. So I want to talk briefly about some of the OSCAL tooling. Rene is going to give a demo in a few minutes. FedRAMP has been working on enhancing the OSCAL CLI to provide functionality that's needed to define restrictions on top of the core OSCAL models. One of the things that the OSCAL CLI has supported for quite some time is this notion of external Metaschema constraints. Metaschema is the modeling technology that all of OSCAL uses. Metaschema allows for validation rules to be defined external to those models, which can provide for further checking of the presence of specific values where OSCAL allows a value to be optional. External constraints allow organizations like FedRAMP, for example, to define and enforce the use of custom properties.
00:10:10:07 So, as a result, we've been working to enhance and fix bugs in the OSCAL CLI related to the evaluation. We've also been adding some really interesting new capabilities to the OSCAL CLI. This includes the ability to execute arbitrary Metapaths. Metapath is the expression language that is used for defining constraints. We've had the ability to produce Mermaid diagrams of a given Metaschema model, which, you know, would allow you to diagram the OSCAL models. And, you know, a variety of different bug fixes. We've been releasing these updates on GitHub in the metaschema-framework organization. You can find quite a few releases there. This work is based on the work that NIST had started with the OSCAL CLI, but this repo contains a lot of the... We're really approaching this work in a way that is generalized across all OSCAL use cases. You won't really find any functionality in this tool that is specific to FedRAMP. And our intent is to work with the community to maintain this tooling in a way that supports the broader OSCAL. And with that, I would like to hand it over to Rene, who is going to be giving a demo.

00:11:26:21 All right. Thanks, Dave. That was a really good overview of, you know, the work that we're doing here at FedRAMP and how we're progressing with the digital authorization package pilot.
00:11:36:10 I just want to thank Michaela. Thank you for inviting us to this OSCAL mini workshop. We're really excited to share with you and the audience today some of the recent development efforts here at FedRAMP in support of the pilot, to show the audience how we are adapting the tools to work on the OSCAL pilot. In this demo, you'll see me walk through a couple of different use cases with different personas. I'll show you examples of how FedRAMP and pilot participants are going to be using these new capabilities during the pilot, and hopefully that should shed some light on how members of the audience may adapt their capabilities as well for scenarios that they experience within their organizations. So a couple of key points you'll see me use in terms of the tools and the environment. I'll pull up my integrated development environment. I happen to be using Visual Studio Code with Windows Subsystem for Linux and an Ubuntu instance. However, all of the capabilities that I'll be showing you today can be run in any number of different environments. Within the team that was presented at the top of the meeting, we have colleagues that are working on macOS, some on Windows, others in Linux. So this toolset is agnostic and can work in a variety of different environments. The scenarios, as Dave mentioned:
00:12:52:23 The pilot is focused primarily on the SSP, as that's the central component of the authorization process and a key point where we want to make sure that we have good information. And so most of the scenarios that I walk through today will be focused around the SSP and validation runs of the SSP. In terms of personas, I'm going to put on my CSP hat and kind of walk through as a content producer that's trying to validate OSCAL content. This could be leveraged by agencies, by tool vendors, if you have a tool. So with that, I will go ahead and start sharing my screen and walk through the first scenario. Okay, so let's jump right in. In this first use case, we're going to take a look at a very basic scenario. As a pilot participant, I need early and timely feedback on my content to make sure that it adheres to FedRAMP criteria, that it's valid. And when we talk about valid OSCAL, there are different layers of validation. We want to make sure that it's well-formed, so it has to be valid XML or JSON or YAML. Then there's schema validation: it has to adhere to the constraints that are within the OSCAL models. And then later on I'll also show an example of how FedRAMP is layering on, taking advantage of some of the capabilities within the OSCAL CLI to define external constraints that we can use to add additional criteria that are specific to FedRAMP.
00:14:17:15 So what I have here is my integrated development environment. I have a content folder that I've put together with a couple of sample SSPs that we'll use throughout today's demonstration. These SSPs, as a cloud service provider, perhaps I have tooling in my environment that will generate such SSPs. Perhaps I created them manually. Perhaps I used a third-party tool to produce the SSP. Nonetheless, pilot participants, regardless of how they generate the content, will be able to bring in their content and then use the validation tooling. So I have a couple of examples here. We'll start with the first SSP example. Most of my examples here are XML, but the same tooling will work whether you're using JSON or YAML OSCAL artifacts. So I have an SSP. Because it's an example, it's relatively small. It's brief. It's just a couple of hundred lines of code. But in the real world, we know that these SSPs are going to be rather large: tens of thousands of lines of code representing your SSP in OSCAL. So I have this SSP. I'm going to use the OSCAL CLI, a command-line interface within my local environment, to validate this SSP and make sure that it meets OSCAL requirements. To do that, I have my terminal here in my integrated development environment.
00:15:35:19 And I can just run the OSCAL CLI. I'm going to provide the command. So the command is validate. And then I'm going to specify the file that I want to validate. So in this case it's in my content folder; it's SSP example one. So very simple, very straightforward. It's going to process; it takes a few seconds here. And we'll see that the results tell me that this SSP file is valid. Now for those of you that have used the OSCAL CLI in the past, I just want to note a couple of things really quickly. We've made some recent feature enhancements to the OSCAL CLI to simplify this command. So you noticed that I basically gave it the command validate, and then I specified the file, and it automatically was able to determine that this is an SSP file and that it's an XML file, and then did the validation and produced results. So this is an example of some of the recent enhancements that we've made to the tool to improve the usability and make it easier to integrate for environments where there's a lot of automation. We're trying to simplify the commands, make it more accessible for all. So now let's move on to my second SSP, which is actually a copy of this SSP as well. It has some invalid content.
00:16:52:18 It has some invalid content if we were to validate it against FedRAMP requirements, but it does meet the core OSCAL requirements. Let me just confirm that and, again, run it, selecting now my SSP example number two. Run it and you'll see that it passes the core OSCAL validations. Now let's change our scenario. Let's do something a little bit more interesting. What if we wanted to check and make sure that it met FedRAMP-specified allowed values? FedRAMP, as other organizations, may extend OSCAL and layer on additional constraints and requirements and criteria that the documents that they receive need to adhere to. So in this case, we have some specific requirements around some allowed values that we've defined within an external FedRAMP constraints file. So let's take a quick look at how to do that. I'm going to use the help feature within the CLI. Again, something to help with usability. You can quickly see what the different commands are. Validate. Here comes another example of a recent enhancement, and what we're leveraging during the digital authorization pilot. So you'll notice that now there's this -c option, where we can specify additional constraint definitions.
00:18:19:03 So in this example we're going to validate the file that was previously passing core validations, if you would, but we're now going to specify a FedRAMP-developed file that contains the constraints indicating what all of the allowed values are for the FedRAMP extensions. To do that, you can run the same command as before, just providing -c. I'm going to point to my constraints file, FedRAMP allowed values. And so now, if I run the validation against the same file, you'll see that I now have two errors identified. This is color coded. So previously, this file was valid. Now it's telling me that it's not valid because we specified an additional set of constraints, an additional set of criteria that need to be satisfied in order for the file to pass validation. You can see here that it tells me the level: we have errors, we have warnings, and sometimes we also have informational feedback that we provide as a result of validation through the CLI. There's a pointer to the node within the content where the error occurred, and a description of what happened. In this case, I happened to put some invalid data in to force this error. I have an address value here that's invalid, instead of home or work. Those are the allowed values per FedRAMP.
00:19:45:04 And I've also provided an invalid authorization type. The values that are acceptable are listed here in the feedback as well. So this gives you an idea of how the external constraints are being leveraged by FedRAMP to specify additional constraints. And the nice thing about this is, by being able, as a content producer, to run this locally, I'm able to identify these issues early on in the process and take action prior to submitting it for review and evaluation. So now let's take a look at the next example. Perhaps we want to look at more than just the allowable values. We want to look at some more advanced constraints that have been defined by FedRAMP. And you'll see here, as part of the setup for this demo, I have several sets of constraints that are defined. You can find these on our GitHub repo as well. So I have the allowed value constraints, I have these external constraints, I have a couple of other sample constraints. For the second example we want to also specify this additional file here so that we can layer on additional FedRAMP requirements as part of our validation process. I can do this very simply by rerunning the same command as before and just specifying the second file. And so you'll notice the first time I ran it, it said the file was valid. I added the FedRAMP allowed values.
00:21:05:02 It found some allowed value violations within my data. But now that I ran the full set of constraints, I see that in fact my package is not complete. I have some missing items. So for FedRAMP submission, I need to have some additional artifacts that are referenced within my SSP back matter. I need to have a user guide attachment. I need to have rules of behavior, contingency plans, other documents that make up our digital authorization package. So again, this is sort of a really simple example to show you we're using these external constraints to define our requirements and then providing them to the community so that they can leverage them in testing their content, whether it's content that you've developed manually or content that you're using a third-party tool to generate, to ensure that it's going to meet the FedRAMP requirements. These are, in fact, the very same checks that we're going to be evaluating when we receive the packages on our end. Now, as part of the pilot, for this demo, I've only provided a subset of the constraints. But just to give you a sense of scope, as part of the pilot, for the SSP, we're looking at somewhere just south of 300 different validation checks that we're processing these documents with. So this is a huge time saver.
00:22:17:00 - 00:22:19:23 It's going to parse your large SSP, go through, 00:22:19:23 - 00:22:23:06 identify issues, and give you actionable items 00:22:23:19 - 00:22:27:10 to update prior to your submission, saving a tremendous amount of time 00:22:27:17 - 00:22:29:10 in the review process. 00:22:29:10 - 00:22:33:04 If we look at these results, these are actually Metapaths 00:22:33:06 - 00:22:37:16 that identify the nodes within the content where the issue arises. 00:22:37:16 - 00:22:38:14 But as I mentioned at 00:22:38:14 - 00:22:42:19 the onset, an SSP is probably going to be tens of thousands of lines long. 00:22:42:21 - 00:22:46:14 How can we make this process a little bit more user friendly? 00:22:46:17 - 00:22:48:24 And make these errors more actionable? 00:22:48:24 - 00:22:52:19 That brings me to the next example that I'd like to share, a new feature 00:22:52:19 - 00:22:55:01 that we've introduced in the OSCAL CLI. 00:22:55:01 - 00:22:59:01 So now we're going to take a quick look at SARIF results, 00:22:59:05 - 00:23:03:09 which is another format that we're using to generate results. 00:23:03:13 - 00:23:05:06 And it has some really great integration 00:23:05:06 - 00:23:09:09 features that make it more user friendly to work with and more actionable 00:23:09:09 - 00:23:13:10 for you to update your SSP as you find validation errors. 00:23:13:14 - 00:23:17:15 So let's take a quick look again at the help for the validate function. 00:23:18:04 - 00:23:19:21 I'm going to clear my screen here. 00:23:19:21 - 00:23:23:10 I'm just going to do OSCAL CLI validate. 00:23:24:11 - 00:23:26:13 Let's take a quick look at the help. 00:23:26:13 - 00:23:29:13 So we already walked through the -c option. 00:23:29:15 - 00:23:32:22 I was able to specify the FedRAMP constraints.
00:23:33:04 - 00:23:36:18 One of the new features and options that's available in OSCAL CLI 00:23:36:19 - 00:23:39:22 and that we're using in the pilot is this -o, which allows 00:23:39:22 - 00:23:42:22 you to write the output of your validations 00:23:42:24 - 00:23:46:16 to a specified file in the SARIF format. 00:23:46:16 - 00:23:47:05 For those of you 00:23:47:05 - 00:23:51:03 that are not familiar, SARIF, or Static Analysis Results Interchange 00:23:51:03 - 00:23:55:22 Format, is a standard file format for output of static analysis tools. 00:23:55:22 - 00:23:58:01 It's an OASIS standard that's designed 00:23:58:01 - 00:24:02:01 really to make it easier for static analysis tools to share results. 00:24:02:01 - 00:24:06:13 And that's exactly how we intend to use it at FedRAMP and during the pilot. 00:24:06:17 - 00:24:10:02 But we really want to take advantage of the integration capabilities 00:24:10:05 - 00:24:13:03 with our IDE, because SARIF is the standard, 00:24:13:03 - 00:24:16:11 regardless of the integrated development environment that you may be using. 00:24:16:11 - 00:24:20:05 It's very likely that there are some plugins available that allow you 00:24:20:05 - 00:24:23:22 to view and work with the results in a more usable way. 00:24:23:24 - 00:24:26:23 All we need to do is specify the -o option 00:24:26:23 - 00:24:30:07 and then give it a file name, and we'll be able to view those results. 00:24:30:11 - 00:24:33:12 So right now I think I have nothing in my results folder. 00:24:33:18 - 00:24:35:20 I'm going to rerun the same command as before. 00:24:35:20 - 00:24:39:10 So the exact same command, I'm going to add -o. 00:24:40:00 - 00:24:44:01 And let's call it, let's put it in the results folder, 00:24:44:04 - 00:24:49:15 we'll look at our demo FedRAMP validation 00:24:50:16 - 00:24:52:17 error. 00:24:52:17 - 00:24:55:02 I'm going to give it a .sarif file extension.
00:24:55:02 - 00:24:58:09 The file extension really doesn't matter all that much. 00:24:58:15 - 00:25:01:08 But SARIF is actually written in JSON. 00:25:01:08 - 00:25:07:02 This will help my plugin automatically detect what kind of file this is. 00:25:07:02 - 00:25:10:11 So this time when I ran it, you saw that results were not 00:25:10:11 - 00:25:14:14 generated to standard output, but were persisted to my file. 00:25:14:14 - 00:25:16:23 It does let me know that this file is invalid. 00:25:16:23 - 00:25:18:11 So there are some issues with it. 00:25:18:11 - 00:25:22:08 If I go and look in my results folder, you'll see that the file has been created. 00:25:22:11 - 00:25:26:05 As I mentioned, it is JSON, but we don't have to worry about that. 00:25:26:05 - 00:25:30:20 I think we can look at the plugin UI now. We have a nice view. 00:25:30:20 - 00:25:32:05 Let me just minimize this. 00:25:32:05 - 00:25:36:01 We have a nice view of all of the issues that occurred 00:25:36:05 - 00:25:39:02 within my sample SSP. 00:25:39:02 - 00:25:42:02 If I go really quickly to the rules, you'll see 00:25:42:02 - 00:25:46:00 that the constraints that we've defined all have unique identifiers. 00:25:46:00 - 00:25:50:02 And so I can quickly see that authorization type was one of the errors. 00:25:50:06 - 00:25:53:06 And when I click on it in the panel, 00:25:53:10 - 00:25:57:00 I get the description, much like I did on the console earlier. 00:25:57:01 - 00:26:00:17 I see some additional information, but it also opened up the file 00:26:00:17 - 00:26:04:04 and took me directly to the line of code where the issue occurred. 00:26:04:04 - 00:26:09:06 And you'll see here that I have this invalid value for authorization type. 00:26:09:06 - 00:26:11:08 It needs to be one of the following. Okay.
00:26:11:08 - 00:26:16:08 So this is just an example of how we're leveraging the SARIF output 00:26:16:08 - 00:26:19:21 to give us a nice integrated capability with our IDE, 00:26:20:12 - 00:26:24:24 really improve the user experience, make the content more actionable 00:26:24:24 - 00:26:28:22 so that I can go and make the necessary updates to my content 00:26:28:22 - 00:26:32:19 when working with these large OSCAL documents, in our case an SSP. 00:26:32:22 - 00:26:37:10 And over time, we're continuing to look at different ways that we can enrich 00:26:37:13 - 00:26:41:23 the results that we're producing in our OSCAL CLI validations. 00:26:42:07 - 00:26:43:11 And so some of the features 00:26:43:11 - 00:26:47:23 that we've discussed, for example, include providing direct links to documentation 00:26:48:01 - 00:26:51:24 on our automated fedramp.gov/documentation site, 00:26:51:24 - 00:26:55:09 where there are some full fledged examples and documentation 00:26:55:09 - 00:26:59:07 around the use of that particular data element or constraint. 00:26:59:11 - 00:27:01:17 So now I'll transition. I know we're short on time. 00:27:01:17 - 00:27:03:10 So I'm going to move a little bit quickly. 00:27:03:10 - 00:27:06:10 I'm going to transition to my next example. 00:27:06:12 - 00:27:07:24 One of the things that we saw 00:27:07:24 - 00:27:12:00 is it told me that I had the wrong authorization type for FedRAMP. 00:27:12:00 - 00:27:14:14 But wouldn't it be great to have that information 00:27:14:14 - 00:27:17:17 upfront and to know, you know, what are the allowed values? 00:27:17:19 - 00:27:20:19 And so that's a feature that Dave touched on at the beginning. 00:27:20:19 - 00:27:23:19 The ability for us to actually use 00:27:23:19 - 00:27:26:19 the constraints information that we're defining in our constraints 00:27:26:24 - 00:27:31:10 and generate documentation from that, that could be of use to the community.
00:27:31:14 - 00:27:34:22 To do that, again, for most of this you can use the help function. 00:27:34:22 - 00:27:38:14 I'm going to skip through the help function and post here. 00:27:38:20 - 00:27:43:02 You'll see that there's this OSCAL CLI list allowed values 00:27:43:02 - 00:27:46:08 command, and I want to make sure that it's also including 00:27:46:08 - 00:27:49:16 the allowed values that are specified in the FedRAMP file. 00:27:49:16 - 00:27:52:01 And so once I do that, I'm just typing here 00:27:52:01 - 00:27:54:22 at the end of the command, really, the results to a file 00:27:54:22 - 00:27:58:05 to make it easier for us to look at because it's quite lengthy. 00:27:58:12 - 00:28:01:22 Once I enter that, you'll see that it automatically generates a 00:28:02:12 - 00:28:06:17 YAML document that gives me a list of all of the allowed values 00:28:06:21 - 00:28:07:21 for the model 00:28:07:21 - 00:28:11:02 that I'm working with and based on the constraints that I have. 00:28:11:02 - 00:28:14:03 So I can do a quick find and, 00:28:14:05 - 00:28:18:05 I think it was authorization type. 00:28:18:15 - 00:28:20:04 You'll see here. 00:28:20:04 - 00:28:21:15 There's some documentation. 00:28:21:15 - 00:28:25:08 It tells us the type of constraint, which happens to be allowed values. In the future, 00:28:25:08 - 00:28:26:07 00:28:26:07 - 00:28:30:17 we can probably publish similar types of outputs for other types of constraints. 00:28:31:03 - 00:28:32:01 The location, 00:28:32:01 - 00:28:34:10 so this is within the system security plan, 00:28:34:10 - 00:28:38:16 gives you a Metapath letting you know where that constraint applies. 00:28:38:21 - 00:28:41:09 This happens to be a FedRAMP namespace constraint, 00:28:41:09 - 00:28:44:10 and that's why we had it in our external constraints file. 00:28:44:10 - 00:28:48:14 You can also tell that it's a FedRAMP specific item because of 00:28:48:14 - 00:28:49:08 the source.
00:28:49:08 - 00:28:52:18 So here again, I referenced that external constraints 00:28:52:18 - 00:28:56:06 file, whereas some of the other items are built in. 00:28:56:12 - 00:28:59:15 So like this part constraint here, the cloud deployment models. 00:29:00:08 - 00:29:02:12 That's just built into core OSCAL. 00:29:02:12 - 00:29:05:20 So those are constraints that are in the main Metaschema models. 00:29:05:24 - 00:29:09:19 So that's a really nifty feature that we've 00:29:09:22 - 00:29:12:22 added to the OSCAL CLI. Again, it gives us, 00:29:13:00 - 00:29:16:16 you know, we want to empower the content authors to be able to 00:29:16:20 - 00:29:20:18 understand what some of the requirements are around their data 00:29:20:18 - 00:29:22:10 while they're developing the data. 00:29:22:10 - 00:29:25:13 Now, when working again, we just have a few moments. 00:29:25:14 - 00:29:28:06 So I'm going to progress a little bit quickly here. 00:29:28:06 - 00:29:29:11 Let's clear the results. 00:29:29:11 - 00:29:31:10 I want to show you two more features. 00:29:31:10 - 00:29:35:23 One is visualizing the OSCAL models and the other one is Metapath queries. 00:29:36:02 - 00:29:38:01 The first one, if you're anything like me, I'm 00:29:38:01 - 00:29:40:02 a visual person, and we're working with data. 00:29:40:02 - 00:29:44:03 It's really helpful to see the relationships between the data. 00:29:44:05 - 00:29:47:16 How's the data structured, what elements relate to other elements. 00:29:48:01 - 00:29:51:21 And so the ability to produce something like an entity relationship 00:29:51:21 - 00:29:56:07 diagram or even the object or class diagram is really, really helpful. 00:29:56:09 - 00:30:00:01 We've added that capability in this version of the OSCAL CLI. 00:30:00:01 - 00:30:01:22 I'll copy a command here that I have. 00:30:01:22 - 00:30:05:16 Just really quickly, you can see that the OSCAL command is 00:30:05:16 - 00:30:08:20 metaschema, subcommand generate diagram.
00:30:08:22 - 00:30:11:08 Then I'm specifying the Metaschema model, 00:30:11:08 - 00:30:13:05 essentially to use as the source. 00:30:13:05 - 00:30:15:05 Then I'm going to produce output. 00:30:15:05 - 00:30:16:13 Let me change this here. 00:30:16:13 - 00:30:18:19 I'm going to change this to Mermaid. 00:30:18:19 - 00:30:20:15 It's going to create a Mermaid diagram. 00:30:20:15 - 00:30:25:14 And Mermaid, just think of it as diagram as code; it's a JavaScript based 00:30:26:01 - 00:30:30:14 way to represent data models and data objects. 00:30:31:02 - 00:30:34:05 And so I'm able to run this on the SSP model 00:30:34:15 - 00:30:37:09 and very quickly get an ER 00:30:37:09 - 00:30:40:09 diagram of the OSCAL SSP. 00:30:40:10 - 00:30:41:19 Really useful. 00:30:41:19 - 00:30:43:20 Now, for the visualization part, 00:30:43:20 - 00:30:46:20 there are third party plugins that you can use for your IDE. 00:30:46:24 - 00:30:51:18 I'm going to copy this and paste it in Mermaid Live. 00:30:51:19 - 00:30:53:23 There are some other online viewers, again. 00:30:53:23 - 00:30:57:10 Any number of tools are able to interpret Mermaid results. 00:30:57:14 - 00:30:58:23 I'm just going to 00:30:58:23 - 00:31:00:02 replace here. 00:31:00:02 - 00:31:03:05 I know this is really an eye chart, but what you have here 00:31:03:05 - 00:31:06:13 is the complete SSP model for OSCAL. 00:31:06:15 - 00:31:10:12 So starting with the SSP, you can see the system characteristics. 00:31:10:15 - 00:31:14:07 You can see different data elements, their type, their name, 00:31:14:07 - 00:31:16:09 the relationship between items. 00:31:16:09 - 00:31:20:05 So again, this is akin to working with an ER diagram 00:31:20:05 - 00:31:25:10 if you're a database person, or class and object diagrams if you're a programmer.
00:31:25:10 - 00:31:28:20 It gives you a visual representation that you can reference as you're building out 00:31:29:04 - 00:31:33:24 your tool, your tooling, and trying to better understand how to implement. 00:31:35:01 - 00:31:36:17 Last but not least, I do 00:31:36:17 - 00:31:41:09 want to show the Metapath expression query evaluation feature. 00:31:41:13 - 00:31:45:03 This is something that on the FedRAMP side we found quite useful 00:31:45:03 - 00:31:46:23 as we're building out constraints. 00:31:46:23 - 00:31:51:04 We're using the Metapath language to specify nodes 00:31:51:04 - 00:31:55:01 in these different documents where validations are to execute. 00:31:55:04 - 00:31:56:24 And we have to make sure that we're pointing at 00:31:56:24 - 00:31:58:16 the right portions of the document. 00:31:58:16 - 00:32:02:13 You may have use cases where you need to do something similar in your organization. 00:32:02:15 - 00:32:07:24 And the way to do that is, let me clear the screen really quickly, 00:32:08:08 - 00:32:13:08 essentially with this OSCAL metaschema metapath subcommand, evaluate. 00:32:13:08 - 00:32:16:14 And then you can specify an expression, in this example here. 00:32:16:14 - 00:32:19:14 I'm actually just looking for every single FedRAMP 00:32:19:16 - 00:32:22:17 namespace property in our OSCAL SSP 2. 00:32:22:19 - 00:32:24:13 And then I'm piping the results 00:32:24:13 - 00:32:27:22 to a file here; that way it's a little bit easier for us to review. 00:32:28:07 - 00:32:29:05 It's going to run. 00:32:29:05 - 00:32:32:06 It's going to essentially look at the Metaschema. 00:32:32:09 - 00:32:34:19 It's going to look at the document. Here we go. 00:32:34:19 - 00:32:37:14 We're able to generate a result. 00:32:37:14 - 00:32:41:14 And it lists here the file, but also the path within the file, 00:32:41:15 - 00:32:45:18 and that path for those particular FedRAMP namespace properties are.
00:32:45:20 - 00:32:48:14 There's only about 14 of them in this file because 00:32:48:14 - 00:32:51:11 we haven't defined all of the properties in our constraints. 00:32:51:11 - 00:32:54:12 But this is a quick and easy way to identify that content. 00:32:54:21 - 00:32:57:17 I have a slightly more advanced example here. 00:32:57:17 - 00:33:01:14 I go through and I identify all of the inventory items. 00:33:01:18 - 00:33:04:16 If we look at the expression here, all of our inventory items 00:33:04:16 - 00:33:07:20 that are assets that call out a web server. 00:33:08:05 - 00:33:12:03 If I execute this, it will generate an output 00:33:12:03 - 00:33:15:06 that gives me all of the nodes within my sample document 00:33:15:11 - 00:33:19:00 where Metapath found the same set of data. 00:33:19:04 - 00:33:20:15 So I went through a lot. 00:33:20:15 - 00:33:23:15 One key point as we kind of close. 00:33:23:17 - 00:33:25:07 I used an ID here. 00:33:25:07 - 00:33:29:03 I mentioned at the onset, different environments may have different 00:33:29:03 - 00:33:31:06 constraints, but this tooling is flexible enough 00:33:31:06 - 00:33:33:12 to work in a variety of different environments. 00:33:33:12 - 00:33:34:12 We've also recently, 00:33:34:12 - 00:33:38:11 for pilot participants, released a containerized version of this 00:33:38:16 - 00:33:43:21 to make it easier for individuals to get started with using these capabilities. 00:33:43:24 - 00:33:46:24 You can go to our repository and we have instructions there 00:33:47:03 - 00:33:49:19 for how to get set up and how to get started. 00:33:49:19 - 00:33:53:01 We're really excited about the capabilities. 00:33:53:04 - 00:33:56:04 Really, what you saw, to take it back 00:33:56:10 - 00:34:01:02 at a higher level, is the ease with which we're able to extend OSCAL CLI. 00:34:01:05 - 00:34:03:09 We saw how, as a content author,
00:34:03:09 - 00:34:05:17 you're able to, whether you're generating 00:34:05:17 - 00:34:09:14 your SSP natively or using third party tooling, 00:34:09:16 - 00:34:13:16 how you're able to validate your content and identify issues early on. 00:34:13:16 - 00:34:17:23 And perhaps as an agency, if you're an agency stakeholder and you 00:34:18:01 - 00:34:21:11 need to receive SSP packages from FedRAMP, 00:34:21:15 - 00:34:25:05 you can validate it as well and make sure that it adheres to our requirements, 00:34:25:05 - 00:34:27:15 but also any additional requirements that you have. 00:34:27:15 - 00:34:31:16 So we're really excited about all of the capabilities that we've shown here today. 00:34:31:21 - 00:34:33:06 This is only the beginning. 00:34:33:06 - 00:34:36:06 Part of the pilot is to continue to expand in Ida 00:34:36:09 - 00:34:40:01 and other ways that we can continue to add capabilities 00:34:40:01 - 00:34:43:22 that will help us transform our authorization process 00:34:44:01 - 00:34:46:19 and also help you all, the community, along the way. 00:34:46:19 - 00:34:49:05 So we're happy to partner with you on this journey. 00:34:49:05 - 00:34:49:11 All right. 00:34:49:11 - 00:34:51:18 I know we have a few slides left. 00:34:51:18 - 00:34:54:03 Dave, do we have a few moments to go through those? 00:34:54:03 - 00:34:56:15 Jake is going to re-share the slides. Great. 00:34:56:15 - 00:34:59:18 So I just wanted to go over some, like, really brief information. 00:34:59:18 - 00:35:03:17 If you're interested in participating in the digital authorization package pilot, 00:35:03:17 - 00:35:05:01 how to do that. 00:35:05:01 - 00:35:09:18 I wanted to point out that this pilot is being run as an open source project. 00:35:09:18 - 00:35:14:11 So, really, you need to access our GitHub repo, which is 00:35:14:11 - 00:35:18:17 github.com/GSA/FedRAMP-automation.
00:35:18:20 - 00:35:19:15 All of the work 00:35:19:15 - 00:35:22:05 that we're doing is going to be in that repository. 00:35:22:05 - 00:35:25:07 And so you can, minimally, participate there. 00:35:25:13 - 00:35:28:00 We also hold regular implementers meetings. 00:35:28:00 - 00:35:30:05 If you'd like to join those meetings, 00:35:30:05 - 00:35:33:18 we typically share details around, like, current efforts. 00:35:33:21 - 00:35:36:20 We use that to talk through any open issues. 00:35:36:20 - 00:35:38:14 We give updates on other pilots. 00:35:38:14 - 00:35:42:05 So that can also be a way to engage with us. 00:35:42:05 - 00:35:45:19 We also recently started offering office hours, which are available 00:35:45:19 - 00:35:49:11 on a first come, first served basis for anyone in the public to speak. 00:35:49:13 - 00:35:54:03 So you're welcome to sign up. And as always, if you have any questions 00:35:54:03 - 00:35:58:21 relating to OSCAL FedRAMP, you can email us at oscal@fedramp.gov. 00:35:58:21 - 00:36:01:09 So with that, that concludes our presentation.