00:00:00:00 Matthew Donkin: Hi, I'm Matthew Donkin from AWS, and I'm joined by Stephanie Lacy. I'm going to present some of our lessons learned from the AWS and Telos OSCAL submission of a FedRAMP SSP, some of the things that we've gone through to get it done, and some of the lessons learned to share with others. The first thing is the format challenges. One of the issues that we've had was aligning some of our documentation to the OSCAL format, specifically for FedRAMP. Our SSPs are written very differently, and we have various dependencies, which caused some issues getting those into the proper format. I'll go over that a little bit more on the next slide. And then with our POAMs, we have some extra information within our POAMs as well that will be causing a little bit of issue in the future, which we are working through right now. But really what it is, is taking that documentation and getting it into that digitized format, which we knew was not going to be a very easy lift. We knew there were going to be issues setting out for this, so a lot of this was: we knew what was going to happen, and we're working through plans right now to get everything in line for that machine-readable OSCAL format. Next, the SSP challenges.
00:01:01:18 We have our commercial boundary and our GovCloud boundary, which each have a main SSP and three appendices each for the IaaS, PaaS, and SaaS offerings. This caused some trouble when we put it into the OSCAL format for FedRAMP specifically. The temporary solution we had to have right now is just to have a separate OSCAL-formatted SSP for each of those offerings, right? So we have one for commercial offerings and one for IaaS, PaaS, and SaaS for our GovCloud offerings, as well as another appendix for IL5. So it's seven documents right now for all of our SSPs and appendices, which is not perfect, but it's what we have right now. And we're going to be working towards that single two SSPs, right? One for commercial and one for GovCloud. Some of the implementation challenges: there are multiple work streams that go into providing this information, and not all work streams were really on board at first for OSCAL, even within our organization. So we had to really sell it and show the benefits, and that is something that was actually fairly easy to do once you got into what you could do with this particular format. Once you get people on board, it created issues with managing that workflow. So instead of just managing for our one team, we now have to manage across multiple teams.
00:02:12:09 And there's some erroneous information. One of the template issues was how many users are on the cloud at one time. As you know, we're a very large hyperscale cloud company, and if you answer that question, it's going to be different within ten minutes. No, you can't just say this is not applicable to us, so you have to put an answer in there. And it's kind of like, well, you just put something in there, and to me it's wrong in the next 10-20 minutes. What do we do with that? And then the roles of each individual working within the environment: we have thousands of people working within the cloud at one time, plus that changes too, literally on a daily basis. So providing that information how they want it is an implementation challenge that we're still working through. And this has not been all horrible; it hasn't been all just challenges. We have some successes. We were the first, obviously with Telos, to provide the FedRAMP SSP, which is good because now we've got the ball rolling on ironing out some of the template issues, ironing out some of the schemas, and learning ourselves what we need to do on our side to make this very successful and be able to provide some of that feedback to the industry partners and kind of continue pushing the ball down the road.
00:03:08:07 We've also partnered with Accenture (3PAO) to pilot an OSCAL authorization package for some of our services, in order to provide the system assessment plan and system assessment report and provide a complete OSCAL authorization package to FedRAMP. We hope to do that by Q4. Some of the roadmap items: right now we have the complete SSP; again, we're working on the SAP, the SAR, and the POAMs, so as to be able to really push this format out in a usable way that can be ingested by our customers. And with that I must hand it over to Stephanie to discuss some of the XACTA lessons learned as well.

00:03:39:24 Stephanie Lacy: So Telos has this solution that's called XACTA, and we help manage customers going through the RMF process and how we can get accredited. With OSCAL we had to address some challenges where our models and our methods needed to be realigned to be able to export to an OSCAL package. So we have that data exchange model, XDE, but we needed to be able to translate the information that was in XDE into the OSCAL structure. We have a data exchange model, and it predates OSCAL, and it was a way for us to export and ingest information between our XACTA solutions.
00:04:16:07 But we needed to figure out how to get our XDE into, or convert it into, an OSCAL format, but also make sure that we can support and balance future deployments of OSCAL that don't necessarily follow the FedRAMP use case. And we also had to be able to ingest and process the manual documents that are being provided to us, put them into our tool, so that we can format them and convert them into OSCAL. One of the first things that we did was leverage our APIs, our forum posts, and various technologies to ingest our handwritten SSP, manual POAM spreadsheets, and data that's provided to the customer, to get them into XACTA so that we can output the information. But what we also found was that our original FedRAMP template file, in line with the original FedRAMP SSP, needed some tweaks and modernization to be able to output into the correct OSCAL format. We were able to do some modernization of our template to meet the OSCAL requirements, and then leverage some validation and schema output for the OSCAL SSP. And what we found was we want to be able to add new API endpoints and new calls to be able to not just output, but ingest some additional OSCAL information, especially as the model matures more and there are additional catalog pieces and customer information that we need to be able to pull into XACTA. We have also worked with NIST and FedRAMP to create a feedback loop process.
00:05:49:25 Just to address any use challenges or use cases that fall within these areas, make sure we're still meeting the core requirements of NIST OSCAL while addressing the unique use cases of FedRAMP, and leveraging the catalogs provided by NIST to make sure that we are matching information up with the core base model. So our future OSCAL deliverables in development are underway. We're working now towards outfitting the POAM model. We're also exploring catalog and profile generation for our regulations that we have inside XACTA that are not NIST 800-53 based. That way we can support customers who need to meet other regulations and want to be able to use the OSCAL model. And we're also right now collecting analysis for SAP and SAR models to make sure we can output the full OSCAL package. I feel like that's everything.

00:06:39:26 That's fantastic. Thank you. Thank you so much.