00:00:00:00 - 00:00:05:07 Today the floor is open for the NIST team: David Waltermire, the OSCAL
00:00:05:07 - 00:00:10:01 technical director, and Dmitry Cousin, an OSCAL team member.
00:00:10:06 - 00:00:14:15 They are going to go over some of the NIST open source tooling.
00:00:14:15 - 00:00:16:16 I just wanted to say welcome, everyone.
00:00:16:16 - 00:00:21:00 Thank you for the opportunity to present some of the work we've been doing.
00:00:21:02 - 00:00:22:08 So we've been working on
00:00:22:08 - 00:00:26:11 a variety of different types of tooling to support our work
00:00:26:11 - 00:00:28:03 around developing OSCAL,
00:00:28:03 - 00:00:32:05 keeping an eye towards building open source software that
00:00:32:05 - 00:00:36:01 we believe will be broadly useful to the larger community.
00:00:36:08 - 00:00:38:12 So today I'm going to talk a little bit about
00:00:38:12 - 00:00:42:06 some of the software that we currently have available, as well as
00:00:42:08 - 00:00:46:03 some software that we're currently working on for future release.
00:00:46:08 - 00:00:49:05 Before I get into specific tools, I wanted to talk a little bit
00:00:49:05 - 00:00:52:23 about the types of tooling that we're working to provide here.
00:00:52:25 - 00:00:57:03 Some of what we provide are what we would call programming language APIs.
00:00:57:03 - 00:01:00:11 The intent there is to support development
00:01:00:17 - 00:01:03:03 of business logic functionality
00:01:03:04 - 00:01:07:00 on top of OSCAL-based formats as quickly as possible.
00:01:07:00 - 00:01:10:26 You can use a library which will give you basic parsing
00:01:10:26 - 00:01:14:19 capabilities to marshal OSCAL content into
00:01:15:02 - 00:01:18:27 native objects which you can then manipulate and, you know, build
00:01:18:27 - 00:01:22:14 higher level applications on top of. Our thought there is that,
00:01:22:14 - 00:01:27:07 you know, these types of programming APIs provide an easier on-ramp for developers
00:01:27:07 - 00:01:30:27 who are trying to implement tools around OSCAL.
00:01:30:27 - 00:01:34:17 We're also working on tooling that supports content conversion.
00:01:34:23 - 00:01:38:06 So OSCAL right now has seven current models, eight
00:01:38:06 - 00:01:41:28 total planned models in the 1.1 release at the moment,
00:01:42:02 - 00:01:45:26 and those models are available in three different formats.
00:01:45:29 - 00:01:48:29 Eight times three, that's 24 different
00:01:48:29 - 00:01:51:29 model-specific formats that we currently maintain.
00:01:52:02 - 00:01:55:09 We recognize that different parties are going to prefer
00:01:55:09 - 00:01:56:25 the use of different formats.
00:01:56:25 - 00:02:02:01 Some may prefer YAML for editing and maybe JSON for tooling, or XML.
00:02:02:01 - 00:02:03:19 We want to make it very easy
00:02:03:19 - 00:02:06:19 to take a piece of OSCAL content against any model
00:02:06:19 - 00:02:11:17 and any format and, you know, convert it to an appropriate format for use.
00:02:11:20 - 00:02:15:20 And this type of content conversion helps to provide greater
00:02:15:20 - 00:02:20:00 adaptability and flexibility. And then finally we're working on content
00:02:20:00 - 00:02:24:08 editing capabilities, specifically browser-based applications that
00:02:24:12 - 00:02:28:04 support visualizing and editing various OSCAL content.
00:02:28:07 - 00:02:29:05 And our focus there
00:02:29:05 - 00:02:32:29 is providing tooling in a browser that has a minimal footprint,
00:02:32:29 - 00:02:36:24 that doesn't require that you install anything or get approval to.
00:02:36:29 - 00:02:39:27 We want to make it easy for all of you to use.
00:02:39:27 - 00:02:43:04 So one tool that I've been working on for a few years
00:02:43:04 - 00:02:46:17 now, well, it's actually a library, called libOSCAL-Java.
00:02:46:20 - 00:02:50:00 This library is a Java API library.
00:02:50:02 - 00:02:53:04 It provides basic code to help you parse
00:02:53:04 - 00:02:56:18 OSCAL data in any of the available formats.
00:02:56:19 - 00:03:01:00 It allows you then to operate on that data in some specific ways.
00:03:01:00 - 00:03:04:29 This is an open source project that is published out on GitHub.
00:03:05:00 - 00:03:08:01 So libOSCAL-Java has a variety of features.
00:03:08:03 - 00:03:11:26 One feature that it supports is constraint validation.
00:03:12:02 - 00:03:14:23 Some of you might know that OSCAL is actually modeled
00:03:14:23 - 00:03:17:19 using a technology that we built called Metaschema.
00:03:17:19 - 00:03:19:16 It's basically a way that we can
00:03:19:16 - 00:03:23:15 represent the structure of a model in a format-agnostic way.
00:03:23:15 - 00:03:26:16 Metaschema allows us to define constraints.
00:03:26:16 - 00:03:29:18 We can say things like, if you provide this value then
00:03:29:18 - 00:03:33:12 you must provide this other value. We can say things like, of three fields
00:03:33:17 - 00:03:35:02 you must use one of the three.
00:03:35:02 - 00:03:38:11 These types of constraint checks are not very well supported
00:03:38:21 - 00:03:42:17 in common schema technologies like XML and JSON Schema.
00:03:42:19 - 00:03:46:05 So we've developed a constraint system that allows us to express
00:03:46:05 - 00:03:49:06 a richer set of constraints on top of the OSCAL models.
00:03:49:15 - 00:03:52:06 So this libOSCAL-Java tool supports
00:03:52:06 - 00:03:55:11 enforcing those constraints on the content it parses.
00:03:55:14 - 00:03:57:20 It's also a multi-format parser.
00:03:57:20 - 00:04:01:11 So it's capable of reading any of the OSCAL
00:04:01:11 - 00:04:05:16 formats, XML, JSON, and YAML, and then writing out content
00:04:05:18 - 00:04:08:22 back to any of those formats. So you can read
00:04:08:22 - 00:04:12:04 content in XML and write it back out in YAML.
00:04:12:06 - 00:04:16:16 It does that by marshaling the data to a common object
00:04:16:16 - 00:04:19:22 model that is independent of the underlying format,
00:04:19:22 - 00:04:21:18 and then basically writing from that
00:04:21:18 - 00:04:25:20 independent object model back out to the selected format.
00:04:25:20 - 00:04:29:18 It provides builders using the builder pattern, which allows you to
00:04:29:18 - 00:04:33:12 very easily construct some of the common objects that exist
00:04:33:12 - 00:04:37:29 within OSCAL, things like props and links and controls and
00:04:37:29 - 00:04:41:19 responsible parties and those types of constructs. They all have
00:04:41:22 - 00:04:45:24 builders which really simplify and make easy generating content
00:04:45:24 - 00:04:47:08 for these types of objects.
00:04:47:08 - 00:04:51:15 And it also provides a profile resolver that's currently experimental.
00:04:51:15 - 00:04:54:15 Thanks to all of the great community feedback we've been working to
00:04:54:18 - 00:04:58:01 make it better, and this supports taking an OSCAL profile
00:04:58:01 - 00:05:01:27 in any of the formats and performs the profile resolution
00:05:01:27 - 00:05:06:25 operation on that profile, generating a resulting resolved catalog.
00:05:06:28 - 00:05:10:10 That's all based on the latest specification that's out on
00:05:10:14 - 00:05:12:10 the OSCAL website.
00:05:12:10 - 00:05:15:29 Using libOSCAL-Java, we're also producing a
00:05:16:02 - 00:05:19:18 Java-based command line tool called OSCAL CLI.
00:05:19:18 - 00:05:24:00 OSCAL CLI basically exposes all of the features that libOSCAL-Java
00:05:24:00 - 00:05:28:02 supports using an easy-to-use command line interface.
00:05:28:12 - 00:05:31:15 It makes it easy to convert between content by
00:05:31:18 - 00:05:35:14 loading that content and storing it in an alternate format.
00:05:35:16 - 00:05:38:26 This allows you to write content in whatever your favorite format is,
00:05:38:29 - 00:05:43:16 and then convert that content very easily for use in any of the other formats,
00:05:43:20 - 00:05:47:04 such as to import into a tool or for publication.
00:05:47:08 - 00:05:50:13 It also allows you to quickly validate OSCAL content using
00:05:50:13 - 00:05:53:13 the OSCAL constraints, and resolve profiles.
00:05:53:19 - 00:05:57:26 I'd like to give you just a brief demo of how this tool functions.
00:05:57:28 - 00:06:00:28 For this purpose I have downloaded
00:06:00:29 - 00:06:07:10 the OSCAL 800-53 Rev 5 catalog and low baseline profile, both in XML.
00:06:07:10 - 00:06:11:03 And I'll be using those to show you both the profile resolution
00:06:11:03 - 00:06:14:20 functionality of the tool as well as its ability to convert
00:06:14:23 - 00:06:16:17 content into alternate formats.
00:06:16:17 - 00:06:19:19 First, I'm going to show you the command that you would use
00:06:19:19 - 00:06:24:25 to convert an OSCAL catalog from any format into a specific format.
00:06:24:25 - 00:06:27:28 The OSCAL CLI tool actually does a deep inspection
00:06:27:28 - 00:06:31:11 of the content to determine what its source format is.
00:06:31:15 - 00:06:33:05 You don't have to actually tell the tool
00:06:33:05 - 00:06:36:23 what that format is. You do have to tell it what format you want to convert to.
00:06:36:27 - 00:06:40:06 It can take two file arguments or a single argument.
00:06:40:08 - 00:06:43:05 If two file arguments are provided, the first one indicates
00:06:43:05 - 00:06:44:20 the source content,
00:06:44:20 - 00:06:46:25 the second one the destination file.
00:06:46:25 - 00:06:50:03 If a single argument is provided, it reads the source content
00:06:50:03 - 00:06:53:03 that's specified and then writes the output to standard out.
00:06:53:05 - 00:06:56:26 So it's reading the content and then processing that content,
00:06:56:26 - 00:07:02:10 and it's writing it back out. You can see the entire OSCAL catalog, now in YAML.
00:07:02:13 - 00:07:08:29 I can pipe this to my file if I wanted to, so I can call it like catalog dot.
00:07:10:29 - 00:07:12:28 The next thing I wanted to show you
00:07:12:28 - 00:07:17:03 is the ability of the tool to do profile resolution.
00:07:17:03 - 00:07:20:16 And one of the interesting things about this tool is you can mix formats.
00:07:20:16 - 00:07:24:05 So this is the command to take a profile and resolve it.
00:07:24:08 - 00:07:29:15 The "to" argument indicates that you want to write the resolved catalog out in JSON.
00:07:29:15 - 00:07:33:17 You can see the first argument is the profile, which is currently in XML.
00:07:33:17 - 00:07:34:23 The second argument is
00:07:34:23 - 00:07:38:12 the name of the file that we want to store the resolved catalog at.
00:07:38:24 - 00:07:42:06 I'll run this and it'll run the profile resolver.
00:07:42:08 - 00:07:46:22 I already have that file, so I need to specify the overwrite of
00:07:47:01 - 00:07:53:26 the command. So.
00:07:58:13 - 00:07:59:08 There we go. Oh.
00:07:59:08 - 00:08:00:21 Nope. That's still not right.
00:08:00:21 - 00:08:03:21 So now it's resolving the profile and writing that file,
00:08:03:22 - 00:08:04:12 which it's done.
00:08:04:12 - 00:08:08:26 So now I can show you the resolved profile
00:08:11:12 - 00:08:12:22 in JSON format.
00:08:12:22 - 00:08:16:12 So that's the first few lines of the resolved profile.
00:08:16:12 - 00:08:19:19 I can take that profile and convert it.
00:08:19:24 - 00:08:23:08 And this command will convert the file to XML.
00:08:23:19 - 00:08:28:12 Now it generated the XML version of that resolved profile.
00:08:28:15 - 00:08:31:27 So this shows you how quick and easy this tool will allow
00:08:31:27 - 00:08:35:03 you to move between OSCAL content formats.
00:08:35:05 - 00:08:37:02 That concludes my short demo.
00:08:37:02 - 00:08:42:05 This is just a start of some capabilities that we intend to include in this
00:08:42:05 - 00:08:46:03 tool over time. We'd like to continue to add features to it.
00:08:46:03 - 00:08:49:17 One of the next things that we'd like to start looking at is adding
00:08:49:17 - 00:08:54:26 functionality to take OSCAL content and generate HTML or PDF documents
00:08:54:26 - 00:08:58:23 out of the OSCAL content using a customizable template.
00:08:58:23 - 00:09:02:09 We've got some existing XSLT-based tooling
00:09:02:14 - 00:09:05:25 that we're currently using to do things like generate PDFs
00:09:05:25 - 00:09:10:04 and Excel spreadsheets and things like that for the 800-53 project.
00:09:10:06 - 00:09:14:03 One of the things that we want to work on next is generalizing that so that we can
00:09:14:03 - 00:09:17:16 integrate that into some of this tooling for more general use.
00:09:17:22 - 00:09:18:17 That'll be a feature
00:09:18:17 - 00:09:22:12 that should hopefully be coming in months as we continue to make progress on that.
00:09:22:12 - 00:09:23:18 So we also have a variety
00:09:23:18 - 00:09:27:10 of other additional tools that I don't have time to demo today,
00:09:27:14 - 00:09:29:04 but I'd like to touch on them a little bit.
00:09:29:04 - 00:09:33:16 One area of tooling that we've invested pretty heavily in is around our
00:09:33:18 - 00:09:37:13 continuous integration / continuous deployment environment, which we use in
00:09:37:13 - 00:09:41:15 both the main OSCAL repo as well as in the OSCAL content repo.
00:09:41:15 - 00:09:45:14 This CI/CD environment supports a variety of operations.
00:09:45:16 - 00:09:49:19 It allows us to take the source metaschemas for defining models
00:09:49:23 - 00:09:55:12 and generate XML and JSON schemas. All of this happens automatically as we
00:09:55:14 - 00:09:59:06 merge pull requests into develop or main, and
00:09:59:06 - 00:10:02:09 this type of automation saves us a ton of time.
00:10:02:09 - 00:10:05:23 We also have similar functionality that exists out on the OSCAL
00:10:05:23 - 00:10:09:21 content site, which does things like automatically convert content
00:10:09:21 - 00:10:13:28 that we offer in one format to all of the other corresponding formats.
00:10:14:04 - 00:10:17:23 And this also saves us a bunch of time because we don't have to manually convert
00:10:17:23 - 00:10:19:13 every file that we touch.
00:10:19:13 - 00:10:23:18 Technically the CI/CD is capable of being run in any repo.
00:10:23:18 - 00:10:26:22 Another tool that we offer is the OSCAL Diff tool.
00:10:26:29 - 00:10:28:29 This tool, that is maintained by Nikita
00:10:28:29 - 00:10:32:24 Wooten, provides context-sensitive differencing capabilities.
00:10:32:29 - 00:10:36:16 If you're comparing a couple of pieces of content, sometimes doing
00:10:36:16 - 00:10:38:22 just a simple difference over the document
00:10:38:22 - 00:10:39:27 is not sufficient.
00:10:39:27 - 00:10:42:26 Content may be moved from one section
00:10:42:26 - 00:10:45:26 of the document to another section of the document.
00:10:45:28 - 00:10:50:16 This was a problem that we ran into when comparing 800-53 Rev
00:10:50:16 - 00:10:55:06 4 and 5. Control content was merged with other controls,
00:10:55:09 - 00:10:56:19 some was withdrawn,
00:10:56:19 - 00:11:00:26 and some was created, broken out as additional control enhancements.
00:11:00:29 - 00:11:04:25 And we had a really difficult time tracing the movement of content
00:11:04:25 - 00:11:05:27 through the document.
00:11:05:27 - 00:11:09:19 To try to provide a better way of understanding the changes in
00:11:09:19 - 00:11:11:27 that type of underlying OSCAL content,
00:11:11:27 - 00:11:15:11 such as the 800-53 catalog, we built this Deep Diff tool.
00:11:15:11 - 00:11:19:08 It allows you to effectively configure how the tool does its comparison.
00:11:19:08 - 00:11:23:19 So it allows you to do things like ignore certain elements that are irrelevant
00:11:23:19 - 00:11:28:11 for comparison, or identify specific fields that should be used
00:11:28:11 - 00:11:30:23 more strongly. If this type of differencing
00:11:30:23 - 00:11:32:07 is something that you're interested
00:11:32:07 - 00:11:35:18 in, I would encourage you to go out and look at the OSCAL Deep Diff.
00:11:35:24 - 00:11:40:06 Another area that we have quite a bit of tooling around is in XSLT.
00:11:40:07 - 00:11:44:07 If you go out to the pages.nist.gov/usnistgov
00:11:44:08 - 00:11:49:09 /oscal-tools site, there's a variety of different XSLT
00:11:49:09 - 00:11:53:18 demos. You'll also be able to find another tool that we call OSCAL-Cat,
00:11:53:21 - 00:11:56:15 which Dmitry will be demoing in a quick moment.
00:11:56:15 - 00:12:00:16 We also have a variety of programming APIs that are currently in work.
00:12:00:16 - 00:12:02:05 In addition to the Java
00:12:02:05 - 00:12:06:19 API and OSCAL CLI tool that I showed you earlier, we're also working
00:12:06:21 - 00:12:11:11 on C# and TypeScript NodeJS APIs. These are projects
00:12:11:11 - 00:12:15:10 that are kind of in their early inception phase, building out some of the,
00:12:15:22 - 00:12:20:05 like, really basic capabilities right now. The hope is over time they'll be able
00:12:20:05 - 00:12:25:01 to provide similar kinds of features the Java APIs currently provide.
00:12:25:09 - 00:12:28:06 Before I hand off to Dmitry, I just wanted to
00:12:28:06 - 00:12:30:15 let you know how you can contribute to these efforts.
00:12:30:15 - 00:12:34:22 So like all of OSCAL, our open source tooling is intended
00:12:34:22 - 00:12:36:19 to be a community-driven effort.
00:12:36:19 - 00:12:40:22 Participation can directly impact both the success of the project
00:12:40:24 - 00:12:43:13 as well as OSCAL's larger success.
00:12:43:13 - 00:12:45:28 There's a few ways that you can contribute to these tools.
00:12:45:28 - 00:12:48:29 You can integrate support for OSCAL in your tools using
00:12:48:29 - 00:12:50:24 some of these open source projects.
00:12:50:24 - 00:12:55:25 Your feedback on the existing tooling that we have is absolutely critical.
00:12:55:25 - 00:12:59:25 We also are interested in hearing from you around what other types of tooling
00:12:59:25 - 00:13:01:04 you would like to see. We don't
00:13:01:04 - 00:13:04:05 have a huge amount of bandwidth to build a lot of tooling,
00:13:04:05 - 00:13:08:01 but if you have good ideas on some commodity tooling that could be used
00:13:08:01 - 00:13:10:06 by a wide swath of the community,
00:13:10:06 - 00:13:13:02 it might be something that we would be interested in building.
00:13:13:02 - 00:13:16:17 As always, you can contribute to the development of any of these tools,
00:13:16:20 - 00:13:18:17 since they're out there open source.
00:13:18:17 - 00:13:21:19 If you're interested in coordinating with any of the devs,
00:13:21:19 - 00:13:23:24 you can reach out to us. I wanted to highlight
00:13:23:24 - 00:13:25:23 that we also have an OSCAL Tools page,
00:13:25:23 - 00:13:28:26 which lists many of these tools as well as community tools.
00:13:28:26 - 00:13:32:23 Tools on that page are not endorsed by NIST. Dmitry, are you ready?
00:13:33:09 - 00:13:37:00 I'm Dmitry Cousin. So I'll be presenting an Open Security Assessment
00:13:37:00 - 00:13:40:27 Language catalog authoring tool, which we for short call OSCAL-Cat.
00:13:41:05 - 00:13:43:29 And what OSCAL-Cat is supposed
00:13:43:29 - 00:13:46:29 to do is it's supposed to take a catalog model.
00:13:47:09 - 00:13:48:28 One of the instances will be catalogs.
00:13:48:28 - 00:13:50:28 At the moment that's only one, and build,
00:13:50:28 - 00:13:54:26 allow the user to build a profile. And the further idea
00:13:54:26 - 00:13:58:05 was that it's supposed to generate what's called a profile,
00:13:58:05 - 00:14:02:05 and then, as marked here TBD, to resolve profiles into catalogs.
00:14:02:05 - 00:14:06:16 So out of the whole hierarchy of the OSCAL objects, OSCAL-Cat operates
00:14:06:16 - 00:14:09:25 only on the OSCAL catalog model and also profile models.
00:14:09:27 - 00:14:15:00 Currently Cat does not have some things which would make it considerably
00:14:15:10 - 00:14:19:07 production ready, but for professional users it's still usable.
00:14:19:11 - 00:14:21:14 It doesn't have some user protection.
00:14:21:14 - 00:14:22:21 It doesn't ask questions,
00:14:22:21 - 00:14:26:08 "Are you sure you want to do this?" when you can kill something critical.
00:14:26:10 - 00:14:28:20 It doesn't yet work with multiple catalogs.
00:14:28:20 - 00:14:31:21 So it's the work for the future, because we have to figure out
00:14:31:21 - 00:14:35:02 how to work with multiple catalogs in terms of profiles properly.
00:14:35:05 - 00:14:40:00 It's not yet ready to add new controls which do not exist in the profile,
00:14:40:00 - 00:14:42:17 but it has all the tooling necessary for that.
00:14:42:17 - 00:14:44:26 Basically the control, right,
00:14:44:26 - 00:14:48:01 it's an object in TypeScript, so it's not a problem.
00:14:48:03 - 00:14:50:24 It doesn't have, at the moment, a way to remove it.
00:14:50:24 - 00:14:53:19 It had a screen for back matter editing, but
00:14:53:19 - 00:14:56:19 very few people actually wanted to deal with that yet.
00:14:56:20 - 00:15:00:19 It doesn't have all these currently not yet available features.
00:15:00:24 - 00:15:03:27 The tool itself is made in Ionic and Angular;
00:15:04:06 - 00:15:06:10 if you're curious, versions are listed here.
00:15:06:10 - 00:15:11:20 Cat code mainly consists of TypeScript, HTML, CSS, Sass and JSON.
00:15:11:26 - 00:15:13:20 I was also using QuickType.
00:15:13:20 - 00:15:18:15 And at the moment QuickType is used as a library only in the CI/CD pipeline
00:15:18:17 - 00:15:21:17 to remove the dependency from the code deployment.
00:15:21:17 - 00:15:25:25 But if you want to locally generate types, you might want to use the tool.
00:15:25:25 - 00:15:29:02 And I saw Zach asking if there are TypeScript available,
00:15:29:02 - 00:15:32:02 entity catalogs for OSCAL objects.
00:15:32:04 - 00:15:35:27 I'm using QuickType also to generate every single entity
00:15:35:27 - 00:15:39:18 as interfaces for TypeScript, and it allows you to generate
00:15:39:18 - 00:15:43:16 most TypeScript interfaces, every single object, from the JSON schema,
00:15:43:24 - 00:15:49:01 and then allows you to recast the objects back into JSON,
00:15:49:01 - 00:15:50:01 if you want to.
00:15:50:01 - 00:15:51:16 So it's quite handy.
00:15:51:16 - 00:15:54:29 There was also a question about validation, validation on the human level.
00:15:54:29 - 00:15:58:29 For instance dynamic relationships, that is not done by this tool either.
00:15:59:12 - 00:16:01:04 But I'm using Ajv
00:16:01:04 - 00:16:03:05 to validate downloaded entities.
00:16:03:05 - 00:16:07:08 As of the latest version, all the entities are actually pulled out
00:16:07:08 - 00:16:11:28 from GitHub storage of the catalogs and GitHub storage of the schemas by
00:16:12:12 - 00:16:13:15 a few shell scripts,
00:16:13:15 - 00:16:16:26 because I'm developing on a Mac, they're all based on that.
00:16:16:26 - 00:16:19:01 So that's basically the whole thing.
00:16:19:01 - 00:16:22:00 Ionic Angular is not a bad tool, because it allows you
00:16:22:00 - 00:16:25:09 to compile the same source code for multiple platforms.
00:16:25:09 - 00:16:28:28 You can make a desktop application using the Electron compiler.
00:16:28:29 - 00:16:33:07 You can make iOS and Android applications. But at the moment
00:16:33:12 - 00:16:36:17 we are targeting mainly the web application,
00:16:36:20 - 00:16:42:06 and we rely upon internet availability of the schema files and profile,
00:16:42:09 - 00:16:43:26 catalogs, baselines
00:16:43:26 - 00:16:47:22 and resolved baselines. In the case the internet connection does not work,
00:16:47:22 - 00:16:49:01 the application hosts
00:16:49:01 - 00:16:53:13 its local copies of those files and silently falls back to the local files
00:16:53:13 - 00:16:57:20 if the internet download was not successful. Every downloaded file
00:16:57:28 - 00:17:01:26 also, at the application run stage, gets validation to make sure that the
00:17:01:26 - 00:17:06:01 catalogs pulled over the internet are actually valid catalogs.
00:17:06:04 - 00:17:07:11 The source will become open.
00:17:07:11 - 00:17:11:07 I'm not sure if the repository is already open or will become open
00:17:11:07 - 00:17:15:07 whenever we consider the project is ready. It used to be a private repository.
00:17:15:07 - 00:17:17:21 I'm not sure, because NIST has special procedures.
00:17:17:22 - 00:17:21:02 Now I'll show a few screenshots, because
00:17:21:17 - 00:17:23:11 you start with the tool
00:17:23:11 - 00:17:26:09 or with authoring mode, and you have options to pick up
00:17:26:09 - 00:17:30:25 two catalogs which are available at our GitHub, Revision 4, Revision 5.
00:17:30:25 - 00:17:33:04 In this screen you can see below, in the bigger
00:17:33:04 - 00:17:36:08 red frame, profiles I was working on before,
00:17:36:08 - 00:17:39:14 and it tells in the title what they were derived from,
00:17:39:20 - 00:17:43:16 which revision of the catalog. The authoring mode also has,
00:17:43:16 - 00:17:48:04 because it downloads the catalogs after a certain timeout,
00:17:48:04 - 00:17:50:29 which is currently set up at eight hours by default.
00:17:50:29 - 00:17:53:02 But I also added settings
00:17:53:02 - 00:17:55:28 because I was annoyed that I couldn't test this stuff.
00:17:55:28 - 00:17:58:12 Let's say we have this application running for it.
00:17:58:12 - 00:18:00:06 That was to shorten the timeout.
00:18:00:06 - 00:18:03:20 So when the catalog becomes stale, the application warns you,
00:18:03:21 - 00:18:07:03 when you select a particular type of the catalog, that you did not
00:18:07:04 - 00:18:11:09 refresh the files from the internet or from the OSCAL storage.
00:18:11:12 - 00:18:15:17 So catalog baselines and profile baselines,
00:18:15:19 - 00:18:19:06 low, moderate and high for Revision 4, or low,
00:18:19:06 - 00:18:25:07 moderate, high and privacy baselines, also can be refreshed using this interface.
00:18:25:13 - 00:18:29:05 So metadata information has validation for the mandatory fields.
00:18:29:12 - 00:18:30:17 If you don't fill them up,
00:18:30:17 - 00:18:34:19 it highlights them with red; that's pretty much typical web UI.
00:18:34:19 - 00:18:38:23 So when you fill them in, it shows the validation has passed for the field
00:18:38:23 - 00:18:39:19 while you're in.
00:18:39:19 - 00:18:43:25 If you're out of the field, it just turns regular without special highlights.
00:18:44:01 - 00:18:47:03 Currently the regroup controls, because we're in the process
00:18:47:03 - 00:18:50:11 of making drag and drop additions to the tool,
00:18:50:15 - 00:18:54:15 but to select controls I added, and this is new, baseline.
00:18:54:18 - 00:18:57:25 So it has options of mark all baselines, which basically creates
00:18:57:25 - 00:19:02:01 these highlights to show control belonging to a particular baseline.
00:19:02:01 - 00:19:04:23 So right now we're seeing the Revision 5 catalog.
00:19:04:23 - 00:19:07:27 Actually, in this particular time the application I was making
00:19:07:27 - 00:19:10:27 screenshots from had some circular reference,
00:19:10:29 - 00:19:14:09 so it does not pull data properly from the session.
00:19:14:11 - 00:19:16:03 It highlighted every single baseline
00:19:16:03 - 00:19:19:26 present in this particular catalog type, which is Revision 5.
00:19:19:27 - 00:19:22:02 It also has an option to project baseline.
00:19:22:02 - 00:19:24:05 So basically when you have all the controls present
00:19:24:05 - 00:19:28:18 in a particular version of the catalog, you have the option to project baseline,
00:19:28:18 - 00:19:32:16 and you can pick up whichever baseline you want to pre-check.
00:19:32:18 - 00:19:36:09 After you click the Project Baseline button, it basically puts the check
00:19:36:09 - 00:19:39:25 marks on every single control which belongs to the baseline.
00:19:40:18 - 00:19:45:08 Also you have the option to tailor baseline, which means you cut out
00:19:45:10 - 00:19:47:25 only controls which belong to the baseline,
00:19:47:25 - 00:19:50:28 and you end up with the effectively resolved profile.
00:19:50:28 - 00:19:52:07 But for project baseline,
00:19:52:07 - 00:19:56:07 when you select, let's say, high baseline and project baseline,
00:19:56:07 - 00:19:59:28 it selects controls which belong to the baseline with the check mark.
00:20:00:04 - 00:20:05:09 Basically it allows you to jump faster, because personally I was annoyed
00:20:05:09 - 00:20:08:20 for a while that I have to go and select things by hand.
00:20:08:20 - 00:20:13:00 And I was thinking, okay, I have baselines already anyways, so why can't I do it?
00:20:13:00 - 00:20:14:04 I decided to add the feature.
00:20:14:04 - 00:20:17:06 So after you select the controls, you operate
00:20:17:06 - 00:20:20:13 only on the subset of the controls you selected, and I'll show you
00:20:20:13 - 00:20:23:13 later on the structures in the profile entity,
00:20:23:16 - 00:20:27:08 how it maps to the particular subsections of the profile.
00:20:27:08 - 00:20:30:07 So when you select them, you can modify controls
00:20:30:07 - 00:20:31:12 using the modify buttons.
00:20:31:12 - 00:20:34:03 I didn't show the group controls because at the moment
00:20:34:03 - 00:20:35:09 it's work in progress.
00:20:35:09 - 00:20:39:15 After you're done with all the tailoring you wanted to do
00:20:39:15 - 00:20:42:28 on the particular draft of the profile, you have choices to either
00:20:42:28 - 00:20:47:05 save your workspace and progress, and it allows you to make a snapshot
00:20:47:05 - 00:20:51:22 of what you've done, of metadata, of the selection of the controls, of the
00:20:51:24 - 00:20:55:09 edited controls, basically all the work in progress, and drops it within the session.
00:20:55:09 - 00:20:58:15 So later on you can start already from the place
00:20:58:21 - 00:21:00:09 which you already worked on.
00:21:00:09 - 00:21:03:20 Unfortunately, because it's stored in the application
00:21:03:20 - 00:21:05:15 space, it's a web application,
00:21:05:15 - 00:21:08:15 and besides storing cookies there is not much place
00:21:08:19 - 00:21:11:15 I can persist things, because I cannot write back to the server
00:21:11:15 - 00:21:14:19 without having an actual web server and app server behind it.
00:21:14:22 - 00:21:17:28 There is also an option to save the whole workspace
00:21:17:28 - 00:21:21:28 locally, in case somebody decides to clean up browser space
00:21:21:28 - 00:21:26:08 and so on, you at least would be able in the future to upload the file with
00:21:26:08 - 00:21:30:25 the current state of your edited things and hopefully resume your work further.
00:21:31:04 - 00:21:33:27 The right red square highlighted allows you
00:21:33:27 - 00:21:37:20 to save the actual profile file on your disk locally,
00:21:37:24 - 00:21:41:09 or you can drop it, still enough space, already composed profile.
00:21:41:09 - 00:21:45:14 While making the presentation and playing with the authoring mode staleness of
00:21:45:26 - 00:21:49:25 particular objects which are downloaded from the internet, like catalogs,
00:21:49:25 - 00:21:53:26 profiles, baselines and so on, I decided to share the settings screen.
00:21:53:29 - 00:21:55:26 It's literally app settings.
00:21:55:26 - 00:21:58:26 They are also living right now in the store.
00:21:58:28 - 00:22:00:17 I tried to save them in cookies before, at first.
00:22:00:17 - 00:22:02:21 But cookies are much more fragile than the store.
00:22:02:21 - 00:22:06:17 So I ended up with the store, and I added this very scary button to clear the
00:22:06:17 - 00:22:08:28 state store, because when I'm debugging things,
00:22:08:28 - 00:22:11:00 sometimes I need to clean the state store,
00:22:11:00 - 00:22:12:25 and it's easier to have the button for it.
00:22:12:25 - 00:22:15:27 So just a new thing as well which I added recently.
00:22:16:00 - 00:22:17:11 Right now in the application,
00:22:17:11 - 00:22:21:16 I saved the expiration interval and made it only nine thousandths
00:22:21:16 - 00:22:25:20 of an hour, which is like a few seconds. So the original envisioned features of
00:22:25:22 - 00:22:30:08 OSCAL-Cat were: today a catalog, which has a really simple structure
00:22:30:08 - 00:22:33:14 from the outside unless you want to go into the details inside
00:22:33:14 - 00:22:37:01 of the controls and groups; you should be able to fill out a profile.
00:22:37:05 - 00:22:41:17 Then once you have a profile, we were thinking you use some future tools
00:22:41:17 - 00:22:46:00 which will allow you to pick up a JSON object, which OSCAL-Cat was the proof
00:22:46:00 - 00:22:50:01 of concept to show that most code can be worked on using pure JSON.
00:22:50:03 - 00:22:53:12 But at the moment we don't know about any future JSON tools
00:22:53:16 - 00:22:56:11 which allow you to resolve a profile expressed in JSON.
00:22:56:11 - 00:23:00:07 So it looks like we'll end up taking JSON profile converting it to XML, 00:23:00:07 - 00:23:04:17 and then using the Saxon conversion it's to resolve also what is a result profile. 00:23:04:17 - 00:23:07:05 So basically you build profile which tells you transformations. 00:23:07:05 - 00:23:09:06 You're applying to your original catalog. 00:23:09:06 - 00:23:12:06 profile contains essentially three important parts. 00:23:12:10 - 00:23:14:15 One is imports which tells you which controls 00:23:14:15 - 00:23:17:22 you want to pull in or which controls you want to exclude. 00:23:17:22 - 00:23:21:13 You have option to let's say include all and then exclude particular one. 00:23:21:13 - 00:23:24:13 So basically you're tailoring then it has modifications. 00:23:24:19 - 00:23:27:19 so when you modify controls modify parameters, 00:23:28:01 - 00:23:31:27 modifications list will contain modifications you're doing 00:23:32:13 - 00:23:35:28 and then merge will describe how the modifications will be applied 00:23:35:28 - 00:23:39:12 to the controls which will include also regrouping and so on. 00:23:39:15 - 00:23:41:28 So plans for features and enhancements. 00:23:41:28 - 00:23:45:26 Once we started developing the simple tool there was wish list was growing. 00:23:45:26 - 00:23:49:10 At the moment they have 18 items written on a piece of paper. 00:23:49:10 - 00:23:52:04 But I think the most commonly discussed ones. 00:23:52:04 - 00:23:53:15 So of course I'm going. 00:23:53:15 - 00:23:57:07 We're going to fix the bugs which was try to make application faster, 00:23:57:07 - 00:24:00:12 or at least make it feel faster with the asynchronous loads and so on.
00:24:00:12 - 00:24:04:06 optimizing memory footprint out of the browser because sometimes 00:24:04:06 - 00:24:08:17 I noticed that when you work with a lot of objects and immediately 00:24:08:17 - 00:24:11:28 pull out like all four baselines resolve baselines, 00:24:11:28 - 00:24:14:27 which are pretty big objects catalogs and so on. 00:24:14:27 - 00:24:20:01 And from the future things were finding acceptable plugins for markdown editing 00:24:20:01 - 00:24:25:07 and rendering allow editing of the prose for the controls make it easier. 00:24:25:07 - 00:24:28:11 At the moment the editing looks not for you. 00:24:28:15 - 00:24:29:19 for a grouping controls, 00:24:29:19 - 00:24:32:25 we are planning to drag and drop to make it simpler at the moment. 00:24:32:28 - 00:24:36:19 The last working version had dropdowns and it's not as user friendly 00:24:36:19 - 00:24:37:27 we want to add possibility 00:24:37:27 - 00:24:41:29 to start with an empty account and build from scratch everything. 00:24:41:29 - 00:24:43:21 So basically you start with an empty object 00:24:43:21 - 00:24:46:05 because interfaces are they are using QuickType. 00:24:46:05 - 00:24:47:26 So it doesn't matter whether you start 00:24:47:26 - 00:24:51:18 with the full catalog or with an empty one and just go and add. 00:24:51:18 - 00:24:54:06 But at the moment there is no UI to add. 00:24:54:06 - 00:24:55:22 It's only UI to select. 00:24:55:22 - 00:24:59:14 So that probably will result in the development of some other screens 00:24:59:18 - 00:25:04:12 and UI plugins and resolution of the profile probably 00:25:04:12 - 00:25:07:15 will have to go through the path of Saxon then JSON through XML 00:25:07:15 - 00:25:11:23 and the conversion to JSON of XML resolve profile. 00:25:11:23 - 00:25:16:11 and we add this discussing this option of uploading.
00:25:16:11 - 00:25:19:17 you picked up the catalog you built up your profile, 00:25:19:23 - 00:25:23:05 you downloaded your profile but then you used external tooling. 00:25:23:05 - 00:25:26:06 Or in the future you use our tooling to resolve profiles. 00:25:26:06 - 00:25:29:09 Basically you have full catalog all you have right now 00:25:29:09 - 00:25:32:11 in the UI is the original catalogs of revision 5 revision four. 00:25:32:11 - 00:25:34:03 you have already catalog 00:25:34:03 - 00:25:37:23 or resource profile which is the catalog you would like to use at the moment. 00:25:37:23 - 00:25:42:23 Because I'm downloading all the catalogs from online it's 00:25:42:23 - 00:25:47:03 not difficult to let user to actually upload their own profile, 00:25:47:06 - 00:25:50:29 results profile which is catalog and start profile with it. 00:25:51:05 - 00:25:55:25 It just we have to strictly verify the result profile complies to the schema, 00:25:55:25 - 00:25:56:26 and that's all. 00:25:56:26 - 00:26:00:11 basically all uploads of the profiles and there's all in profiles 00:26:00:12 - 00:26:04:06 validation and everything should be able to that's another feature. 00:26:04:06 - 00:26:06:13 I'll demonstrate a little bit of the application. 00:26:06:13 - 00:26:09:01 So I left this application running overnight. 00:26:09:01 - 00:26:13:15 So the timeout because there are now the moment you can see that 00:26:13:15 - 00:26:17:04 they selected it doesn't matter which one I select I select let's say revision 4. 00:26:17:07 - 00:26:21:01 And it prompts me right now immediately saying to refresh selected. 00:26:21:03 - 00:26:26:01 So if I select catalog baselines low moderate and high. 00:26:26:17 - 00:26:31:20 So I refresh basically catalog object baselines all the baselines together. 00:26:31:20 - 00:26:32:27 So this checkbox 00:26:32:27 - 00:26:36:16 basically opens the baselines applicable to this particular type of catalog. 
00:26:36:16 - 00:26:38:09 When I refresh it stops scoping. 00:26:38:09 - 00:26:41:07 But I didn't refresh revision five. So it again 00:26:43:03 - 00:26:46:10 I can again select everything under refresh. 00:26:46:22 - 00:26:49:13 I selected Revision five 00:26:49:13 - 00:26:50:17 and go ahead. 00:26:50:17 - 00:26:53:17 And it tells me here that I selected the revision 5 00:26:53:26 - 00:26:57:08 for the demo purposes I have but then actually in the settings 00:26:57:15 - 00:27:01:04 when I will show showing new screenshots I have the checkbox box for the demos 00:27:01:04 - 00:27:05:01 enables also two default roles which are defined 00:27:05:01 - 00:27:09:11 inside of specification of the 253 but it's not defined in the catalog. 00:27:09:14 - 00:27:12:15 so I add this by default and I edit the few users, 00:27:12:15 - 00:27:16:21 so I don't need to actually type by hand and said the time on the presentation. 00:27:16:21 - 00:27:20:03 So I add the responsible party let's say font and text to tell them 00:27:20:03 - 00:27:23:07 if you see the responsible party. 00:27:23:07 - 00:27:25:18 So responsible parties show up here. 00:27:25:18 - 00:27:28:18 not this awful but still you can add delete and so on. 00:27:28:20 - 00:27:31:05 I will not edit the rest of the things. 00:27:31:05 - 00:27:32:24 So that's the longest operation, 00:27:32:24 - 00:27:35:24 which I will say and where optimizing the time of the load. 00:27:36:02 - 00:27:38:19 I probably will be forced. 00:27:38:19 - 00:27:41:19 To add some asynchronous things. 00:27:41:26 - 00:27:44:26 So at the moment this is developers branch. 00:27:45:01 - 00:27:49:05 I have some circular reference which is really annoying things to debug. 00:27:49:05 - 00:27:52:00 And that's great when we have circular references. 
00:27:52:00 - 00:27:53:23 I mean for today's function it, 00:27:53:23 - 00:27:57:18 made this table just for the demo So when I say mark baselines it's 00:27:57:26 - 00:28:01:08 at the moment because session has circular reference. 00:28:01:08 - 00:28:03:29 It marked all the baselines are in existence 00:28:03:29 - 00:28:07:07 this controls are not completely mandatory into training rights 00:28:07:11 - 00:28:09:28 for all the baselines but they're all marked because of the way 00:28:09:28 - 00:28:12:17 the session is a circle of reference and does not work. 00:28:12:17 - 00:28:16:15 So it's basically all the same features as they demonstrated before 00:28:16:18 - 00:28:17:26 with the static snapshots. 00:28:17:26 - 00:28:20:14 So let's say I'm selecting some small. 00:28:20:14 - 00:28:21:21 That's what I was talking about. 00:28:21:21 - 00:28:24:04 It becomes really really small okay. 00:28:24:04 - 00:28:26:23 So basically I'm selecting controls. 00:28:26:23 - 00:28:31:12 And okay But in the end when you select when you added the controls, 00:28:31:15 - 00:28:35:05 you basically go to the download file. And. 00:28:35:10 - 00:28:38:29 That's what happens when you leave application running for eight hours. 00:28:39:06 - 00:28:44:16 So just one last comment, the JSON result profiles are coming from NIST 00:28:44:16 - 00:28:48:24 Actual scope content dynamically right now the QuickType we're using, 00:28:48:24 - 00:28:52:29 for resolving interfaces we use schemas for validate and agent, 00:28:53:13 - 00:28:56:18 and everything is pulled in dynamically by the application over time. 00:28:56:18 - 00:29:01:23 You started and also which repository is this hub uses the double scope here, 00:29:01:23 - 00:29:05:03 but then not hundred percent sure if it's already published public or not. 00:29:05:03 - 00:29:08:04 And this was an illustration when we talked about profiles. 00:29:08:08 - 00:29:10:01 Okay if you have any questions.
00:29:10:01 - 00:29:13:12 Please let me know there is the information or contact us. 00:29:13:14 - 00:29:14:06 Thank you very much.