00:00:01:02 - 00:01:21:05 So, thank you so much for coming to the FPKI OSCAL deep dive. With regard to our agenda, first, I want to introduce the communities to each other. I want my friends in the federal PKI to learn about OSCAL, and I would like my friends from the OSCAL community to understand what the federal PKI is and how it operates. I'd like to talk about how to apply OSCAL in the context of FPKI, then talk about the benefits of adopting OSCAL in FPKI, why we would want to apply OSCAL to FPKI. Then we want next steps, so I will identify what I see as the next steps that might be interesting to us as two communities to capture the benefits that we think may be available. But I have to start with a disclaimer. I am not here officially representing federal PKI. I'm just a friend of OSCAL and FPKI who likes to solve problems. So nothing that I say should be seen as an official pronouncement by Fed PKI or by the community or by GSA. So, all right. Without further ado, let's introduce OSCAL to the federal community. What is OSCAL? So OSCAL is a technical specification developed by NIST to represent information about security controls, components that implement security controls, and security assessments that validate security controls.
00:01:21:05 - 00:02:43:21 It's important also to start by explaining what OSCAL is not. OSCAL is not a tool. You can't download OSCAL. There's no interface, although there are many tools that do support the OSCAL specification. OSCAL is not an API. There are, of course, APIs available and tools, and there is even a proposed standard for a REST API for OSCAL, but OSCAL itself is not an API. And finally, it is not a documentation format for humans. It's not a replacement for existing specifications of how to describe requirements. It's not going to replace, if you're from the FPKI community, our beloved RFC 3647. What OSCAL really is, is a format that allows us to translate existing documents into a consistent, standardized and machine readable format. So OSCAL has been adopted by FedRAMP; they believe that there is significant benefit to automating and digitizing compliance packages. FedRAMP manages compliance for hundreds of services, and more are being added all the time. They chose OSCAL because they can reduce the time taken for reviews while improving quality, and they don't have to implement their own proprietary standard. There are three major parts to the OSCAL standard. First of all, we have to talk about controls. A control is simply a security requirement.
00:02:43:21 - 00:04:13:22 You can take a set of security requirements and assemble them into a catalog. The most famous catalog you probably are all aware of is 800-53. You can tailor a catalog using the profile specification. So if you know 800-53, you'll know that there are low, moderate, and high baselines. Each of those represents a subset of the controls from 800-53. A low, moderate, or high baseline would be a profile in OSCAL terms. So the catalog and the profile together represent the control layer in OSCAL. When we start to talk about implementation, we start with the concept of a component. A component is anything that can satisfy a security requirement. So it could be a system or a piece of software, but it could also be a person or a process or a building or a document: any entity that can satisfy any security requirement. A component definition is an OSCAL specification for defining how a component or a set of components addresses some set of security requirements. System owners can document how their components address security requirements, or software vendors who are releasing components can provide component definitions with their software so that their customers can more easily implement the security documentation that's required of them. A system security plan is information about how the set of components that create a running system
00:04:13:22 - 00:05:29:10 address the complete set of controls in the context of the profile that they're worried about. So if we take component definition and system security plan together, we get the implementation layer. We need someone to make sure the controls are operating the way they're intended to, and that begins with an assessment plan. An assessment plan talks about the scope of an assessment, how often it will be performed and the exact process the assessor will follow. When the assessment has been completed, an assessment result is produced, which is just a documentation of the outcome of the assessment. If the system owner has problems or findings from the assessment, they will have to produce a plan of action and milestones. So these three things, assessment plan, assessment result and plan of action and milestones, are the assessment layer of the OSCAL specification. In case anyone needs to print this slide out as a reference later, I've included the text, so it's there for you. So that's awesome. Hopefully my FPKI friends have been introduced to OSCAL, and now I would like to talk about FPKI. First of all, what is the federal PKI? The federal PKI is a network of certification authorities. Primarily we issue certificates to people. The most famous example would be the certificates that are on the PIV card.
00:05:29:12 - 00:06:41:00 But there are also a small number of device identity certificates that are issued from that network of certification authorities. This is a picture of what FPKI looks like today. It's a complicated diagram, but the main thing I want you to understand is that it's a very big network, and that the relationships are quite complex. Every circle you see here on this picture represents an independent certification authority. And each arrow going from one circle to another represents what we call a cross certificate. We'll go into more detail about that, but basically it is a certificate issued from one CA to another certification authority. Inside the bubble there's a system. The system is composed of a bunch of subcomponents. And you can see kind of a proposed high level architecture of a typical certification authority here. Some of the components are optional. But one important thing to notice here is that we have some idea of what the components are. In the 800-53 realm, you might be describing any sort of generic information system, and you might not know anything about what the components are. In this context, we're always talking about a certification authority. So that's the bubble. Now we need to talk about the arrow.
00:06:41:00 - 00:08:05:00 The cross certificate represents a trust relationship between two certificate authorities. The cross certificate itself represents technical trust and basically allows, for example, a Department of Defense system to accept a certificate issued by Veterans Affairs. That technical trust depends on what we might call organizational trust. The reason why that cross certificate exists is because the Department of Defense believes that Veterans Affairs follows some acceptable processes to issue and manage certificates: the infrastructure is at an appropriate level, the processes used to issue certificates, to revoke certificates, and all of the things you have to do when you issue and manage credentials. They believe that all those things are done properly, and that is the organizational trust that allows us to issue cross certificates. So as you can imagine, there's quite a lot involved in establishing organizational trust. But it can be broken down into two big categories: artifacts and processes. Artifacts are just documents. And the most important artifact is the certificate policy. The certificate policy is a set of security controls. It's a document that describes the requirements for operating a certification authority and issuing certificates. Each certification authority has to implement a document called a Certification Practices Statement.
00:08:05:03 - 00:09:21:18 This document, we call it a CPS, describes how an individual certification authority implements the requirements that are documented in a certificate policy. In some cases, an entity may not operate a certificate authority. They may leverage a third party certificate authority, but they may do their own certificate lifecycle management. In that case, they'll define a shorter document called a registration practices statement that just describes how they do registration. It's a description of practices that meet the requirements defined in a certificate policy. In terms of processes, one of the most important is the independent audit assessment. Every certification authority has to have an independent third party auditor come to their environment and validate that the infrastructure that they operate complies with the practices defined in their certification practice statement. So they'll describe a process here. The auditor actually goes to the infrastructure to verify that the processes are being followed as described. And periodically, because the federal PKI represents a network community, on an annual basis, every certification authority has to submit an annual review package.
00:09:21:20 - 00:10:39:19 There's an annual review process in which the federal PKI itself validates that the audit occurred and that the results were what we all expected, so that we can maintain a level of trust across an entire community. That artifact is the annual review package. And that is submitted by every certification authority in the federal PKI. Again, there's a lot of detail back here. We'll go through it a few more times, so hopefully everybody is not overwhelmed, because now we have to talk about both of those pieces. We've discussed OSCAL and we've talked about federal PKI. So now the question is, how would we go about applying the concept of OSCAL in the federal PKI environment? Starting with the FPKI and the certification authorities that are members of the FPKI, we can basically break them into three categories. There are shared service providers, there are independent certification authorities, and there are bridges. A bridge represents a group of certificate authorities that want to interact as a community with the federal PKI. It's important to understand that the same artifacts and processes are followed, adapted to each community's specific requirements. Shared service providers and certification authorities have infrastructure. It'll be people, processes, buildings, systems, servers, all of those things.
00:10:40:06 - 00:12:06:01 Bridges, because they represent a community, will have community members. These are each sets of certificate authorities that are underneath the bridge. Those elements are in place. The next layer to think about is the governance layer. Within the federal PKI, there is a federal PKI policy authority that is the entity that has overall responsibility for the federal PKI. It's composed of members of the federal PKI, and it maintains the organizational trust across the entire community. A shared service provider has a management layer, but primarily the interaction between the federal PKI and a shared service provider is via the auditor. An independent CA has their own independent policy authority, but they also have an auditor because everybody needs to do an annual review and everybody needs to submit an annual review package. And finally, a bridge will also have a policy authority and an auditor. Those are the elements. Now we can talk about the artifacts. We've already presented them, but I want to show you how they all fit into this picture. The most important artifacts are the certificate policies. And the federal PKI Policy Authority manages two: one that's called the common certificate policy, and one that's called the Federal Bridge Certificate Policy. A shared service provider will publish a Certification Practices Statement and a registration practices statement
00:12:06:07 - 00:13:32:22 if a customer of theirs performs registration and uses their certificate authority. An independent certification authority will have their own independent certificate policy. They'll also publish CPSs and RPSs. Finally, a bridge will maintain its own certificate policy, and the bridge members will publish whatever is required by the bridge's own governance structure. So we understand the participants and we understand the artifacts. Of course, trust is based on artifacts and processes. So we need to talk about the processes. We mentioned the audit, and that is very important. But there is another important process that we include as part of this overall governance structure. Because remember, a certification practice statement describes how an individual shared service provider or any kind of certification authority implements a set of requirements documented in a certificate policy. In the case of the shared service provider, the federal PKI policy authority itself will perform an analysis of that to verify that indeed the practices described in the CPS meet the intent of the policy. That's called a compliance analysis. And if a CPS meets the intent of the policy, it's referred to as compliant. It's a little bit different for entities that maintain their own certificate policies.
00:13:33:02 - 00:14:45:00 So for independent CAs or bridges, there is what's called a comparability analysis. In that case we basically look at the two policies side by side. We look at each requirement in each policy and we make an assessment. Is the requirement in this policy as strong as the requirement in another policy? That's called comparability analysis. And if the CPs are basically the same from a security perspective, we refer to them as comparable. The auditor will perform a compliance assessment of the infrastructure, and that will happen for all of the entities in this picture. A small wrinkle is that the auditor in an independent CA performs the compliance analysis, but that's not really important. The main thing is that that happens. And of course, bridges are a little bit different because they represent a community. But at least the policy authority will do the comparability analysis between all of the bridge members and the bridge itself. Now, the question is, how does all of that map to OSCAL? First of all, we have the concept of a set of security requirements. We have two terms for it. We can call it a catalog or a profile. So obviously a certificate policy can be represented by a catalog or a profile.
00:14:45:02 - 00:15:59:05 We also have a term for a document that describes how an individual system implements the requirements. That's called a system security plan. Very clearly we would map the CPS and RPS to the system security plan. There are a couple of structures in the OSCAL standard that aren't really discussed in detail in federal PKI, but are important. So for example, the component definition: every certificate authority has some infrastructure. They have people, processes, systems. So each of those things can have a component definition. And of course we mentioned the audit process. The auditor could rely on the OSCAL specification for system security assessment plans, security assessment results and plan of action and milestones. So you can see processes might be a little bit different in detail, and we have our own terminology for everything. The concepts of OSCAL can be applied very cleanly as an overlay to the federal PKI processes. There's one more important distinction. We had mentioned catalogs and profiles, and it's something that I think is very interesting in the context of federal PKI and could be very useful. Say on the left, the blue box might be the common policy.
00:15:59:05 - 00:17:17:17 It describes requirements for a whole bunch of different functions, all of the different functions that are identified in that architecture diagram. And it also defines requirements for a whole bunch of different types of certificates that might be issued by an individual shared service provider. Well, a shared service provider isn't necessarily going to implement all those functions, and they may not be interested in issuing all of the different types of certificates. So we can imagine a profile of the common policy that only contains the elements that are relevant for a shared service provider, only contains the types of certificates that that shared service provider is interested in issuing. Similarly, the registration practice statement can also be a tailored perspective, a tailored view of a common policy that's targeted toward those functions and those certificate types. We've talked about how OSCAL could support FPKI and we've shown that there's a basic alignment between the artifacts that we produce in support of the processes that we follow. But I want to talk about why Fed PKI should go to the trouble of adopting OSCAL. But before I do that, I have to make one note. The formula for a perfect technical presentation, the rule is, a perfect technical presentation has about 70% hard technical data.
00:17:17:27 - 00:18:42:14 20% of it is complaining about how everything is broken, and then the final 10% is totally irresponsible speculation about the future. But I would like to say that some of the details I present are going to be subject to change as we start talking about implementation; don't take all of this as gospel. So let's keep that footnote at the bottom. Some details are subject to change. Here's the view of the OSCAL participants. And you can see the federal PKI participants and artifacts at the bottom. We can overlay the OSCAL artifacts that we discussed. Remember that OSCAL is a machine readable representation. And of course, the benefit of using a machine readable representation is you can start to introduce tooling to help with development and management of all of these artifacts that you have to produce. So you can imagine tooling that can convert a CP or CPS to its equivalent OSCAL artifact: catalog, profile, or system security plan. You can imagine tooling that allows you to define how the individual components in your certification authority meet the requirements. Those component definitions can enhance your system security plan. The great part about that is, as the component definitions change, as the system configuration changes, the system security plan is automatically updated because it incorporates those component definitions.
00:18:42:14 - 00:19:58:04 We can imagine tooling that will allow us to compare independent policies, to do that comparability analysis. And of course, once we start using automation to compare structured representations, suddenly we have the possibility of tool assisted management, and tool assistance for the processes of comparability, not just development. You can imagine a tool that can take a system security plan, incorporating the requirements from the appropriate catalog or profile, and allow an auditor to do that comparison in a very structured way. Of course, that same tool, if it's being used by an auditor, can be used to generate the security assessment plan, security assessment results and the plan of action and milestones. And of course, then, if all of this automation is in place, then the production of the annual review package should just be somebody pressing an export button, and you get a nice package. But before I go into that part, I've already started talking about the benefits, but I really want to describe them in more detail. So for agencies, you can have a tool assist you in creation and management of those compliance artifacts that you have to produce. Once you've got them in place, you can have tool assisted compliance verification.
00:19:58:04 - 00:21:21:20 You have a tool that tells you that this particular part of your document is out of alignment with this, and that means that you have to fix these particular parts of your document, rather than you as a human going through the entire document and doing that analysis. This is a very important benefit. Remember, we're talking about OSCAL. And OSCAL is a generic framework to support machine readable representations of all sorts of different compliance requirements. No agency that operates a shared service provider is subject only to our policy requirements. Those same systems are almost certainly also subject to 800-53. And there's a very high likelihood that they're subject to a number of other security compliance regimes. The benefit of OSCAL is, once you define a component definition, you can use the same data to create compliance artifacts for any number of compliance regimes, as long as they have some kind of OSCAL representation. So we know 800-53 has it because OSCAL was developed originally for 800-53. If Fed PKI has it then you get that as well. And as other compliance regimes start implementing OSCAL, suddenly that same data that you're already collecting for purposes of this audit can be applied to these other compliance regimes. And that's a real time saver and a real labor saver for commercial partners.
00:21:21:24 - 00:22:40:15 You'll get the same benefits as the entities that are in FedRAMP, like Microsoft, Amazon. They can produce component definitions that describe their services, and they can give those to their customers. Their customers can then leverage those directly to produce compliance documentation. So it saves customers a lot of time, but also it saves the implementers a lot of time because you don't have to develop custom documentation for each of your customers. You have standard documentation that you can provide that can be converted into the appropriate documentation, depending on what that customer needs. For the whole community, we talked about standardized package submission. We can expect the effort and expense of validating annual review packages to decrease, because we have a lot of tooling to assist us in managing all these artifacts. It's not humans looking at different kinds of documents in different formats. We can turn around annual review submissions much more quickly. And then a human only has to look at the subset that's relevant in that particular year. And of course, I know there's a lot of interest in implementing things like artificial intelligence or machine learning. It'll be a journey for sure, but it'll be a much easier journey if we're starting with structured documents than if we feed ChatGPT or whatever
00:22:40:25 - 00:22:45:04 a whole bunch of unstructured data blobs representing 00:22:45:06 - 00:22:48:19 different representations of all of these artifacts. 00:22:48:29 - 00:22:53:16 Just to sum it up. Before: we've got a process that's time consuming. 00:22:53:21 - 00:22:56:15 It's very manual and somewhat error prone. 00:22:56:15 - 00:22:59:27 After: we've got an efficient process that's tool 00:22:59:27 - 00:23:03:01 assisted, not manual, and very predictable. 00:23:03:04 - 00:23:07:25 Before: we have a whole bunch of documents in a whole bunch of different formats. 00:23:08:07 - 00:23:11:25 Some of them have some defined structure, but a lot of them have 00:23:12:06 - 00:23:13:25 some undefined structure. 00:23:13:25 - 00:23:17:08 In the end, every single artifact has a standard 00:23:17:13 - 00:23:20:13 structured representation across the entire community. 00:23:20:18 - 00:23:25:20 Nowadays, compliance management is a pretty expensive process, 00:23:25:20 - 00:23:29:03 both for the agencies and for the community at large. 00:23:29:05 - 00:23:32:24 We expect that the automation and the standardization 00:23:32:24 - 00:23:35:24 will reduce the time, which reduces the cost, 00:23:36:00 - 00:23:39:29 which makes the entire process much less expensive for everybody. 00:23:40:07 - 00:23:40:21 Finally, 00:23:40:22 - 00:23:42:24 right now we do an annual review. 00:23:42:24 - 00:23:46:16 And really the reason we do an annual review is that, once a year... 00:23:46:19 - 00:23:49:23 If we can automate, if the turnaround becomes faster, 00:23:49:28 - 00:23:51:27 if we're not looking at so much documentation 00:23:51:27 - 00:23:54:27 and trying to identify the needles of change, 00:23:55:05 - 00:23:58:07 we could even imagine a situation where we have some sort 00:23:58:07 - 00:24:01:07 of continuous compliance within the community. 00:24:01:08 - 00:24:03:28 FPKI and OSCAL, I really think they go together like 00:24:03:28 - 00:24:04:29 chocolate and peanut butter.
00:24:04:29 - 00:24:06:26 I think it's a fantastic combination. 00:24:06:26 - 00:24:08:14 Next, now, 00:24:08:14 - 00:24:12:03 I hope you're all sold on the concept. What would actually have to happen? 00:24:12:17 - 00:24:16:03 Well, the good news is, OSCAL, in its current form, 00:24:16:03 - 00:24:20:13 can support FPKI policy without any change 00:24:20:16 - 00:24:24:04 to either the OSCAL standard or to any of the policies. 00:24:24:04 - 00:24:26:08 I'll show you an example. This is something I cooked up. 00:24:26:08 - 00:24:26:28 It's not official. 00:24:26:28 - 00:24:29:11 And remember the asterisk: this is a representation 00:24:29:11 - 00:24:32:18 of a certificate policy as an OSCAL catalog. 00:24:32:18 - 00:24:34:07 We took a subset of it. 00:24:34:07 - 00:24:37:20 We picked section three and applied all of the elements 00:24:37:20 - 00:24:40:28 of this to the OSCAL catalog specification. 00:24:40:28 - 00:24:45:13 And it seems to work. We can represent this fictional CPS 00:24:45:13 - 00:24:49:15 I made up as an OSCAL system security plan. The good news is 00:24:49:28 - 00:24:52:24 there are a couple of things that we could do even better 00:24:52:24 - 00:24:55:26 if we made some small, very selective changes. 00:24:56:03 - 00:25:01:08 First of all, the policy documents are presented almost like narrative text. 00:25:01:08 - 00:25:03:10 You read them, they've got chapter headings. 00:25:03:10 - 00:25:04:13 And you read it from beginning 00:25:04:13 - 00:25:08:10 to end, and it's very much designed for a human to look at and absorb. 00:25:08:12 - 00:25:11:28 Translating that unstructured text into a structured representation 00:25:12:02 - 00:25:15:14 is something that I think the community could do. 00:25:15:24 - 00:25:18:20 And it might be best if the community as a whole agreed 00:25:18:20 - 00:25:20:21 on what that structured representation looks like. 00:25:20:21 - 00:25:24:22 So we take the document and we break it into individual requirements.
00:25:25:00 - 00:25:26:06 There are components. 00:25:26:06 - 00:25:29:22 Remember I talked about the concept of catalogs and profiles. 00:25:29:22 - 00:25:33:13 So within the existing FPKI 00:25:33:14 - 00:25:36:29 policy documents, there are high-level components that are identified. 00:25:37:06 - 00:25:39:03 Of those high-level components, 00:25:39:03 - 00:25:42:28 which ones are really interesting to think about in the context of profiles? 00:25:43:23 - 00:25:45:13 One kind of stretch goal: 00:25:45:13 - 00:25:49:24 one of the great things that 800-53 does is to identify areas 00:25:49:24 - 00:25:54:16 where requirements have some flexibility, where we can parameterize them. 00:25:54:16 - 00:25:58:08 For example, the certificate policy has to be owned by a governing entity 00:25:58:12 - 00:25:59:07 called 00:25:59:07 - 00:26:01:01 "Certificate Authority, insert name here." 00:26:01:01 - 00:26:02:21 But there are some requirements where we know 00:26:02:21 - 00:26:04:00 people are going to plug in their own thing. 00:26:04:00 - 00:26:07:15 So it would be interesting for us to consider turning those into parameters. 00:26:07:27 - 00:26:09:28 There are also some open questions 00:26:09:28 - 00:26:13:08 that I've been discussing and presenting with the OSCAL team. 00:26:13:21 - 00:26:16:10 So one of those is: do we specify 00:26:16:10 - 00:26:19:06 the results of a comparability assessment? 00:26:19:06 - 00:26:19:22 Right now, 00:26:19:22 - 00:26:24:12 remember, we have a CP published by the Federal PKI Policy Authority. 00:26:24:18 - 00:26:29:02 We have a CP published by some independent certification authority. 00:26:29:10 - 00:26:34:05 And the Federal PKI Policy Authority does a comparability analysis 00:26:34:05 - 00:26:36:02 to make sure that all the requirements are the same. 00:26:36:02 - 00:26:39:22 That kind of policy comparison is not something that a lot of entities 00:26:39:22 - 00:26:40:28 have to do.
00:26:40:28 - 00:26:44:27 And so there's an open question: what's the most effective way to do it? 00:26:44:29 - 00:26:48:29 There is some work being done on GitHub; we're having a discussion 00:26:48:29 - 00:26:52:23 with the OSCAL community about the best way to represent the result 00:26:52:23 - 00:26:56:25 of that kind of assessment in OSCAL. The second element is, 00:26:56:27 - 00:27:02:06 remember, in the 800-53 world, we're talking about some generic information system. 00:27:02:06 - 00:27:03:24 We don't know very much about it. 00:27:03:24 - 00:27:06:08 It could be anything. In Federal PKI, 00:27:06:08 - 00:27:08:29 we know that we're talking about a certification authority. 00:27:08:29 - 00:27:14:05 So we really have a pretty good idea of what elements are inside that box. 00:27:14:12 - 00:27:17:23 We have a component definition, which is a fantastic way to describe that. 00:27:18:02 - 00:27:21:13 But the component definition is associated with the implementation layer. 00:27:21:13 - 00:27:22:22 And we're kind of trying to figure out 00:27:22:22 - 00:27:27:07 how you would associate a required component with the control 00:27:27:07 - 00:27:30:14 layer, associated with a catalog or maybe a profile. 00:27:31:06 - 00:27:33:18 So, this is my wish list. 00:27:33:18 - 00:27:34:12 First of all, 00:27:34:13 - 00:27:37:27 I've started talking with NIST, but it would be interesting for the community 00:27:37:27 - 00:27:40:28 as a whole to engage with NIST to validate 00:27:41:05 - 00:27:47:03 some proposed translation of Federal PKI policies into the OSCAL format. 00:27:47:03 - 00:27:48:12 The objective is 00:27:48:12 - 00:27:52:16 to try to make sure that we do it in a way that allows us to benefit 00:27:52:16 - 00:27:56:02 as much as possible from the good stuff that has been built into the OSCAL 00:27:56:03 - 00:27:57:03 specification.
00:27:57:03 - 00:27:59:27 Second, I would really love to see Common Policy 00:27:59:27 - 00:28:03:08 and the Federal Bridge Certificate Policy published as OSCAL catalogs. 00:28:04:26 - 00:28:05:29 Third, the 00:28:05:29 - 00:28:09:29 process of doing CP to CPS comparison has a lot of peculiarities. 00:28:10:04 - 00:28:13:01 I would like to see some sort of proof of concept of 00:28:13:01 - 00:28:17:05 tooling or something that can support those kinds of processes. 00:28:17:11 - 00:28:20:23 I think being able to demonstrate that proof of concept would 00:28:20:23 - 00:28:23:23 not only allow us to find all of those unusual things 00:28:23:24 - 00:28:27:15 and validate that they can be done using the OSCAL standard as is, 00:28:27:23 - 00:28:31:20 but would also provide us with very useful feedback as a community 00:28:31:25 - 00:28:36:06 for entities that want to implement OSCAL to support these processes. 00:28:36:09 - 00:28:38:04 One of the big benefits of OSCAL 00:28:38:04 - 00:28:42:02 is you can leverage tools that are already in existence. 00:28:42:02 - 00:28:46:07 There are a number of vendors that are either writing OSCAL tools 00:28:46:16 - 00:28:50:14 or that are putting OSCAL out into their existing tools. 00:28:50:23 - 00:28:53:15 So we need to coordinate with those people, because we want to make sure 00:28:53:15 - 00:28:55:20 that whatever representation we come up with, as a 00:28:55:20 - 00:28:56:21 document, 00:28:56:25 - 00:28:59:25 can be accepted, imported and used by tools. 00:29:00:06 - 00:29:03:07 Finally, the big payoff would be to be able 00:29:03:07 - 00:29:06:07 to demonstrate an end-to-end proof of concept, 00:29:06:10 - 00:29:10:25 being able to submit an annual review package in an OSCAL format. 00:29:11:15 - 00:29:14:21 So anyone who's interested in thinking about OSCAL 00:29:14:21 - 00:29:18:02 should definitely ask questions; there are a few links in here, 00:29:18:11 - 00:29:21:00 places where you can reach out to the OSCAL team.
00:29:21:00 - 00:29:24:05 Of course, if you have questions for me, there's my email address. 00:29:24:05 - 00:29:26:16 And that's a QR code with my card. 00:29:26:16 - 00:29:29:00 So you can get my phone number if you want. 00:29:29:00 - 00:29:30:22 But that concludes my presentation.