00:00:00:30 - 00:00:04:24 Hi, my name is AJ Stein and I'm the technical lead of the OSCAL project.
00:00:04:25 - 00:00:09:31 And today I'm here to help you learn how to use OSCAL CLI for better security data.
00:00:10:03 - 00:00:12:03 An important reminder before we continue.
00:00:12:03 - 00:00:15:18 If you want to download the slides and example content you're about to see,
00:00:15:25 - 00:00:19:27 you can use the URL on the left or the QR code on the right if you have a device
00:00:19:27 - 00:00:20:13 that can scan one.
00:00:20:13 - 00:00:22:27 I'm going to help you and follow along right now.
00:00:22:27 - 00:00:24:17 When I click this link,
00:00:24:17 - 00:00:27:16 I visit the releases section for the repository
00:00:27:16 - 00:00:30:47 that contains the examples and the code that generated this presentation.
00:00:31:09 - 00:00:34:31 I recommend you download the all.zip archive file.
00:00:34:36 - 00:00:37:16 It contains a collection of things that we're going to extract,
00:00:37:16 - 00:00:39:39 and you can use and follow along with me today.
00:00:39:39 - 00:00:42:32 When the download is done, I'm going to extract it.
00:00:42:32 - 00:00:44:26 You can see that it's done downloading.
00:00:44:26 - 00:00:46:23 I'm going to right-click on the file.
00:00:46:23 - 00:00:51:03 And then I'm going to use this tool to extract all the files in the directory.
00:00:51:22 - 00:00:54:03 You'll see that there's a folder called content
00:00:54:03 - 00:00:55:50 which has the examples we'll see today.
00:00:57:25 - 00:00:58:18 We also will have
00:00:58:18 - 00:01:02:11 generated, which contains the final version of the presentation
00:01:02:11 - 00:01:06:04 you're watching in HTML and PDF and a variety of other supporting files.
00:01:06:18 - 00:01:08:03 Let's get back to the presentation.
00:01:08:03 - 00:01:10:00 So what are the goals of today's presentation?
00:01:10:00 - 00:01:12:51 We hope to help wonderful community members like you understand
00:01:12:51 - 00:01:16:29 how you would locate, download and install OSCAL CLI releases,
00:01:16:49 - 00:01:20:02 how you would use the tool for its four high-level functionalities
00:01:20:22 - 00:01:25:14 and, for advanced usage, how you can use the different components of the OSCAL
00:01:25:14 - 00:01:30:46 CLI to extend or adapt its currently implemented features for your own needs.
00:01:31:04 - 00:01:33:11 Although we really enjoy helping our users,
00:01:33:11 - 00:01:36:15 we don't have time to present on certain topics that I've listed below.
00:01:36:33 - 00:01:41:13 We can't walk you through setting up the prerequisites for OSCAL CLI in detail.
00:01:41:15 - 00:01:42:49 We're only going to summarize it.
00:01:42:49 - 00:01:47:05 We can't help you write a significant amount of Java code to extend or adapt
00:01:47:05 - 00:01:51:27 the OSCAL CLI during the presentation, and we can't go through complex
00:01:51:27 - 00:01:56:32 examples of OSCAL data and usage patterns, whether it is with or without the OSCAL CLI.
00:01:56:46 - 00:01:58:07 We hope you understand.
00:01:58:07 - 00:02:02:14 At the end we'll have Q&A, and if we can't address it during the live presentation,
00:02:02:28 - 00:02:06:20 feel free to use our community resources and contact methods.
00:02:06:22 - 00:02:08:20 We look forward to hearing from you.
00:02:08:20 - 00:02:10:11 And who is this presentation for?
00:02:10:11 - 00:02:13:09 Although we welcome everyone and there will be a lot more to learn.
00:02:13:09 - 00:02:16:35 If you are not a software developer, system engineer, or generalist
00:02:16:35 - 00:02:19:16 technologist, we designed this for them
00:02:19:16 - 00:02:21:47 so that you can understand how to quickly bootstrap
00:02:21:47 - 00:02:25:24 and use tools and libraries of this reference implementation
00:02:25:29 - 00:02:28:42 that you can adapt and use OSCAL for different
00:02:28:42 - 00:02:31:11 use cases in your environment as soon as possible.
00:02:31:11 - 00:02:32:29 If you are not one of them,
00:02:32:29 - 00:02:34:41 you are more than welcome to stay and hopefully you will learn.
00:02:34:41 - 00:02:36:02 But there will be many questions
00:02:36:02 - 00:02:40:12 you'll have. Again, we'll be willing to address them at the end in Q&A
00:02:40:25 - 00:02:45:25 or long term in our many community contact methods and through our resources.
00:02:45:29 - 00:02:49:30 Maybe this is your first time ever hearing about OSCAL from the NIST OSCAL team.
00:02:49:30 - 00:02:51:01 So if you don't know what it is,
00:02:51:01 - 00:02:54:17 it is a set of formats expressed in XML, JSON, and YAML,
00:02:54:20 - 00:02:58:12 and those formats provide machine-readable representations of catalogs,
00:02:58:19 - 00:03:02:08 baselines, system security plans, assessment plans, and results.
00:03:02:30 - 00:03:05:10 This is the official definition from our wonderful website
00:03:05:10 - 00:03:08:09 that is pages.nist.gov/OSCAL.
00:03:08:15 - 00:03:11:14 If you download the presentation, you can even click on the link.
00:03:11:18 - 00:03:12:46 So what is the OSCAL CLI?
00:03:12:46 - 00:03:17:12 If OSCAL is a set of data formats and software uses data formats for inputs
00:03:17:12 - 00:03:20:45 and outputs, what kind of software is the OSCAL CLI in particular?
00:03:20:45 - 00:03:24:40 Well, the OSCAL CLI is a reference software implementation for OSCAL
00:03:24:46 - 00:03:27:00 with four high-level functionalities.
00:03:27:00 - 00:03:30:13 It helps you do data validation of OSCAL data.
00:03:30:25 - 00:03:33:30 It helps you convert OSCAL data from one of the three
00:03:33:30 - 00:03:36:39 formats, XML, JSON, and YAML, to one another.
00:03:37:05 - 00:03:40:04 It helps you do data processing for specific models,
00:03:40:19 - 00:03:44:18 and also helps you do data modeling so that you can help the OSCAL
00:03:44:19 - 00:03:48:31 community recommend derivative or completely new OSCAL models.
00:03:48:32 - 00:03:52:03 We'll go through each of these with examples later on in the presentation.
00:03:52:30 - 00:03:55:16 So let's learn how we can set up your OSCAL CLI.
00:03:55:16 - 00:03:58:47 You can set up the OSCAL on different kinds of operating systems.
00:03:59:05 - 00:04:02:39 We support Linux, macOS or Windows, in alphabetical order.
00:04:02:39 - 00:04:04:16 We have no strong preference.
00:04:04:16 - 00:04:06:28 We like cross-platform software.
00:04:06:28 - 00:04:09:04 And how do we achieve that with the Java runtime?
00:04:09:04 - 00:04:12:15 To use the OSCAL CLI, you will have to separately install
00:04:12:15 - 00:04:16:39 a JRE or JDK with a major version of 11 or newer on your computer.
00:04:16:43 - 00:04:20:15 We use the Eclipse Temurin Java runtime releases,
00:04:20:15 - 00:04:23:29 but that doesn't stop you from trying other certified Java releases.
00:04:23:46 - 00:04:25:43 Let us know what challenges you have
00:04:25:43 - 00:04:28:43 or questions you have by using our community resources.
00:04:29:00 - 00:04:29:51 So to move forward,
00:04:29:51 - 00:04:32:48 we're going to follow the project's instructions from the GitHub
00:04:32:48 - 00:04:36:21 source code repository URL in the previous slide and review
00:04:36:21 - 00:04:40:02 that we can download development snapshots or, more importantly, stable releases.
00:04:40:02 - 00:04:44:35 For this demo, we build versions of the OSCAL CLI for you
00:04:44:35 - 00:04:48:31 and you can download them from the Maven open source software repository.
00:04:48:45 - 00:04:52:07 This is so that people can use the OSCAL CLI and its embedded
00:04:52:07 - 00:04:55:21 Java libraries, both from NIST and other trusted third parties,
00:04:55:38 - 00:04:58:07 as part of a larger open source ecosystem.
00:04:58:07 - 00:05:01:24 You can use this with a Maven dependency package manager
00:05:01:24 - 00:05:03:45 if you write OSCAL software, but we're going to show you
00:05:03:45 - 00:05:06:01 how you can download it separately of that,
00:05:06:01 - 00:05:09:38 even if you're a casual user or a developer who needs to use the CLI
00:05:09:38 - 00:05:11:44 in a different runtime environment or context.
00:05:11:44 - 00:05:16:01 If you follow along or read the README on the GitHub repository
00:05:16:01 - 00:05:19:03 for the OSCAL CLI, you can visit and find the latest version
00:05:19:12 - 00:05:20:42 at the time of this presentation.
00:05:20:42 - 00:05:22:08 That's 1.0.1.
00:05:22:08 - 00:05:24:20 We recommend that you download the zip file
00:05:24:20 - 00:05:27:22 because this is easily extracted on most operating systems.
00:05:27:32 - 00:05:31:51 And then the zip.asc file, this is the PGP signature
00:05:31:51 - 00:05:35:09 that we're going to verify before we extract and then install
00:05:35:09 - 00:05:38:42 and test a running version of the OSCAL CLI on our computer.
00:05:38:51 - 00:05:43:45 To do that, I'm going to switch to a Linux terminal in the VS Code IDE
00:05:44:17 - 00:05:47:01 that we use to write software, but can also show you
00:05:47:01 - 00:05:49:38 running commands on a Linux computer. Here we go.
00:05:49:38 - 00:05:53:50 In this IDE, I have already downloaded a copy of the OSCAL CLI.
00:05:55:22 - 00:05:57:22 You'll see, like I said before,
00:05:57:22 - 00:06:01:03 we have a digital signature file and a copy of the zip file.
00:06:01:03 - 00:06:05:13 If you've not done this before, you can use the GPG key server systems
00:06:05:14 - 00:06:09:25 to download a copy of our current NIST OSCAL Engineering release key.
00:06:09:32 - 00:06:14:03 You can find more information in the presentation or ask questions later.
00:06:14:34 - 00:06:17:42 To double-check, I'm going to install and make sure that I have a copy
00:06:17:42 - 00:06:21:32 of the current NIST OSCAL Release Engineering key, so you can follow along with me.
00:06:21:50 - 00:06:25:35 Once I've done that, I can use that key to verify
00:06:25:35 - 00:06:29:11 that I have a valid copy of the zip file before I extract it,
00:06:29:35 - 00:06:33:05 and we can see that the key has already been pre-installed, but
00:06:33:05 - 00:06:36:03 I wanted to make sure I did it with you just so you would understand.
00:06:36:33 - 00:06:38:45 And then I can use it to verify the zip file is
00:06:38:45 - 00:06:39:10 correct.
00:06:39:10 - 00:06:43:32 Now that I know that it's correct, I can extract my copy of the OSCAL CLI.
00:06:45:51 - 00:06:47:19 This includes the libraries
00:06:47:19 - 00:06:50:45 and scripts that can help us run it on our respective operating systems.
00:06:50:45 - 00:06:56:07 If we look, there is a bin directory and this contains OSCAL CLI,
00:06:56:16 - 00:06:59:28 that's compatible with running the OSCAL CLI on Linux
00:06:59:28 - 00:07:02:34 and macOS, and the .bat file that's for Windows.
00:07:02:34 - 00:07:04:20 I'm going to choose to run the former.
00:07:04:20 - 00:07:06:11 And to do that I would do this.
00:07:06:11 - 00:07:09:12 And then I would run our first command to make sure that we have successfully
00:07:09:12 - 00:07:12:28 downloaded and configured the latest stable release, checking the version.
00:07:13:23 - 00:07:14:17 Fantastic.
00:07:14:17 - 00:07:18:08 We can see that the OSCAL CLI with its version argument has told us
00:07:18:14 - 00:07:21:06 what version of OSCAL CLI we are using,
00:07:21:06 - 00:07:22:03 when it was built,
00:07:22:03 - 00:07:26:03 and what different libraries from the NIST OSCAL team and other projects
00:07:26:03 - 00:07:30:24 that OSCAL depends upon, their versions and their commit information in history.
00:07:30:24 - 00:07:34:03 We can use this to get very precise information of not just the OSCAL
00:07:34:03 - 00:07:38:30 CLI tool, but the version of OSCAL that's used and its relative dependencies.
00:07:38:50 - 00:07:39:27 It's important
00:07:39:27 - 00:07:43:16 to note several functionalities of OSCAL CLI function the same way
00:07:43:16 - 00:07:46:50 regardless of what model you use. Moving forward in this demonstration,
00:07:46:50 - 00:07:49:34 you're going to notice that I focus on system security plans.
00:07:49:34 - 00:07:51:24 So with the notation, dollar sign model
00:07:51:24 - 00:07:55:02 name, you should understand that if I show an example with SSP,
00:07:55:13 - 00:07:59:36 you can substitute this with a valid OSCAL model, being assessment
00:07:59:36 - 00:08:04:11 plan, assessment result, catalog, component definition, profile, system
00:08:04:11 - 00:08:08:43 security plan or POAM, and give it a valid data example and it will work.
00:08:08:43 - 00:08:13:03 The application is coded to be consistent with how conversion and validation
00:08:13:03 - 00:08:14:22 work across the different models.
00:08:14:22 - 00:08:16:40 Data processing is specific to each model.
00:08:16:40 - 00:08:20:25 At this time, we only have one data processing specification
00:08:20:37 - 00:08:22:34 and that one is profile resolution.
00:08:22:34 - 00:08:25:47 The OSCAL CLI does implement this already.
00:08:25:47 - 00:08:30:13 You can only use this by saying the OSCAL CLI should use profile
00:08:30:13 - 00:08:33:50 in place of dollar sign model name, and then the relevant subcommand, resolve.
00:08:33:50 - 00:08:35:31 That will not work for the other models,
00:08:35:31 - 00:08:38:35 and you will see that the command will not be respected. In the future,
00:08:38:35 - 00:08:40:16 we reserve the right to make other
00:08:40:16 - 00:08:42:12 processing specifications for the community,
00:08:42:12 - 00:08:44:33 but this is the only one that's implemented at this time.
00:08:44:33 - 00:08:48:13 And finally, there's the data modeling, which is a complex generic subsystem
00:08:48:13 - 00:08:52:09 that allows you to change and enhance OSCAL models
00:08:52:09 - 00:08:55:19 and then test different OSCAL data instances as you
00:08:55:19 - 00:08:58:18 edit them and modify them, or completely new and novel
00:08:58:28 - 00:09:01:09 Metaschema-based. In this case, we'll focus on ones
00:09:01:09 - 00:09:03:22 that are from the tutorial from the Metaschema project,
00:09:03:22 - 00:09:07:09 so you can best understand how you can do advanced OSCAL modeling.
00:09:07:43 - 00:09:11:44 Now let's try the first functionality of the OSCAL CLI, data validation.
00:09:12:01 - 00:09:14:41 To start, we will use this example here.
00:09:14:41 - 00:09:17:40 Your paths might look different but you can do a similar thing here.
00:09:17:40 - 00:09:21:00 I use the OSCAL CLI to validate an example system
00:09:21:00 - 00:09:24:37 security plan in the JSON format and its default configuration.
00:09:25:01 - 00:09:28:24 The CLI will process it and validate that the SSP is correct
00:09:28:24 - 00:09:30:30 and give output on the command line
00:09:30:30 - 00:09:32:07 telling me that it's correct.
00:09:32:07 - 00:09:35:43 That doesn't mean that we only can use it for the OSCAL JSON format.
00:09:35:43 - 00:09:38:42 We can also use it for the OSCAL XML format.
00:09:39:13 - 00:09:44:36 Here we use a similar converted SSP from the JSON format in XML.
00:09:44:36 - 00:09:46:09 We'll see that functionality later.
00:09:46:09 - 00:09:50:00 Additionally, maybe you have very custom requirements in your environment,
00:09:50:00 - 00:09:54:40 and you wish to validate a file that is either JSON or YAML or XML,
00:09:54:40 - 00:09:59:50 but might have a custom file extension, and it might not be obvious to outsiders
00:09:59:50 - 00:10:03:01 or even your own staff that that file, with its custom
00:10:03:01 - 00:10:07:18 format, is a JSON file or YAML file or XML file.
00:10:07:18 - 00:10:09:16 Fortunately for you in the community,
00:10:09:16 - 00:10:13:32 you can use the "as" argument to say that a file with a custom extension, perhaps
00:10:13:34 - 00:10:17:20 .custom, is XML or JSON, or in this case YAML.
00:10:20:23 - 00:10:21:06 Fantastic.
00:10:21:06 - 00:10:24:36 We validated that all three of these SSPs are valid.
00:10:24:45 - 00:10:28:19 Unfortunately, in the real world with OSCAL CLI or other tools,
00:10:28:29 - 00:10:32:26 we cannot always expect that conveniently all OSCAL data will be validated.
00:10:32:26 - 00:10:36:33 Sometimes we'll have to deal with validation errors, be it from the OSCAL
00:10:36:33 - 00:10:40:39 schemas, in XML or JSON form, or the more advanced beyond-the-schema
00:10:40:39 - 00:10:41:27 constraint mechanisms.
00:10:41:27 - 00:10:45:19 Let's go through an example of a file that's erroneous, an SSP with an
00:10:45:20 - 00:10:46:22 intentional error,
00:10:46:22 - 00:10:49:21 and learn how we can interpret the error messages that are given
00:10:49:22 - 00:10:53:03 to help us better develop content and debug our own systems that rely
00:10:53:03 - 00:10:54:00 on such tooling.
00:10:54:00 - 00:10:56:51 I'm going to bring back the IDE with a Linux terminal.
00:10:57:00 - 00:11:00:41 Here I'm going to use the OSCAL CLI that we've downloaded and configured
00:11:01:00 - 00:11:02:27 to validate an SSP
00:11:02:27 - 00:11:05:15 that's XML with the error, and see if it tells us
00:11:05:15 - 00:11:08:13 that there is a potential problem we need to fix.
00:11:08:13 - 00:11:10:41 Oh, it looks like we already found a problem.
00:11:10:41 - 00:11:14:15 If we look at the CLI, it has color-coded error messaging.
00:11:14:33 - 00:11:17:45 And it tells us in a specific place that a certain element
00:11:17:45 - 00:11:21:44 of a certain item is missing, and it tells us the path to the file,
00:11:22:08 - 00:11:25:18 and it even tells us what line of the file it is.
00:11:25:18 - 00:11:26:43 Let's look at that file now.
00:11:34:48 - 00:11:38:03 If we look, it tells us that on line 260
00:11:39:08 - 00:11:42:07 we can find that there is an error.
00:11:44:27 - 00:11:47:26 Oh, look, we were missing the state.
00:11:51:31 - 00:11:54:30 That attribute is important.
00:11:55:32 - 00:11:56:31 If we add this,
00:11:56:31 - 00:11:59:38 we'll see that we can go back and rerun the validation.
00:11:59:46 - 00:12:02:44 And it should be successful.
00:12:03:02 - 00:12:03:37 Wonderful.
00:12:03:37 - 00:12:06:38 We can get line and row numbers with the OSCAL CLI
00:12:06:40 - 00:12:08:30 to tell us how we can fix potential errors.
00:12:08:30 - 00:12:12:20 Hopefully this will be of great benefit to you as you continue to use OSCAL.
00:12:12:38 - 00:12:16:24 The second core functionality of the OSCAL CLI is data conversion.
00:12:16:30 - 00:12:20:28 Given a document in one of the OSCAL formats, be it
00:12:20:46 - 00:12:24:17 XML or JSON or YAML, you can convert to one of the other two.
00:12:24:28 - 00:12:28:17 And that is not only exclusively with XML as the origin format;
00:12:28:17 - 00:12:31:28 you can actually use YAML or JSON as the source origin
00:12:31:28 - 00:12:35:21 format and convert it into the other respective formats.
00:12:35:33 - 00:12:36:45 Let's go through an example.
00:12:36:45 - 00:12:39:44 We're going to bring back the IDE with the Linux terminal where
00:12:39:44 - 00:12:42:44 we've been practicing before, and let's try another one again.
00:12:43:01 - 00:12:48:19 As shown in the first example, we can take an XML SSP and convert it into JSON.
00:12:48:26 - 00:12:49:47 We do not have to save it to a file.
00:12:49:47 - 00:12:52:46 We can actually show it through the standard output.
00:12:52:49 - 00:12:56:05 And we can also similarly do the same by taking an example
00:12:56:05 - 00:12:59:14 SSP in the OSCAL YAML format and converting that to JSON.
00:12:59:18 - 00:13:01:50 We also will send that to standard out.
00:13:01:50 - 00:13:05:10 And if we can do this, after this completes we can actually show that we can
00:13:05:10 - 00:13:08:09 redirect it to a temporary file
00:13:08:15 - 00:13:09:34 instead of showing it on the screen.
00:13:10:33 - 00:13:13:12 And then we can look at the resulting output,
00:13:13:12 - 00:13:16:11 the first 24 lines, with the command
00:13:17:22 - 00:13:20:13 head, to see what the file looks like.
00:13:20:13 - 00:13:21:19 And there we have it.
00:13:21:19 - 00:13:25:04 Successful conversion from two different formats. Back to the third
00:13:25:04 - 00:13:28:06 core functionality of the OSCAL CLI: data processing.
00:13:28:10 - 00:13:32:11 When we talk about data processing with OSCAL software implementations,
00:13:32:25 - 00:13:36:27 we mean that a tool like the OSCAL CLI has implemented the ability
00:13:36:31 - 00:13:41:12 to process one or more document instances of an OSCAL model
00:13:41:15 - 00:13:45:04 in one or more of the data formats, and make some form of enhancement
00:13:45:04 - 00:13:48:04 or customization or modification to meet
00:13:48:07 - 00:13:51:04 the use case of one or more users
00:13:51:04 - 00:13:54:49 in a security or privacy or related domain at this time.
00:13:55:04 - 00:13:59:42 With the latest release of the OSCAL models, 1.1.0, and the latest
00:13:59:42 - 00:14:04:46 release of the OSCAL CLI, version 1.0.1, there is only one draft
00:14:04:46 - 00:14:09:14 specification for processing OSCAL data, and that is profile resolution.
00:14:09:32 - 00:14:15:19 Profile resolution is where a developer or tool builder can use a profile,
00:14:15:30 - 00:14:19:49 which is a declarative expression of how to customize an existing
00:14:19:49 - 00:14:23:42 OSCAL catalog, and you can use a tool to take that profile
00:14:23:42 - 00:14:27:46 and resolve it into a new, customized catalog with modifications
00:14:27:46 - 00:14:31:37 and redactions and added material for specific controls.
00:14:31:44 - 00:14:35:45 Let's look at two examples that are on this slide in more detail.
00:14:36:05 - 00:14:39:44 I'm going to return to the IDE with the Linux terminal. To start,
00:14:40:07 - 00:14:44:19 we will see that I can take an OSCAL profile in JSON format,
00:14:44:19 - 00:14:49:08 and I can use that to resolve a profile that only selects one control.
00:14:49:22 - 00:14:52:33 That one control will be AC-61, which is from
00:14:52:33 - 00:14:55:37 the Special Publication 800-53 catalog.
00:14:55:37 - 00:14:59:14 That JSON profile will then be used with the CLI
00:14:59:14 - 00:15:02:23 to make a new resolved catalog
00:15:02:32 - 00:15:05:33 in a totally separate data format, being XML.
00:15:05:33 - 00:15:06:23 Let's run that now.
00:15:08:28 - 00:15:09:03 And there we
00:15:09:03 - 00:15:12:01 have the XML catalog with that single control.
00:15:12:01 - 00:15:16:25 Next we can take an XML catalog and profile which will take the same
00:15:16:25 - 00:15:20:37 control, albeit with a profile in this different OSCAL XML data format.
00:15:21:01 - 00:15:24:44 And then conveniently it will be able to convert that
00:15:24:44 - 00:15:29:06 into the JSON version of an OSCAL catalog with the result.
00:15:29:23 - 00:15:30:43 Again, we will show that by
00:15:30:43 - 00:15:33:42 rendering it to the screen with standard out instead of a file.
00:15:35:13 - 00:15:36:19 And there we have it.
00:15:36:19 - 00:15:39:45 We have resolved two different profiles in different formats with different
00:15:40:02 - 00:15:41:35 output formats as well.
00:15:41:35 - 00:15:45:07 The last core functionality of the OSCAL CLI is data modeling.
00:15:45:07 - 00:15:46:05 All data modeling
00:15:46:05 - 00:15:48:31 subcommands are provided under the metaschema command.
00:15:48:31 - 00:15:52:11 If you are not aware, the Metaschema Information Modeling Framework
00:15:52:18 - 00:15:57:02 is developed by colleagues at NIST to allow people to use an XML-based syntax
00:15:57:02 - 00:15:59:13 to define an information model
00:15:59:13 - 00:16:03:22 and expose the relationship between different data elements into data formats
00:16:03:22 - 00:16:06:15 and data models like we have, and OSCAL. We make
00:16:06:15 - 00:16:09:26 generous use of the Metaschema Information Modeling Framework
00:16:09:39 - 00:16:15:13 and its two implementations, one in Java, like used by the CLI, and one in XSLT,
00:16:15:24 - 00:16:20:18 to generate our respective schemas, be it in JSON Schema and XML Schema,
00:16:20:47 - 00:16:24:34 to perform code generation to make easily maintainable libraries
00:16:24:34 - 00:16:28:13 for processing OSCAL content like you can see, and also for
00:16:28:13 - 00:16:33:01 documentation generation pipelines that can be dynamically generated
00:16:33:13 - 00:16:36:39 from the Metaschema definitions themselves, which we call modules.
00:16:36:39 - 00:16:40:09 For the first example, I will show how you can use the generate-schema
00:16:40:09 - 00:16:43:22 subcommand of the metaschema command in the CLI.
00:16:43:34 - 00:16:47:04 To first take a self-contained example
00:16:47:13 - 00:16:50:11 Metaschema that is far less complex than the OSCAL
00:16:50:11 - 00:16:53:17 models, respectively, in their Metaschema definitions,
00:16:53:31 - 00:16:57:32 and first configure it to emit a JSON schema,
00:16:57:37 - 00:17:00:47 and in the subsequent command, take the Metaschema computer module
00:17:00:47 - 00:17:04:12 and emit an XML schema for that respective module.
00:17:04:12 - 00:17:08:32 Now let's go to the IDE with the Linux terminal and try that.
00:17:08:43 - 00:17:12:09 First I will bring over that command with the metaschema command
00:17:14:00 - 00:17:15:40 and the generate-schema subcommand to
00:17:15:40 - 00:17:18:39 first generate a JSON schema.
00:17:20:46 - 00:17:23:03 And then we will generate
00:17:23:03 - 00:17:26:02 an XML schema from the same Metaschema module.
00:17:27:41 - 00:17:28:34 Great.
00:17:28:34 - 00:17:32:13 And now we know we can generate schemas directly from the CLI.
00:17:32:19 - 00:17:35:18 Let's look at some other functionality for data modeling.
00:17:35:31 - 00:17:38:49 Additionally, we can use the metaschema command of the OSCAL CLI
00:17:38:49 - 00:17:43:26 with the validate subcommand to actually look at the Metaschema XML syntax,
00:17:43:32 - 00:17:46:22 and make sure that the Metaschema modules are well-formed.
00:17:46:22 - 00:17:47:27 We will do that now.
00:17:47:27 - 00:17:50:06 As an example, I will use the validate command
00:17:50:06 - 00:17:55:40 to test the Metaschema computer module that we use for the Metaschema tutorials,
00:17:55:51 - 00:17:57:30 here with the OSCAL CLI.
00:17:57:30 - 00:18:01:39 If this is syntactically valid Metaschema, it will be valid like it is.
00:18:01:39 - 00:18:05:39 This makes sure that we can check that a document can be validated
00:18:05:39 - 00:18:07:37 with a resulting JSON schema,
00:18:07:37 - 00:18:11:21 XML schema, or later that we can actually generate schemas
00:18:11:21 - 00:18:16:16 and interactively validate instances, which we will do. And now finally, knowing
00:18:16:16 - 00:18:20:06 that we can check the syntactic validity of the Metaschema modules itself,
00:18:20:06 - 00:18:23:19 and also generate schemas, we could even interactively
00:18:23:19 - 00:18:28:02 make our own Metaschema-based models, just like OSCAL, or by deriving
00:18:28:02 - 00:18:32:21 the existing OSCAL models and dynamically compile validations for them and test it,
00:18:32:21 - 00:18:33:14 for instance.
00:18:33:14 - 00:18:36:25 We have two examples here, and we'll go further through them in the demo.
00:18:36:37 - 00:18:42:07 We can take the simplified teaching models, the computer Metaschema module in XML,
00:18:42:10 - 00:18:46:50 and we can take an example XML instance document with that computer.
00:18:47:35 - 00:18:51:45 And we can have another computer instance document written in JSON.
00:18:51:45 - 00:18:56:43 And we can dynamically generate the schema validations and super-schema
00:18:57:08 - 00:19:00:34 validations and constraints as discussed before on the fly.
00:19:00:34 - 00:19:04:25 And then test that the instance itself, not just the schema, is valid.
00:19:04:47 - 00:19:05:50 Let's try that now.
00:19:05:50 - 00:19:09:25 I will return to the IDE with the Linux terminal, and I will first attempt
00:19:09:25 - 00:19:13:42 to take the computer Metaschema module as shown here with the argument
00:19:14:21 - 00:19:18:33 of the validate-content subcommand of the schema command, and I will
00:19:18:33 - 00:19:21:50 then use that to generate the necessary code
00:19:21:50 - 00:19:25:32 to validate whether the document instance of a computer.
00:19:25:32 - 00:19:28:14 This instance of the computer model is in fact valid.
00:19:33:01 - 00:19:33:34 And look,
00:19:33:34 - 00:19:36:51 we are able to determine that there are two errors with this document,
00:19:37:06 - 00:19:40:01 all without having to actually pre-compile the code.
00:19:40:01 - 00:19:43:46 As you can see here, this application was able to take a Metaschema module
00:19:43:46 - 00:19:47:39 and dynamically generate the code and generate libraries
00:19:47:39 - 00:19:52:19 for serialization and deserialization, and also was able to validate on the fly.
00:19:52:19 - 00:19:56:05 We can even take that same computer Metaschema module
00:19:56:27 - 00:20:01:11 and check another instance that is in a JSON document, not an XML document.
00:20:01:27 - 00:20:06:01 It will quickly recompile the required classes and then validate for us.
00:20:06:12 - 00:20:10:35 We will probably notice that this is the same file with similar
00:20:10:35 - 00:20:15:38 errors, albeit syntactically relevant to the JSON variant, not the XML.
00:20:15:43 - 00:20:19:03 And with that, we have shown the last of the core functionalities
00:20:19:03 - 00:20:20:14 and the more advanced feature
00:20:20:14 - 00:20:23:17 set of the metaschema command and its various subcommands.
00:20:23:34 - 00:20:26:25 So you've seen a lot of functionality of the OSCAL CLI today.
00:20:26:25 - 00:20:30:17 You may be wondering how many people have to write software like this.
00:20:30:17 - 00:20:33:11 It must be so complex and we must have to write a lot by hand.
00:20:33:11 - 00:20:34:37 Right? Well, the reality is no.
00:20:34:37 - 00:20:39:41 There is a three-layer architecture to the OSCAL CLI, as you see from the base
00:20:39:41 - 00:20:43:16 of it, at the top of the list to the bottom of OSCAL CLI itself.
00:20:43:21 - 00:20:47:25 At its core is metaschema-java, an independent library base from work
00:20:47:25 - 00:20:51:31 with the Metaschema developers that will read the Metaschema
00:20:51:31 - 00:20:56:43 Information Modeling Framework's XML syntax either at compile time or, as you saw
00:20:56:43 - 00:21:00:47 at the last demonstration, dynamically to build classes to read
00:21:00:47 - 00:21:04:47 and write Metaschema-based content in XML or JSON or YAML,
00:21:05:15 - 00:21:10:00 and is able to perform serialization, deserialization and code generation.
00:21:10:06 - 00:21:14:06 Next, the liboscal-java library depends on this. The liboscal-java library
00:21:14:11 - 00:21:19:08 takes auto-generated reader and writer classes for Metaschema modules, in
00:21:19:08 - 00:21:23:41 this case used for the seven OSCAL models, and is able to add utility functions
00:21:23:41 - 00:21:27:24 and library classes and certain reusable components
00:21:27:41 - 00:21:31:35 of the core of the command line functionality to allow people
00:21:31:35 - 00:21:36:04 to write their own distinct versions of OSCAL CLI functionality.
00:21:36:13 - 00:21:40:43 At the top, we allow for, the bottom rather, the complete user interfaces,
00:21:40:43 - 00:21:44:27 the OSCAL-CLI, which combines the generated classes
00:21:44:44 - 00:21:47:49 from metaschema-java and the liboscal-java project,
00:21:48:20 - 00:21:51:27 and as the finalized command line interface
00:21:51:41 - 00:21:56:02 in a way that can be both reusable but also removable
00:21:56:05 - 00:22:00:23 from the core logic of the liboscal-java library
00:22:00:23 - 00:22:04:02 with things such as utility functions and profile resolution
00:22:04:02 - 00:22:05:48 implementation, and metaschema-java,
00:22:05:48 - 00:22:10:30 which handles the serialization, deserialization and core processing
00:22:10:30 - 00:22:14:44 of IO of the Metaschema modules and the data instances themselves.
00:22:14:48 - 00:22:18:06 So if we're going to talk about advanced usage of the OSCAL CLI,
00:22:18:06 - 00:22:21:25 can I use OSCAL features in my own software?
00:22:21:25 - 00:22:23:20 If you're one of those users in the community
00:22:23:20 - 00:22:24:39 and you're impressed by what you see
00:22:24:39 - 00:22:28:04 and you wish to adapt it for your own cases, yes, yes you can.
00:22:28:12 - 00:22:28:48 At its core,
00:22:28:48 - 00:22:33:42 the OSCAL CLI just uses the metaschema-java and liboscal-java libraries.
00:22:33:42 - 00:22:37:15 You can see that all of our projects are public domain and open source.
00:22:37:26 - 00:22:41:04 And you can find example files in the liboscal-java
00:22:41:24 - 00:22:45:36 and OSCAL CLI projects to see how these examples could be written,
00:22:45:36 - 00:22:48:35 and how you could adapt the existing code to your own use cases.
00:22:49:00 - 00:22:54:05 You could write a very similar or very dissimilar OSCAL client or alternative.
00:22:54:23 - 00:22:57:47 If anything, we welcome it and we encourage it, and we look forward
00:22:57:47 - 00:22:59:22 to seeing what you accomplish.
00:22:59:22 - 00:23:02:48 If you wish to give back to the OSCAL or make your own or add
00:23:02:48 - 00:23:06:33 something in between, it's very simple to give back in a way that we would find
00:23:06:33 - 00:23:10:02 meaningful in the OSCAL team: please use it.
00:23:10:20 - 00:23:14:32 Please provide feedback, and by feedback we mean documenting use cases.
00:23:14:50 - 00:23:18:29 We mean running the command with bugs, issues
00:23:18:29 - 00:23:21:20 and bug behavior, and use the show stack trace command.
00:23:21:20 - 00:23:24:41 This shows us the full detail of the feature that is not functioning
00:23:24:41 - 00:23:30:22 properly, and helps us more effectively fix it in a routine and expedited manner.
00:23:30:29 - 00:23:34:41 And most importantly, if you have watched this and you see a functionality
00:23:34:41 - 00:23:38:19 you think is very applicable to the CLI or the underlying components
00:23:38:33 - 00:23:41:31 and you would like to have it added, please request a new feature.
00:23:41:33 - 00:23:46:45 Again, all three of those are something you can do through visiting the GitHub
00:23:46:46 - 00:23:51:35 usnistgov/oscal-cli repository for code and issue management on GitHub.
00:23:52:01 - 00:23:52:40 And of course,
00:23:52:40 - 00:23:56:05 we will continue to ask you to rinse and repeat and incrementally enhance
00:23:56:17 - 00:24:00:15 this great piece of software, not just for us, but for you, the community at large.
00:24:00:32 - 00:24:02:50 That's the end of this presentation today.
00:24:02:50 - 00:24:06:12 If you wish to know more about OSCAL overall and not just the CLI,
00:24:06:14 - 00:24:08:20 please visit the project website.
00:24:08:20 - 00:24:10:30 Please visit the code repository.
00:24:10:30 - 00:24:14:09 Please be sure to look on the website for contribution information
00:24:14:09 - 00:24:15:21 and recommendations.
00:24:15:21 - 00:24:17:37 And of course, if you're not sure what you need
00:24:17:37 - 00:24:21:41 or what you want to do with OSCAL, for OSCAL, by OSCAL or
00:24:21:41 - 00:24:24:31 with OSCAL, we strongly recommend that you reach out to us.
00:24:24:31 - 00:24:27:17 Our contact methods are at the last link.
00:24:27:17 - 00:24:28:45 Thank you and have a very good day.