00:00:00:19 - 00:00:04:05 So again, welcome to our 16th workshop. 00:00:04:10 - 00:00:09:20 I would like to pass the microphone to JJ Contessa, the CTO from C1secure. 00:00:10:13 - 00:00:14:25 So, first off, Michaela and the rest of the NIST team, 00:00:14:25 - 00:00:17:26 thank you for the opportunity to present today. 00:00:17:26 - 00:00:21:09 And thank you to all the attendees for taking time out of the day to join us. 00:00:21:12 - 00:00:23:07 My name is JJ Contessa. 00:00:23:07 - 00:00:26:17 I'm the chief operating officer for C1secure. 00:00:26:27 - 00:00:29:10 I am joined today by a few of my colleagues 00:00:29:10 - 00:00:32:04 who will be participating and/or also 00:00:32:04 - 00:00:35:24 supporting the Q&A section of today's presentation: 00:00:36:05 - 00:00:39:10 VP of Professional Services, Steve Grogan, 00:00:39:10 - 00:00:44:06 as well as our senior platform architect, Vijay Addicam. 00:00:44:11 - 00:00:46:22 And I don't believe, unfortunately, Todd was able to join us, 00:00:46:22 - 00:00:50:15 but he can also provide some insights after the call, if necessary. 00:00:50:20 - 00:00:54:06 Just to dive in and provide a little bit of an overview of the agenda, 00:00:54:06 - 00:00:57:06 as well as to set some expectations for today: 00:00:57:12 - 00:01:01:06 we, C1secure, are security and compliance practitioners. 00:01:01:08 - 00:01:05:05 So, as we deliver today's presentation, it's really going to be from 00:01:05:05 - 00:01:10:00 that point of view and how we have come to understand OSCAL. 00:01:10:13 - 00:01:11:29 I'll give a little bit of the lineage of 00:01:11:29 - 00:01:15:24 our journey from a FedRAMP perspective and into OSCAL, 00:01:16:01 - 00:01:18:18 and how we've brought this to life 00:01:18:18 - 00:01:20:18 within the enterprise-grade platform that 00:01:20:18 - 00:01:24:13 we support and manage, which happens to be ServiceNow. 
00:01:24:17 - 00:01:27:02 But as we go throughout this, we'll just provide 00:01:27:02 - 00:01:30:04 our vision initially as we started down this path, 00:01:30:24 - 00:01:33:08 some of the lessons learned, and hopefully we can impart 00:01:33:08 - 00:01:35:03 that, you know, upon the community here, 00:01:35:03 - 00:01:38:09 for those that, you know, might be at earlier stages of OSCAL. 00:01:38:14 - 00:01:42:17 But our broader objective is to be a contributor to this community 00:01:42:20 - 00:01:47:04 in helping to evangelize and democratize what we believe to be a significant 00:01:47:04 - 00:01:51:02 and transformational capability that can transcend the security 00:01:51:02 - 00:01:52:18 and compliance marketplace. 00:01:52:18 - 00:01:56:18 Just to dive in as far as our preliminary objectives 00:01:56:22 - 00:01:58:27 as we started to approach OSCAL: 00:01:58:27 - 00:02:00:14 to provide some context, 00:02:00:14 - 00:02:02:04 I need to rewind the tapes a little bit to 00:02:02:04 - 00:02:03:17 almost a decade ago. 00:02:03:17 - 00:02:06:14 We were delivering a portfolio of professional 00:02:06:14 - 00:02:08:00 and managed security services, 00:02:08:00 - 00:02:13:01 so predominantly helping customers to build and optimize their security 00:02:13:01 - 00:02:17:11 and compliance programs, providing risk assessments, vulnerability 00:02:17:14 - 00:02:20:14 scanning, and security awareness training. 00:02:20:16 - 00:02:24:13 And, concurrently, we had a sister organization 00:02:24:13 - 00:02:27:23 that was in pursuit of developing, at least initially, 00:02:28:03 - 00:02:31:06 a FISMA-compliant infrastructure as a service. 00:02:31:14 - 00:02:36:00 And they were at the early stages of also then pursuing a FedRAMP-compliant 00:02:36:06 - 00:02:37:23 infrastructure as a service. 00:02:37:23 - 00:02:40:17 The sister company: Autonomic Resources. 
00:02:40:17 - 00:02:44:19 And along that journey and that path, we played a significant role 00:02:44:19 - 00:02:48:28 in helping Autonomic to develop their system security plan, 00:02:49:20 - 00:02:53:15 a lot of the other artifacts that go into the package, 00:02:53:15 - 00:02:57:03 helping them implement the continuous monitoring 00:02:57:03 - 00:03:01:08 processes, working alongside the GSA and their 3PAO. 00:03:01:08 - 00:03:05:02 And Autonomic became the very first to receive an authority 00:03:05:02 - 00:03:06:09 to operate from FedRAMP. 00:03:06:09 - 00:03:10:11 That's initially how we, C1secure, got ingrained into this 00:03:10:14 - 00:03:13:27 community from a federal compliance perspective. 00:03:14:01 - 00:03:17:20 Our first objective here, as highlighted, around automation of US 00:03:17:20 - 00:03:20:20 government regulatory reporting and continuous monitoring requirements, 00:03:21:00 - 00:03:24:21 really came as a derivative of our experience 00:03:24:21 - 00:03:28:20 a decade ago. Shortly after Autonomic received their ATO, 00:03:29:00 - 00:03:34:03 the initial excitement soon faded as they entered into continuous monitoring 00:03:34:03 - 00:03:38:08 and having to produce artifacts for the PMO on a monthly basis. 00:03:38:12 - 00:03:41:26 We could see immediately the cost of compliance; 00:03:41:26 - 00:03:44:08 it was very labor intensive, 00:03:44:08 - 00:03:45:20 highly manual. 00:03:45:20 - 00:03:49:00 I think, like many, we were using a very hammer-and-chisel approach, 00:03:49:05 - 00:03:52:05 so using spreadsheets, calendar reminders, chats, 00:03:52:23 - 00:03:54:26 you know, just to produce the POAM. 00:03:54:26 - 00:03:57:25 And, you know, we knew that this process was not scalable. 00:03:57:25 - 00:04:01:20 We also knew that, frankly, it was going to be a challenge for all cloud 00:04:01:20 - 00:04:02:17 service providers. 
00:04:02:17 - 00:04:06:00 So we went to the market to see if there was anything 00:04:06:00 - 00:04:09:14 at the time that could help us to automate these processes. 00:04:09:27 - 00:04:11:11 And there really wasn't. 00:04:11:11 - 00:04:14:24 Now, we had made some preexisting investments into ServiceNow 00:04:15:03 - 00:04:17:03 to support IT service management. 00:04:17:11 - 00:04:21:01 But our analysis concluded that it would really be the best foundational platform 00:04:21:01 - 00:04:25:25 for us to build capabilities that we felt were necessary to help Autonomic, 00:04:25:25 - 00:04:28:28 as well as, you know, the broader cloud service provider community, 00:04:29:06 - 00:04:32:26 in supporting their ConMon and reporting obligations. 00:04:33:12 - 00:04:37:10 Many of you on this platform, or on this call today, may be familiar with ServiceNow. 00:04:37:16 - 00:04:40:20 If you weren't familiar with it a decade ago, it was a vastly different 00:04:40:20 - 00:04:41:10 platform. 00:04:41:10 - 00:04:44:22 But it did have really great foundational capabilities 00:04:45:02 - 00:04:48:17 that we felt would hold us in good stead even until today. 00:04:48:17 - 00:04:50:19 And that certainly has come to fruition. 00:04:50:19 - 00:04:51:28 Key elements that we looked for 00:04:51:28 - 00:04:56:11 from the enterprise platform standpoint: first, the core foundation of the CMDB. 00:04:56:15 - 00:04:58:16 You can't protect what you don't know that you have. 00:04:58:16 - 00:05:02:04 The CMDB provides dynamic discovery capabilities, which 00:05:02:10 - 00:05:06:25 enabled us to build and monitor the security boundary very effectively. 00:05:07:00 - 00:05:11:25 Furthermore, the service mapping provided terrific contextual business impact 00:05:11:25 - 00:05:15:17 of incidents and vulnerabilities that were taking place inside of a cloud 00:05:15:17 - 00:05:16:29 service provider environment. 00:05:16:29 - 00:05:20:09 Building on top of that was the integration into change management. 
00:05:20:14 - 00:05:21:21 So we have one platform 00:05:21:21 - 00:05:25:21 where we can execute changes, associating that to our control catalogs, 00:05:25:25 - 00:05:29:14 and then also being able to see, okay, we're raising changes; 00:05:29:14 - 00:05:31:15 these are going to be the assets that are impacted; 00:05:31:15 - 00:05:33:17 these are then the associated services. 00:05:33:17 - 00:05:36:23 So again, having that unified context is very important. 00:05:37:11 - 00:05:41:10 And then a significant element was also the fact that it was a low-code 00:05:41:10 - 00:05:42:28 citizen development environment. 00:05:42:28 - 00:05:45:10 We needed to build a lot of the capabilities 00:05:45:10 - 00:05:47:02 that were not natively supported. 00:05:47:02 - 00:05:48:15 ServiceNow has terrific 00:05:48:15 - 00:05:51:27 risk and security products today; they didn't exist a decade ago. 00:05:52:07 - 00:05:55:00 And so we needed to build a lot of those foundational capabilities 00:05:55:00 - 00:05:56:00 into the platform. 00:05:56:00 - 00:05:58:03 So just a quick flash forward to today. 00:05:58:03 - 00:05:59:20 And again, I provide all this context 00:05:59:20 - 00:06:02:13 because it'll give you insight into how we've approached OSCAL. 00:06:02:13 - 00:06:05:25 We are an implementation partner and consulting partner of ServiceNow, 00:06:05:25 - 00:06:09:19 exclusively focused on their integrated risk and security operations products. 00:06:10:01 - 00:06:11:27 We're also a technology development partner. 00:06:11:27 - 00:06:13:01 So we've built 00:06:13:01 - 00:06:16:25 a lot of purpose-built capabilities to support cloud service providers 00:06:16:25 - 00:06:20:26 and the DoD contracting base in support of CMMC compliance, 00:06:20:29 - 00:06:21:23 published a lot of those 00:06:21:23 - 00:06:25:20 apps in the ServiceNow App Store, and we're also a managed service provider. 
00:06:25:23 - 00:06:29:06 We provide professionally managed and administered instances of ServiceNow 00:06:29:06 - 00:06:32:06 in both their commercial and their GCC accredited clouds. 00:06:32:18 - 00:06:34:28 And that's a credit to FedRAMP Pi. 00:06:34:28 - 00:06:37:28 Now, ServiceNow has made, as I mentioned, some 00:06:38:00 - 00:06:41:00 significant investments into their risk and security products. 00:06:41:00 - 00:06:43:06 In the event that you're unfamiliar, the risk products 00:06:43:06 - 00:06:46:28 or security products now really provide enterprise vulnerability response 00:06:47:04 - 00:06:51:16 across infrastructure, container and application vulnerabilities, 00:06:51:16 - 00:06:53:28 full security incident response workflows, 00:06:53:28 - 00:06:57:05 having automated playbooks and working with SIEM platforms, 00:06:57:19 - 00:07:02:14 and IRM, or integrated risk management, which really provides comprehensive 00:07:02:14 - 00:07:05:14 GRC across policy, compliance, 00:07:05:14 - 00:07:09:02 risk registers, third-party risk management and business continuity. 00:07:09:10 - 00:07:13:03 And our goal and objective has been to continue to operationalize and 00:07:13:11 - 00:07:16:25 optimize customer security and compliance programs within ServiceNow. 00:07:16:28 - 00:07:18:04 Many of our customers have these 00:07:18:04 - 00:07:22:08 preexisting investments into ServiceNow, managing their control catalogs 00:07:22:08 - 00:07:26:02 and all of their program evidence, running their audits out of the platform. 00:07:26:02 - 00:07:30:08 So, as we started to approach OSCAL, you know, we were very cognizant 00:07:30:08 - 00:07:32:24 of the preexisting investments customers have made. 
00:07:32:24 - 00:07:35:25 And how do we help to realize these capabilities 00:07:35:25 - 00:07:38:27 within a platform, take advantage of those preexisting records 00:07:38:27 - 00:07:42:19 that exist there and, you know, ultimately conform to this, 00:07:42:19 - 00:07:45:19 you know, new transformative capability around OSCAL? 00:07:45:24 - 00:07:48:24 Our approach, initially from a persona perspective, 00:07:48:29 - 00:07:51:25 has been very focused on cloud service providers. 00:07:51:25 - 00:07:54:20 How do we help make their jobs easier? 00:07:54:20 - 00:07:58:12 Really focused on the common elements, but then also transforming that 00:07:58:12 - 00:08:01:15 and taking a lot of those operational elements that exist 00:08:01:15 - 00:08:04:16 in the platform, making sure that we can easily produce 00:08:04:26 - 00:08:07:29 all of the requirements that are necessary to comply 00:08:08:05 - 00:08:11:04 with the regulatory reporting requirements that they have. 00:08:11:04 - 00:08:12:29 POAM is just one artifact, 00:08:12:29 - 00:08:14:10 but there are several others. 00:08:14:10 - 00:08:17:08 We've built a lot of capabilities on top 00:08:17:08 - 00:08:20:12 of the ServiceNow security and compliance products. 00:08:20:16 - 00:08:22:27 We have a mechanism to automate the production 00:08:22:27 - 00:08:25:16 of the plan of actions and milestones, where we convert 00:08:25:16 - 00:08:29:07 the vulnerable items inside the system to the GSA-prescribed format. 00:08:29:08 - 00:08:32:01 We also convert all of the higher issues, 00:08:32:01 - 00:08:36:02 so any control attestation failures or any control testing failures, 00:08:36:06 - 00:08:39:27 where recently we felt that in the gap assessments for Rev 00:08:39:27 - 00:08:42:28 5, and producing those to the POAM extracts. 00:08:43:01 - 00:08:45:22 We built adjudication onboarding processes, 00:08:45:22 - 00:08:49:00 automating the production of roles and responsibilities matrices. 
00:08:49:02 - 00:08:52:29 So again, all of this is very focused on taking advantage of a lot of the platform 00:08:52:29 - 00:08:56:23 records that exist and just making sure that they can conform to the extract 00:08:56:23 - 00:09:00:11 requirements or reporting extracts that the CSPs also have to produce. 00:09:00:14 - 00:09:02:26 Okay, I'll get into more of the OSCAL element in just a minute. 00:09:02:26 - 00:09:06:28 But we started down this path over 18 months ago at this time. 00:09:06:28 - 00:09:09:28 And when we started to pursue that, you know, it was really focused on 00:09:10:02 - 00:09:11:09 building the prototype, 00:09:11:09 - 00:09:15:00 with a goal of getting that completed by the middle of this year 00:09:15:11 - 00:09:18:25 and then ultimately starting to extend that to the broader stakeholders, 00:09:18:25 - 00:09:22:25 you know, being the 3PAOs and the FedRAMP PMO. 00:09:23:05 - 00:09:26:21 So, jumping into our journey specifically with OSCAL, 00:09:26:25 - 00:09:30:08 I'll share with you one of the first landmines that we stepped on. 00:09:30:12 - 00:09:33:12 I'll start in the top left with the OSCAL relational model. 00:09:33:15 - 00:09:36:17 As I shared, we had intimate knowledge of the POAM, 00:09:36:28 - 00:09:41:01 given the frequency of reporting required there, the labor-intensive nature 00:09:41:01 - 00:09:42:16 of putting it together. 00:09:42:16 - 00:09:44:14 That's where we thought we could start. 00:09:44:14 - 00:09:46:18 You know, with our skills, like, we know this. 00:09:46:18 - 00:09:47:26 We know the process. 00:09:47:26 - 00:09:50:13 It might be axiomatic to several of you on this call. 00:09:50:13 - 00:09:53:15 Really, when we started this process, almost two years ago now, 00:09:53:15 - 00:09:54:08 we didn't know what 00:09:54:08 - 00:09:56:18 we didn't know. In short, that was a mistake. 
00:09:56:18 - 00:09:57:28 What we really focused on 00:09:57:28 - 00:10:02:04 was assessing the schema, understanding the components of OSCAL, 00:10:02:05 - 00:10:04:27 understanding their dependencies and those relationships, 00:10:04:27 - 00:10:07:27 and making sure that we had a really sound architecture 00:10:08:08 - 00:10:09:25 before we endeavored any further. 00:10:09:25 - 00:10:12:06 We used those initial learnings to then, 00:10:12:06 - 00:10:15:00 you know, put together, formulate a plan of implementation. 00:10:15:00 - 00:10:16:10 We started building out the 00:10:16:10 - 00:10:19:28 appropriate structures inside of ServiceNow to support this model; 00:10:20:03 - 00:10:23:02 that is now almost 150-plus custom tables 00:10:23:02 - 00:10:26:07 that we've introduced inside of the ServiceNow environment. 00:10:26:10 - 00:10:29:20 As we've done that, we've also been cognizant of 00:10:29:28 - 00:10:32:20 looking at the current records that exist in the system, 00:10:32:20 - 00:10:35:25 not only being focused on how do we produce an OSCAL SSP, 00:10:35:29 - 00:10:39:26 but how do we then make sure that it can seamlessly integrate back in 00:10:39:26 - 00:10:44:01 from an ongoing operations standpoint and integrate with the records 00:10:44:01 - 00:10:47:23 that customers are using to continuously monitor their environment. 00:10:47:23 - 00:10:51:10 So they have all those control implementations and all the back matter there. 00:10:51:10 - 00:10:54:10 So we looked at how do we integrate those records? 00:10:54:24 - 00:10:58:01 What potential enrichments do we need to do to make sure 00:10:58:01 - 00:11:01:27 that those records can conform to the metadata requirements of OSCAL? 00:11:02:02 - 00:11:05:19 One of the big elements that we also identified during this process: 00:11:05:22 - 00:11:09:22 ServiceNow IRM is built on top of really the UCF, 00:11:09:22 - 00:11:11:11 so the unified control framework. 
00:11:11:11 - 00:11:15:28 And while that delivers a lot of benefits from a common control perspective, 00:11:16:01 - 00:11:19:08 that also created a lot of challenges for us, namely 00:11:19:08 - 00:11:23:17 in the fact that trying to get to that lowest common denominator on the common controls 00:11:23:19 - 00:11:26:19 did not conform with the OSCAL schema whatsoever. 00:11:26:26 - 00:11:29:00 So we had to implement custom 00:11:29:00 - 00:11:32:25 control catalogs for each of the FedRAMP impact levels. 00:11:32:29 - 00:11:36:09 We also had to make updates to the control templates 00:11:36:09 - 00:11:39:22 where there were missing metadata attributes that we would need 00:11:39:29 - 00:11:43:08 to make sure that we could conform, again, to the schema. 00:11:43:12 - 00:11:47:00 And what we also learned later on, as we started to do validations, was that 00:11:47:02 - 00:11:50:15 we had to make sure that our naming conventions around the controls 00:11:50:24 - 00:11:54:12 didn't have or utilize specific special characters. 00:11:54:12 - 00:11:56:14 So a lot of these were some of the things 00:11:56:14 - 00:11:59:19 that we recognized as we were trying to conform the schema 00:11:59:19 - 00:12:03:04 to the preexisting relational model inside of ServiceNow. 00:12:03:17 - 00:12:04:13 What we've also done, 00:12:04:13 - 00:12:07:19 from an ease-of-adoption standpoint or making the customer experience better: 00:12:07:23 - 00:12:12:00 we built out a full front-end GUI that then complements the control catalogs. 00:12:12:03 - 00:12:15:04 The front-end GUI really supports sections 00:12:15:04 - 00:12:18:04 1 through 12 of the SSP today. 00:12:18:07 - 00:12:21:02 Again, it makes it much easier and more of a plug-and-play environment 00:12:21:02 - 00:12:24:15 for the cloud service provider to manage 00:12:24:19 - 00:12:27:07 those sections and make updates to that. 
00:12:27:07 - 00:12:30:23 And then we created a synchronous process that takes 00:12:30:23 - 00:12:34:19 those front-end elements and merges them into the back-end OSCAL tables. 00:12:34:25 - 00:12:38:10 Where we are today: through that process, we've successfully 00:12:38:10 - 00:12:43:09 produced an OSCAL SSP, and really, the full relational model is built. 00:12:43:09 - 00:12:47:14 And now we're just working on finalizing all of the OSCAL extracts, 00:12:47:18 - 00:12:50:27 so being able to produce the POAMs; we do POAMs today, 00:12:50:29 - 00:12:54:17 now just, you know, working on that from an OSCAL compatibility standpoint. 00:12:54:22 - 00:12:58:15 Also, continuing to make sure that those are validated through 00:12:58:22 - 00:13:01:23 the three levels of conformance, from a file conformance, 00:13:02:08 - 00:13:06:04 NIST validation and FedRAMP schema standpoint. 00:13:06:07 - 00:13:09:12 And, as we get into the roadmap elements, we're starting to embed some 00:13:09:12 - 00:13:12:28 of those validations and then also making sure that we can work seamlessly 00:13:13:06 - 00:13:16:13 with the new FedRAMP automation portal that is forthcoming. 00:13:16:26 - 00:13:19:26 A little bit into the engine ecosystem itself. 00:13:19:26 - 00:13:25:02 So one of the big pieces of ServiceNow that we really like is its ability 00:13:25:02 - 00:13:28:19 to take in data from multiple sources 00:13:28:28 - 00:13:33:02 in various different forms, create a standard process for importing, 00:13:33:07 - 00:13:35:04 translating and normalizing 00:13:35:04 - 00:13:38:25 that data, and then putting it into an operational workflow. 00:13:39:00 - 00:13:40:21 When we highlight the digital elements 00:13:40:21 - 00:13:43:21 here, it's a combination of several different sources, 00:13:43:21 - 00:13:46:11 so bringing data in from several third parties, 
00:13:46:11 - 00:13:51:04 again, in various different formats, whether that be API, CSV, Excel, 00:13:51:08 - 00:13:55:12 and then also creating a digital environment where 00:13:55:13 - 00:13:58:05 we can translate some of these preexisting 00:13:58:05 - 00:14:01:06 unstructured data objects and create more 00:14:01:06 - 00:14:04:06 of an environment to manage them in a more efficient way. 00:14:04:09 - 00:14:08:11 Other things that we're focused on from an ongoing development standpoint are 00:14:08:11 - 00:14:10:18 streamlining the conversion 00:14:10:18 - 00:14:14:17 of a lot of these manual objects into the OSCAL format. 00:14:14:17 - 00:14:19:01 So we have preliminary prototypes built to translate 00:14:19:04 - 00:14:23:01 various either unstructured or semi-structured objects and being able 00:14:23:01 - 00:14:27:26 to push those into the relational model inside of ServiceNow, 00:14:27:26 - 00:14:32:01 and then also being able to do that in a bidirectional way. 00:14:32:04 - 00:14:34:06 Being able to bring in the data is one thing; 00:14:34:06 - 00:14:35:25 to extract the data is another. 00:14:35:25 - 00:14:38:17 Extraction has actually proven to be much easier. 00:14:38:17 - 00:14:40:06 But then taking these objects 00:14:40:06 - 00:14:44:18 back from OSCAL and pushing those into the relational model has proven to be 00:14:44:19 - 00:14:47:19 a bit more time intensive than initially forecasted, but 00:14:47:23 - 00:14:50:25 once it comes into the engine framework 00:14:50:25 - 00:14:53:27 here, it's a lot of the mapping of the metadata attributes. 00:14:54:05 - 00:14:56:10 We have the core OSCAL tables, 00:14:56:10 - 00:15:00:00 and then again that then feeds into the operational workflow. 
00:15:00:03 - 00:15:04:03 As customers continue to update or modify or test their controls, 00:15:04:03 - 00:15:08:10 or measure their risk, or perform vulnerability assessments, the platform 00:15:08:10 - 00:15:12:02 is dynamically updating and monitoring not only the operational workflow 00:15:12:02 - 00:15:15:10 elements, but concurrently keeping the OSCAL model up to date. 00:15:15:14 - 00:15:19:12 And then on the right-hand side here, from an OSCAL reporting standpoint, 00:15:19:18 - 00:15:21:11 this is a relatively new element, 00:15:21:11 - 00:15:24:22 where we're being able to automatically and dynamically push 00:15:25:08 - 00:15:28:27 the OSCAL artifacts to the FedRAMP Automation portal, 00:15:29:15 - 00:15:31:17 and that, of course, being able to support 00:15:31:17 - 00:15:35:20 other agnostic outputs from the CSP storage standpoint. 00:15:35:23 - 00:15:38:25 At this stage, I'm going to turn it over to my colleague Steve, 00:15:38:28 - 00:15:40:27 and he's just going to give some insights into- [part two continued]