3rd Open Security Controls Assessment Language (OSCAL) Workshop – Max Aulakh

Max Aulakh, Managing Director at Ignyte, and is focused on automating the NIST Risk Management Framework leveraging the OSCAL data format through cooperative R&D efforts. He’ll talk about components, the main reason why we need components inside of OSCAL, and also some of the modern software factory challenges. The workshop will provide attendees an opportunity to familiarize themselves and build skills in the development and use of OSCAL. We encourage developers of control-oriented security tools and organizations that want to use or create OSCAL-based information to watch this webinar.

Challenges

1. Speed: One of the biggest challenges is the slow approval process for an ATO.
2. Scope: Understanding what we are accrediting — process versus static packages.
3. Methodology: Determining how we are accrediting. Developing a continuous state of monitoring (ConMon).
4. There are other challenges, like inheritance reciprocity and the platform boundary itself.

Key questions

1. What is aggregation?
2. Why should I use aggregation?

Takeaways

1. Take time on your component definitions to ensure they are reusable.
2. In order to build your SSP, know the size and how many components are involved.
3. Automate the language.
4. Generate an initial set of boundary diagrams and an initial taxonomy for ISSMs.