Resolve logical Catalogs from ARS 5.0 spreadsheet

Open openprivacy opened this issue 2 years ago • 7 comments

This is a subset of #6 as it does not include converting ARS to the SP 800-53 rev5 source with ODPs.

The ARS 5.0 spreadsheet defines nine (9) logical Catalogs:

  1. Low
  2. Moderate
  3. Moderate-HVA (Q overwrites D, S appended to K)
  4. Moderate-PHI (O & P appended to F and K)
  5. Moderate-HVA-PHI (both; K may have two supplements)
  6. High
  7. High-HVA (Q overwrites D, S appended to K)
  8. High-PHI (O & P appended to F and K)
  9. High-HVA-PHI (both; K may have two supplements)

One solution is to create

  • one ARS Catalog (containing all Low-Moderate-High-Supplemental controls)
  • three standard FISMA Profiles (Low, Moderate, High) that resolve to three respective Catalogs
  • one (optional) HVA overlay Profile that overwrites the Control Statement (D) and appends to the Discussion (K)
  • one (optional) PII/PHI overlay Profile that appends to the Implementation Standards (F) and Discussion (K)

Blueprint (or other GRC) imports the resolved Catalogs and manages a System-Specific Profile that can:

  • tailor out non-applicable controls
  • reference and add Supplemental controls

openprivacy avatar May 18 '22 14:05 openprivacy

Cool, so you want to start discussing solutions around profile resolution that does not involve "converting ARS to the SP 800-53 rev5 source with ODPs"? I am interested in that too. :-)

xee5ch avatar May 18 '22 20:05 xee5ch

Yes. I believe it should be straightforward to create the primary Catalog, the three (FISMA) Profiles and two (overlay) Profiles. It ought to be a fairly simple resolution requiring only a small subset of functions (perhaps import.include, merge.use-first and modify.alter.add) - though I've not looked into it very deeply.

openprivacy avatar May 19 '22 01:05 openprivacy
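The design sketched in the first comment (one source Catalog, three FISMA Profiles, two stackable overlay Profiles) and the resolution functions named in the follow-up (import/include, merge use-first, modify.alter add) can be exercised with a small resolver. The following is an added example, not code from this repository, from compliance-io, or from NIST's profile resolver; it is a toy implementation of only that subset of OSCAL profile semantics (removes applied before adds, `by-id` targeting a part, `position` starting/ending, `use-first` de-duplication). The mini-catalog is constructed, and the mapping of ARS spreadsheet columns to OSCAL parts (D = `statement`, F = `implementation`, K = `guidance`) is an assumption taken from the issue text. Real OSCAL resolution also handles parameters, groups, props and `by-id` ordering rules that this example ignores.

```python
"""Toy OSCAL-style profile resolution: one catalog, a baseline profile and
stacked overlay profiles, using only import/include, merge.combine use-first
and modify.alter removes/adds. Constructed data; not CMS ARS 5.0 content."""
import copy
import json


def _control(cid, title):
    # Assumed column mapping: D -> statement, F -> implementation, K -> guidance.
    return {"id": cid, "title": title, "parts": [
        {"id": f"{cid}_smt", "name": "statement", "prose": f"{title}: baseline requirement."},
        {"id": f"{cid}_imp", "name": "implementation", "prose": "Baseline implementation standard."},
        {"id": f"{cid}_gdn", "name": "guidance", "prose": "Baseline discussion."}]}


# Constructed source catalog standing in for the full ARS Catalog (href -> document).
SOURCES = {"ars-catalog.json": {"catalog": {"id": "ars-mini", "controls": [
    _control("ac-2", "Account Management"),
    _control("ac-3", "Access Enforcement"),
    _control("ac-6", "Least Privilege")]}}}

# Baseline FISMA profile: select controls by id from the source catalog.
MODERATE_PROFILE = {"profile": {"id": "ars-moderate",
    "imports": [{"href": "ars-catalog.json",
                 "include-controls": [{"with-ids": ["ac-2", "ac-3"]}]}],
    "merge": {"combine": {"method": "use-first"}}}}

# HVA overlay: imports the resolved Moderate catalog, overwrites D, appends to K.
HVA_OVERLAY = {"profile": {"id": "ars-moderate-hva",
    "imports": [{"href": "ars-moderate.json", "include-all": {}}],
    "modify": {"alters": [{"control-id": "ac-2",
        "removes": [{"by-name": "statement"}],
        "adds": [{"position": "starting", "parts": [
                     {"id": "ac-2_smt", "name": "statement",
                      "prose": "Account Management: HVA requirement."}]},
                 {"by-id": "ac-2_gdn", "position": "ending", "parts": [
                     {"name": "guidance", "prose": "HVA supplement."}]}]}]}}}

# PII/PHI overlay stacked on the HVA result: appends to F and K (second K supplement).
PHI_OVERLAY = {"profile": {"id": "ars-moderate-hva-phi",
    "imports": [{"href": "ars-moderate-hva.json", "include-all": {}}],
    "modify": {"alters": [{"control-id": "ac-2",
        "adds": [{"by-id": "ac-2_imp", "position": "ending", "parts": [
                     {"name": "implementation", "prose": "PHI implementation standard."}]},
                 {"by-id": "ac-2_gdn", "position": "ending", "parts": [
                     {"name": "guidance", "prose": "PHI supplement."}]}]}]}}}


def _select(imp, catalog):
    """import + include-all / include-controls.with-ids: copy chosen controls."""
    controls = catalog["catalog"]["controls"]
    if "include-all" in imp:
        return copy.deepcopy(controls)
    wanted = {cid for sel in imp.get("include-controls", []) for cid in sel.get("with-ids", [])}
    return [copy.deepcopy(c) for c in controls if c["id"] in wanted]


def _find_part(node, part_id):
    """Depth-first search for a part by id below a control or part."""
    for part in node.get("parts", []):
        if part.get("id") == part_id:
            return part
        hit = _find_part(part, part_id)
        if hit is not None:
            return hit
    return None


def _matches(part, rm):
    return (("by-name" in rm and part.get("name") == rm["by-name"])
            or ("by-id" in rm and part.get("id") == rm["by-id"]))


def resolve(profile, sources):
    """Resolve one profile against `sources` (href -> catalog document)."""
    prof = profile["profile"]
    method = prof.get("merge", {}).get("combine", {}).get("method", "use-first")
    merged = {}
    for imp in prof["imports"]:
        for ctl in _select(imp, sources[imp["href"]]):
            if ctl["id"] in merged and method == "use-first":
                continue  # keep the first definition of a control id
            merged[ctl["id"]] = ctl
    for alter in prof.get("modify", {}).get("alters", []):
        ctl = merged[alter["control-id"]]
        for rm in alter.get("removes", []):  # removes run before adds
            ctl["parts"] = [p for p in ctl["parts"] if not _matches(p, rm)]
        for add in alter.get("adds", []):
            target = _find_part(ctl, add["by-id"]) if "by-id" in add else ctl
            if target is None:
                raise KeyError(f"{alter['control-id']}: no part {add['by-id']}")
            parts = target.setdefault("parts", [])
            new = copy.deepcopy(add.get("parts", []))
            if add.get("position", "ending") == "starting":
                parts[0:0] = new
            else:
                parts.extend(new)
    return {"catalog": {"id": prof["id"], "controls": list(merged.values())}}


def resolve_stack():
    """Resolve baseline then overlays; each resolved catalog becomes a new source."""
    sources, out = dict(SOURCES), {}
    for prof in (MODERATE_PROFILE, HVA_OVERLAY, PHI_OVERLAY):
        cat = resolve(prof, sources)
        sources[cat["catalog"]["id"] + ".json"] = cat
        out[cat["catalog"]["id"]] = cat
    return out


def part_prose(catalog, control_id, name):
    """Prose of each top-level part called `name`, followed by its sub-parts."""
    ctl = next(c for c in catalog["catalog"]["controls"] if c["id"] == control_id)
    return [sub["prose"] for p in ctl["parts"] if p["name"] == name
            for sub in [p, *p.get("parts", [])]]


if __name__ == "__main__":
    resolved = resolve_stack()
    for cid, cat in resolved.items():
        print(cid, json.dumps(part_prose(cat, "ac-2", "guidance")))
```

Because each overlay imports the previously resolved catalog by href, Moderate-HVA-PHI falls out of chaining the two overlays rather than maintaining a ninth hand-built catalog, and the K (guidance) part ends up with two sub-part supplements exactly as the list in the issue predicts. The deep copies in `_select` are what keep the three FISMA catalogs untouched when an overlay is applied on top of them.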

Cool cool. So where would you want to do "that"? Last time I said hey, let's try the NIST approach with CI/CD, and you suggested you would/want to write your own tooling in Python, perhaps around compliance-io, am I remembering correctly?

xee5ch avatar May 19 '22 02:05 xee5ch

The current CMS_ARS_5_0_catalog.json was created with a (messy but functional) parser using compliance-io:

python complianceio/catalog.py ../ARS\ Full\ Principle_Single_Assessment_Current\ V5.01_0.xlsx -t CMS_ARS_5_0_catalog > ars52.json

I figure the next step is to remove hva_standards and privacy_standards to create the source Catalog, then create the three FISMA Profiles and figure out how to resolve. Finally, create the PII/PHI and HVA overlay Profiles and figure out how to resolve those against the FISMA Catalogs.

Does that seem a reasonable approach?

openprivacy avatar May 19 '22 13:05 openprivacy

I obviously needed my coffee! While the compliance-io "parser" may be useful, I would like to embrace the "NIST approach with CI/CD" that I believe you started in https://github.com/CMSgov/ars-machine-readable/pull/13

openprivacy avatar May 19 '22 14:05 openprivacy

Sounds great, perhaps I find a way to move forward with the updated JSON catalog you brought into this repo.

I love to see the forward progress and the community advance! Thanks for following up with me.

xee5ch avatar May 19 '22 16:05 xee5ch

Just created https://github.com/CMSgov/ars-machine-readable/pull/18 with new class: "Supplemental" and the associated https://github.com/CivicActions/compliance-io/pull/38 that has a flag to not include PII/HVA (as those should be a separate overlay (my current thinking))

openprivacy avatar May 19 '22 16:05 openprivacy