
[Question] Does OSCAL look like it could / should be integrated in the future?

Open neoakris opened this issue 4 years ago • 5 comments

Is your feature request related to a problem? Please describe. I don't have a problem, this is more of a question that could turn into a feature?

I recently discovered 2 tools, openrmf.io and OSCAL, and they sound like they might be a good fit for integrating together, so I was curious if any of the developers were aware of OSCAL and if they have any thoughts on if it might be integrated in the future. Note: I'm ignorant on the deep end of the rabbit hole of security controls, RMF, NIST, etc., but I'm also mildly interested in them as the idea of automating compliance sounds cool, which led me to some googling.

https://pages.nist.gov/OSCAL/ From their page: "NIST, in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results."

It sounds like it's supposed to help automate NIST RMF documentation, just like openrmf.io, which made me check the openrmf-docs again, but I saw no mention of it.
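To make the quoted OSCAL description concrete, here is an added example (not part of the original issue, and not OpenRMF or NIST code) that walks a catalog in OSCAL's JSON shape and indexes its controls. The sample catalog is constructed for this example; the field names (`catalog`, `groups`, `controls`, `id`, `title`) follow the published OSCAL catalog model as the editor understands it, and the nesting of controls inside groups and inside other controls is the part a tool reading control catalogs has to handle.

```python
import json

# Constructed sample shaped like an OSCAL catalog document (JSON serialization).
# Field names follow the OSCAL catalog model as understood by the editor; the
# identifiers and titles below are invented for the example, not real catalog data.
SAMPLE_CATALOG = json.dumps({
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Example catalog (constructed)", "version": "0.1"},
        "groups": [
            {
                "id": "ac",
                "title": "Access Control",
                "controls": [
                    {"id": "ac-1", "title": "Policy and Procedures"},
                    {
                        "id": "ac-2",
                        "title": "Account Management",
                        # controls may carry nested enhancement controls
                        "controls": [
                            {"id": "ac-2.1", "title": "Automated System Account Management"}
                        ],
                    },
                ],
            },
            {
                "id": "au",
                "title": "Audit and Accountability",
                "controls": [{"id": "au-2", "title": "Event Logging"}],
            },
        ],
    }
})


def iter_controls(node):
    """Yield (id, title) for every control under `node`, in document order.

    Recurses into nested groups first, then into a control's own nested controls,
    so enhancements (e.g. ac-2.1) appear right after their parent (ac-2).
    """
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control["id"], control.get("title", "")
        yield from iter_controls(control)


def control_index(catalog_json):
    """Parse an OSCAL-shaped catalog JSON string into {control_id: title}."""
    doc = json.loads(catalog_json)
    return dict(iter_controls(doc["catalog"]))


def duplicate_ids(catalog_json):
    """Return control ids that occur more than once; a consumer should reject these
    rather than silently letting a later definition overwrite an earlier one."""
    doc = json.loads(catalog_json)
    seen, dupes = set(), []
    for cid, _ in iter_controls(doc["catalog"]):
        if cid in seen and cid not in dupes:
            dupes.append(cid)
        seen.add(cid)
    return dupes


if __name__ == "__main__":
    for cid, title in control_index(SAMPLE_CATALOG).items():
        print(f"{cid:8} {title}")
    print("duplicates:", duplicate_ids(SAMPLE_CATALOG))
```

The same traversal applies unchanged to a real OSCAL catalog file once it is loaded, because the group/control nesting is the same; the duplicate-id check is the kind of sanity check a tool would want before using the catalog to key its own records.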

neoakris, Nov 09 '21 23:11

We track the OSCAL GitHub repo https://github.com/usnistgov/oscal-content for changes and such, yes. We are aware of that. For producing SSPs and assessment plans and results, we do have that as a future feature in the professional version of OpenRMF over at https://www.soteriasoft.com/ for sure. OSCAL can get you the formats for the documentation. It is not a tool necessarily but a format, model and structure to use and share for those documentation artifacts.

DaleBinghamSoteriaSoft, Nov 10 '21 11:11

we do have that as a future in the professional version of OpenRMF over at https://www.soteriasoft.com/ for sure.

I think future was a typo and you meant feature.

If the OSCAL format is supported today, it might be worth updating your documentation in the readme / website to point out that integration with the OSCAL format is supported. (It's also true that many folks check issue tickets, so feel free to close this if you want this to be the documentation that points out that it's supported.)

Thanks for the fast and accurate answer.

neoakris, Nov 10 '21 12:11

A "future feature" :) yes haha. I had not had my coffee yet.

OSCAL is not supported in the OSS version as of yet so we cannot say that. We read in SCAP 1.2 and 1.3, CKL, and .nessus and export XLSX and .CKL for now. We have this in the future but right now, we are putting effort into the Professional version to get a few more major features set for what people are asking.

DaleBinghamSoteriaSoft, Nov 10 '21 12:11

Is this still a "future feature"? Or has it made it into the Professional version at this point? If it is not yet implemented, do you have a roadmap for when it is expected to land?

the-real-jeremy-coleman, Feb 16 '24 14:02

OSCAL will take a lot of work. Realistically it will be in Professional but not in there yet. I think we have that pegged for v2.11 summertime.

But for OSS here, we won't be putting that work into a free tool that anyone can use. That does not mean others cannot fork the repo, do the work, and do PRs for basic OSCAL stuff to go into the OSS application. Just realize this is OSS, so free to use, cannot charge for it, support is via GH or Slack.

The one thing we do know we will put in here is the .cklb JSON that the powers-that-be decided to move to versus the XML standard that has been a working standard for 15+ years on checklist files.

DaleBinghamSoteriaSoft, Feb 16 '24 14:02