Is there an 800-53 control mapping for SAF itself?
In order to be used on Federal systems, software needs to be mapped to 800-53.
A mapping in OSCAL would be ideal.
- All security test results generated from or through SAF tools provide a mapping to the relevant NIST SP 800-53 controls.
- For InSpec profiles ("saf scan" - which points to our profiles at https://saf.mitre.org/#/validate), we pass through or code in the related nist tag association. STIGs naturally have the CCI association, which maps to specific NIST tags. We created a mapping from CIS controls to NIST controls to facilitate creation of InSpec profiles for CIS benchmarks with associated NIST 800-53. How we do this is detailed here: https://saf.mitre.org/#/faq#security-control-associations
- This brings us to the HDF format, (based on InSpec's json output format), which has a core nist tag requirement. See the format and schema here: https://saf.mitre.org/#/normalize
- Finally for all of the saf convert:{external tool}2hdf converters, we map all test results to relevant NIST SP 800-53 controls. How that happens depends on the original tool's own mappings. If they have NIST associations already, we map them to the HDF NIST tag. If the tool doesn't provide a NIST SP 800-53 reference, we've worked on mappings to other references such as CWE or OWASP Top 10.
Hope that helps to clarify. For more on the SAF framework, please visit https://saf.mitre.org/#/, or email if you'd like to discuss at [email protected]
Thanks!
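As an added illustration of the HDF nist-tag requirement and the CCI fallback mapping described in the answer above (example code, not saf-cli or any MITRE project code; written in JavaScript because saf-cli is JavaScript/TypeScript), the snippet below walks an HDF-shaped document and reports controls that still lack a NIST SP 800-53 tag. The CCI-to-NIST table and the sample document are constructed placeholders, not the DISA CCI list.

```javascript
// Added example, not project code. HDF follows the InSpec JSON shape:
// profiles[].controls[].tags, where tags.nist must be a non-empty array.
// Constructed placeholder table standing in for a real CCI -> 800-53 mapping.
const CCI_TO_NIST_EXAMPLE = {
  'CCI-EXAMPLE-1': ['CM-6 b'],
  'CCI-EXAMPLE-2': ['AC-3'],
};

// Fill in tags.nist from CCI references where a source tool supplied only
// CCIs (as STIG-derived content does); return ids of controls that still
// have no NIST tag so the caller can reject or hand-map them.
function ensureNistTags(hdf, cciTable = CCI_TO_NIST_EXAMPLE) {
  const missing = [];
  for (const profile of hdf.profiles ?? []) {
    for (const control of profile.controls ?? []) {
      control.tags = control.tags ?? {};
      const nist = control.tags.nist;
      if (Array.isArray(nist) && nist.length > 0) continue;
      const derived = (control.tags.cci ?? []).flatMap((c) => cciTable[c] ?? []);
      if (derived.length > 0) {
        control.tags.nist = [...new Set(derived)]; // de-duplicate shared controls
      } else {
        missing.push(`${profile.name}/${control.id}`);
      }
    }
  }
  return missing;
}

// Constructed sample HDF document: one control per case (already tagged,
// CCI-only, and a tool reference with no NIST association at all).
const sampleHdf = {
  profiles: [{
    name: 'constructed-profile',
    controls: [
      { id: 'V-1', tags: { nist: ['AC-2'] } },
      { id: 'V-2', tags: { cci: ['CCI-EXAMPLE-1', 'CCI-EXAMPLE-2'] } },
      { id: 'V-3', tags: { cwe: ['CWE-79'] } },
    ],
  }],
};

const untagged = ensureNistTags(sampleHdf);
console.log(JSON.stringify(sampleHdf.profiles[0].controls, null, 2));
console.log('controls without a NIST tag:', untagged); // ['constructed-profile/V-3']
```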
@ejaronne Thanks for the feedback. I actually meant for SAF itself.
As in, "as a user, I want to deploy SAF but my ISSO is asking for 800-53 control mappings for SAF before it can be deployed."
I'm not really tracking what you are asking for here. Can you give an example of a similar mapping on another tool? Are we taking the app dev SRG mapping to make a checklist?
@aaronlippold The compliance as code material for OpenShift is a massively complex example.
I was working under the theory that an application developed under Government contract would be designed for deployment and carry its FISMA-required artifacts along with it.
I suppose, at a minimum, a mapping of the product to the Application Development STIG would work.
Given the saf-cli is a set of JavaScript and TypeScript, the ASD would be the most applicable. This work would then be folded into the package for the system you would be deploying. Heimdall and Vulcan would have the ASD plus the DB STIG and the webserver STIG. The InSpec profiles and hardening content would not need a STIG alignment. Happy to chat on Zoom.
@aaronlippold That sounds reasonable. It sounds like the answer to my question is that there isn't one but there should be.