Fen Labalme
@tohch4 We would like someone to build profile resolution tooling in Python and JSON. If that ends up being us, we'll do it. ;-) We have not started yet (we're...
@tohch4 - We're building tools in several places: several repos under github.com/CivicActions, several in CMS-branded github. Goal is to make everything that we can FOSS and useful for all toolsets/applications/GRCs...
This is great. Yes, we see standard sets of controls (like the cmscloud-inherited controls from the compliance as a service team) being made available across CMS and ideally sanitized so...
A couple ideas... We're pulling the ARS Moderate profile into Blueprint now. As 800-53rev4 -> rev5 OSCAL transformations are being worked on (see e.g. http://xml.garygapinski.com/OSCAL/800-53-compare.html) I'd like to see us...
@xee5ch - From Leslie on the ARS team: > Above Baseline are the non-mandatory controls (in future iterations referred to as Supplemental) that systems can select as additional controls above...
Yes. I believe it should be straightforward to create the primary Catalog, the three (FISMA) Profiles and two (overlay) Profiles. It ought to be a fairly simple resolution requiring only...
The current [CMS_ARS_5_0_catalog.json](https://github.com/CMSgov/ars-machine-readable/blob/main/5.0/oscal/CMS_ARS_5_0_catalog.json) was created with a (messy-but-functional) parser using [compliance-io](https://github.com/CivicActions/compliance-io):

```
python complianceio/catalog.py ../ARS\ Full\ Principle_Single_Assessment_Current\ V5.01_0.xlsx -t CMS_ARS_5_0_catalog > ars52.json
```

I figure the next step is...
_I obviously needed my coffee!_ While the compliance-io "parser" may be useful, I would like to embrace the "NIST approach with CI/CD" that I believe you started in https://github.com/CMSgov/ars-machine-readable/pull/13
Just created https://github.com/CMSgov/ars-machine-readable/pull/18 with new `class: "Supplemental"` and the associated https://github.com/CivicActions/compliance-io/pull/38 that has a flag to not include PII/HVA (as those should be a separate overlay (my current thinking))
@tohch4 Are you suggesting that ARS be an overlay on top of default 800-53? This is what I would like to see...