compliance-trestle
Question: Leveraging Component Definitions
Question
For example, say I am using the NIST 800-53 catalog. I have established which controls are applicable to my environment; however, I need to write additional component definitions (CDs) for specific applications inside the environment and have them defined in the appropriate .json format.
How can users have trestle reference these CDs within the generated NIST 800-53 profile so that when an SSP is generated, it brings in the CDs as well, as shown in the OSCAL docs?
Reason for question
The documentation and demos do not provide ample documentation or examples of how a CD, custom or otherwise, can be referenced and added into the actual generated SSP.
Any support and help on this subject is appreciated.
I'm experiencing the same issue as @HerbBoy. Are there examples of how to assemble an SSP using component models that have been imported into trestle and are satisfying the controls within an imported profile? Or does this functionality not exist?
Hi @HerbBoy and @ride808, those are good questions. In short, we are going to have a release soon that will include updated documentation. Many recently added features are currently lacking documentation. With regard to CDs, we do not have that hooked into SSP generation yet, but that functionality will be added after the release. The current SSP generation involves putting content in the SSP markdown that would be better to have in the CDs. So now that we have functionality to create and edit CDs, we will then add functionality to create SSPs from them.
@fsuits thank you for the response.
Would you be able to provide an expected timeline for the next release or two?
@HerbBoy The next release with updated documentation should be in a few days, and the release involving ssp generation from CDs is perhaps 2 weeks as an estimate.
@fsuits are there development builds and development documentation that are accessible? Not full-blown releases, but is there a dev branch I could clone with the latest? I cloned this and tried to build from source but it ended up being the same version.
I am still looking through everything but figured I'd post this in case you respond before I figure it out.
@fsuits adding onto what @HerbBoy mentioned - if there are areas/issues we could help develop to get the component to ssp functionality moved forward/implemented we'd definitely consider helping by contributing back to the project.
Hi @HerbBoy @ride808 Sorry for the delay on the release but several unexpected issues came up. We have continuously updated the development branch so you can certainly work with it. In addition there is an initial stab at improved documentation in https://github.com/IBM/compliance-trestle/pull/1185 We expect work for this release to be completed very soon and then begin design for the updated ssp handling based on components. Help would be welcome but it requires breaking development into workable pieces. We will be discussing the needed changes for ssp handling with components and see if well defined items of work are possible.
Hi again @HerbBoy @ride808 Just making sure you are aware of our recent release of trestle 1.2.0 with updates to component handling and documentation. Please give it a try and we welcome feedback. There are a few more things to add to component handling and then we will switch to creating the ssp from the components.
@fsuits Been working with it since it was released. A couple comments:
Docs:
- CSV to CD does not have documentation posted; the CLI has an information option and I was able to tumble through, but not all the answers are available, as in what all the sections are meant to provide in terms of value.
- images are not posting (probably already aware of that one).
Question:
- for CSV, is it not intended to allow for multiple control mappings per line?
- CSV to CD does not have documentation posted; the CLI has an information option and I was able to tumble through, but not all the answers are available, as in what all the sections are meant to provide in terms of value.
Created issue https://github.com/IBM/compliance-trestle/issues/1243. Please add any specific suggestion you might have there. Thx!
- images are not posting (probably already aware of that one).
What images are not posting?
- for CSV, is it not intended to allow for multiple control mappings per line?
Yes.
- images are not posting (probably already aware of that one).
What images are not posting?
One example, this is from here:
@HerbBoy thanks for pointing out the image issue. I'll need to look into that. For now you can find the images in the docs/tutorials directory and view them online like this one: https://github.com/IBM/compliance-trestle/blob/develop/docs/tutorials/ssp_profile_catalog_authoring/trestle_ssp_author_options.png
Yeah we found them last week, just wanted to point it out just in case
@degenaro Before I make an issue about it, the CSVs appear to have issues with whitespace. Is this intended?
example valid: "I am ok." example invalid: "I am not ok. "
@HerbBoy Please do document the problem in an issue. Ideally, supply an example that fails (to be used to reproduce the problem) and say how it fails - exception, produced OSCAL is incorrect and here's why, etc. Also please indicate the severity. Thanks!
see #1247
@HerbBoy The documents have been fixed and are back online with a slightly different layout. Thanks to @enikonovad for getting them back up! https://ibm.github.io/compliance-trestle/
@HerbBoy @ride808 I can answer briefly your main question because it is currently being developed.
You can create component definitions using trestle now, and imp_reqs should have rules associated per component. If a control has imp_reqs and associated rules, it then means it needs an implementation response. So component-generate and assemble allow the specification of prose and status for each response.
ssp-generate will then take a profile and a list of comp-defs as input and generate markdown where the prose from the compdefs is filled in, separately for each component. And the implementation status is pulled in from the compdef for each response.
But normally a compdef does not have status associated, and the ssp needs to provide that. So the ssp markdown is used only to provide the overall response for This System - and to set the implementation status for all the responses. Again the only responses shown are those that have rules associated. And the prose that came from the compdef may not be edited, but the status may change. In addition the rule associations may not change by editing the markdown.
I hope this gives a flavor for how it is moving forward. It is a big change to how things worked but I'm hoping for a PR early next week.
@HerbBoy @ride808 This took much longer than expected, particularly with the holidays, but I have just merged the new approach to ssp generation using components. The documentation is also up to date, so the develop branch now has the functionality. It's important to note the role of "rules" in the overall design, so please look at the documentation on how they are defined via props.
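Since the comments above make the rule associations the thing that decides which controls get a response in the generated SSP, a practitioner will want to sanity-check a hand-written component definition before feeding it in. The script below is an added example, not code from the trestle project or from anyone in this thread: it walks a minimal OSCAL component-definition JSON, reports which implemented requirements reference rules (and therefore need a response), and flags any rule a requirement references that its component never declared. The prop names `Rule_Id` / `Rule_Description`, the grouping of a rule's props by their `remarks` value, and the sample document itself are assumptions for illustration.

```python
"""Added check for an OSCAL component definition: which implemented requirements carry
rules (and so need an implementation response in the SSP), and whether every rule a
requirement references is actually declared on its component. Illustration only."""
import json
from collections import defaultdict

# Assumed trestle convention (not confirmed by the thread): rules are declared on a
# component as Rule_Id / Rule_Description props, grouped by a shared `remarks` value,
# and an implemented requirement references a rule with a Rule_Id prop of its own.
RULE_ID = "Rule_Id"
RULE_DESC = "Rule_Description"

# Constructed sample component definition (fixed UUIDs, made-up service; not project data).
SAMPLE_COMPDEF_JSON = json.dumps({
    "component-definition": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Example app", "last-modified": "2023-01-01T00:00:00Z",
                     "version": "0.1", "oscal-version": "1.0.4"},
        "components": [{
            "uuid": "00000000-0000-4000-8000-000000000002",
            "type": "software",
            "title": "payments-api",
            "description": "Constructed example service",
            "props": [
                {"name": RULE_ID, "value": "tls-only", "remarks": "rule_1"},
                {"name": RULE_DESC, "value": "Listeners accept TLS 1.2+ only", "remarks": "rule_1"},
                {"name": RULE_ID, "value": "audit-enabled", "remarks": "rule_2"},
                {"name": RULE_DESC, "value": "Request audit logging is on", "remarks": "rule_2"},
            ],
            "control-implementations": [{
                "uuid": "00000000-0000-4000-8000-000000000003",
                "source": "profiles/my_profile/profile.json",
                "description": "Controls implemented by payments-api",
                "implemented-requirements": [
                    {"uuid": "00000000-0000-4000-8000-000000000004", "control-id": "sc-8",
                     "description": "Traffic is encrypted in transit.",
                     "props": [{"name": RULE_ID, "value": "tls-only"}]},
                    {"uuid": "00000000-0000-4000-8000-000000000005", "control-id": "au-2",
                     "description": "Audit events are logged.",
                     "props": [{"name": RULE_ID, "value": "audit-enabled"},
                               {"name": RULE_ID, "value": "mfa-required"}]},   # never declared
                    {"uuid": "00000000-0000-4000-8000-000000000006", "control-id": "ac-1",
                     "description": "Policy prose only, no rule attached."},
                ],
            }],
        }],
    }
})


def load_compdef(text: str) -> dict:
    """Parse a component-definition JSON document into a dict."""
    return json.loads(text)


def declared_rules(component: dict) -> dict:
    """Map Rule_Id -> Rule_Description for the rules declared in a component's props."""
    groups = defaultdict(dict)
    for prop in component.get("props", []):
        if prop.get("name") in (RULE_ID, RULE_DESC):
            # A rule's id and description share a `remarks` key; a lone Rule_Id still counts.
            groups[prop.get("remarks", prop["value"])][prop["name"]] = prop["value"]
    return {g[RULE_ID]: g.get(RULE_DESC, "") for g in groups.values() if RULE_ID in g}


def check_rule_references(compdef: dict):
    """Return (needs_response, dangling).

    needs_response: {component title: {control-id: [rule ids]}} for every implemented
    requirement that references at least one rule. Requirements with no Rule_Id prop are
    omitted, mirroring the point that only rule-backed requirements get an SSP response.
    dangling: [(component title, control-id, rule id)] for references to undeclared rules.
    """
    needs_response, dangling = {}, []
    for comp in compdef["component-definition"].get("components", []):
        rules = declared_rules(comp)
        per_control = {}
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                refs = [p["value"] for p in req.get("props", []) if p.get("name") == RULE_ID]
                if not refs:
                    continue
                per_control.setdefault(req["control-id"], []).extend(refs)
                dangling.extend((comp["title"], req["control-id"], r) for r in refs if r not in rules)
        if per_control:
            needs_response[comp["title"]] = per_control
    return needs_response, dangling


def report(compdef_json: str) -> bool:
    """Print the responses an SSP would need; return True only if no reference is dangling."""
    needs, dangling = check_rule_references(load_compdef(compdef_json))
    for title, controls in needs.items():
        for control_id, rule_ids in controls.items():
            print(f"{title}: {control_id} needs a response (rules: {', '.join(rule_ids)})")
    for title, control_id, rule in dangling:
        print(f"ERROR {title}: {control_id} references undeclared rule '{rule}'")
    return not dangling


if __name__ == "__main__":
    raise SystemExit(0 if report(SAMPLE_COMPDEF_JSON) else 1)
```

Run against the constructed sample, `sc-8` and `au-2` are listed as needing a response, `ac-1` is not (it has no rule), and the script exits non-zero because `au-2` references `mfa-required`, which `payments-api` never declares. Point it at a real `component-definition.json` by replacing the sample text with the file's contents.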
Great! Thanks @fsuits. I had a look at the merged feature. I'll work on trying out the new functionality this week. At what point do you think this will make a trestle release?
Thanks @ride808 and I appreciate any feedback you might provide. This is a big change and will bump trestle to 2.0 so we want to make sure no additional breaking changes are needed - including the internal API and not just the CLI functionality. So I expect some weeks of testing - perhaps 2-3 prior to a release.
@fsuits any plan for when you'll be cutting the next release that will have SSP generation from components in place?
@ride808 We are aiming to do a release very soon - hopefully within a week if testing goes well.