Customer Responsibility Matrix (CRM) Transform #713

Open
3 tasks
brian-ruf opened this issue Jul 21, 2020 · 8 comments
Labels: Aged (issues older than 2023-01-01), enhancement, Research, Scope: Modeling (development of OSCAL formats), Scope: Tooling and APIs (tooling and APIs to support OSCAL content creation and use), User Story

Comments

@brian-ruf
Contributor

User Story:

As an OSCAL SSP Author, I need to extract customer responsibilities from my OSCAL-based SSP and provide an OSCAL file to customers using the component model syntax.

Two common use cases include:

  1. Leveraged cloud systems, such as where an authorized IaaS or PaaS is selling services to customers who are establishing a SaaS.
  2. Legacy government data centers where an authorized general support system (GSS) is leveraged by several individual systems within the data center - not all of which have the same system owner.

Background

We are considering three possible scenarios for leveraged authorizations:

  1. The downstream customer is entitled to have access to the entire SSP of the leveraged system. (Ideal situation - no transform needed)
  2. The downstream customer is not entitled to have access to the entire SSP of the leveraged system. (The reason for this issue.)
  3. The downstream customer is authoring their SSP using OSCAL, however, the system being leveraged has no OSCAL-based SSP to adopt. (Must be handled another way.)

In other words, this issue assumes:

  • both the leveraged system and leveraging system are using OSCAL for SSP content;
  • the leveraging customer is not entitled to have access to the leveraged system's complete SSP; and
  • a downstream consumer (such as a leveraging agency) is entitled to have access to both the leveraged and leveraging SSPs, thus would benefit from the ability to reconnect the two, such that an individual control can be adjudicated in the context of both the leveraging and leveraged system's implementation.

Goals:

Create a transform to extract customer responsibility statements from an SSP and transform them to component syntax suitable for delivery to customers. This means the resulting file must:

  • Use component syntax, such that the leveraged system's content can be imported into the leveraging client's SSP;
  • Include only the information from the leveraged system's SSP that the leveraging system's SSP author needs to know (and is entitled to know);
  • Include linkages to the leveraged system's full SSP such that a downstream consumer can re-connect the two SSPs for holistic adjudication of individual controls;
  • Include sufficient detail about the leveraged system to ensure it is identified correctly (system name, authorization date, authorizing official(s), system owner, primary system POC,

Dependencies:

This is related to issue #572.

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
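The goals above describe a transform whose security-relevant property is an allow-list: only content the leveraged system has explicitly marked for export reaches the customer, everything else in the SSP stays private, and each exported item carries a link back to the full SSP so an entitled downstream reader can reconnect the two. The following Python is an added illustration of that shape, not NIST's or FedRAMP's transform. It assumes the OSCAL 1.0 SSP convention where leveraged-authorization content lives under by-component/export (provided and responsibilities); the prop namespace, the link rel tokens, the set of roles worth sharing, and the embedded sample SSP (with short placeholder identifiers rather than schema-valid UUIDs) are all constructed for this example.

```python
"""Illustrative CRM transform: OSCAL SSP (JSON dict) -> component-definition (JSON dict).

Added example, not the project's own code. Assumed: OSCAL 1.0 field names,
by-component/export as the source of customer-facing text, and the made-up
NS / rel tokens below. Sample input is constructed; "INTERNAL" marks text that
must never reach the customer-facing output.
"""
import json
import uuid

NS = "https://example.test/ns/crm"          # assumed prop namespace (not an official one)
SHARE_ROLES = {"authorizing-official", "system-owner", "system-poc-management"}  # assumed allow-list

SAMPLE_SSP = {"system-security-plan": {            # constructed, not a real system
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {
        "title": "Example IaaS SSP", "last-modified": "2021-07-01T00:00:00Z",
        "version": "1.0", "oscal-version": "1.0.0",
        "roles": [{"id": "system-owner", "title": "System Owner"},
                  {"id": "authorizing-official", "title": "Authorizing Official"},
                  {"id": "isso", "title": "ISSO"}],
        "parties": [{"uuid": "p-owner", "type": "person", "name": "Owner Person"},
                    {"uuid": "p-ao", "type": "person", "name": "AO Person"},
                    {"uuid": "p-isso", "type": "person", "name": "ISSO Person"}],
        "responsible-parties": [{"role-id": "system-owner", "party-uuids": ["p-owner"]},
                                {"role-id": "authorizing-official", "party-uuids": ["p-ao"]},
                                {"role-id": "isso", "party-uuids": ["p-isso"]}]},
    "import-profile": {"href": "https://example.test/profiles/moderate.json"},
    "system-characteristics": {"system-ids": [{"id": "EX-IAAS-001"}],
                               "system-name": "Example IaaS", "date-authorized": "2020-01-15"},
    "control-implementation": {"implemented-requirements": [
        {"uuid": "ir-ac-2", "control-id": "ac-2", "by-components": [{
            "uuid": "bc-ac-2", "component-uuid": "this-system",
            "description": "INTERNAL: hypervisor account procedures, runbook section 4.",
            "export": {
                "provided": [{"uuid": "pv-1", "description": "Account management for the hypervisor layer."}],
                "responsibilities": [{"uuid": "rs-1", "provided-uuid": "pv-1",
                                      "description": "Customer manages accounts inside its tenant."}]}}]},
        {"uuid": "ir-pe-3", "control-id": "pe-3", "by-components": [{
            "uuid": "bc-pe-3", "component-uuid": "this-system",
            "description": "INTERNAL: badge reader vendor and data-center address.",
            "export": {"provided": [{"uuid": "pv-2",
                                     "description": "Physical access control for all hosting facilities."}]}}]},
        {"uuid": "ir-si-4", "control-id": "si-4", "by-components": [{
            "uuid": "bc-si-4", "component-uuid": "this-system",
            "description": "INTERNAL: SIEM architecture and detection rules."}]}]}}}


def build_crm(ssp_doc, ssp_href):
    """Return a component-definition holding only exported content, with links back to ssp_href."""
    ssp = ssp_doc["system-security-plan"]
    meta, chars = ssp["metadata"], ssp["system-characteristics"]
    parties = {p["uuid"]: p for p in meta.get("parties", [])}

    # Identification detail: only the roles a customer needs to identify the leveraged system.
    resp_parties = [rp for rp in meta.get("responsible-parties", []) if rp["role-id"] in SHARE_ROLES]
    keep = []
    for rp in resp_parties:
        keep += [u for u in rp["party-uuids"] if u not in keep]

    impl_reqs = []
    for ir in ssp["control-implementation"]["implemented-requirements"]:
        provided, responsibilities, links = [], [], []
        for bc in ir.get("by-components", []):
            exp = bc.get("export")
            if not exp:
                continue  # nothing exported: the by-component's narrative stays private
            provided += [p["description"] for p in exp.get("provided", [])]
            responsibilities += [r["description"] for r in exp.get("responsibilities", [])]
            # Fragment link so an entitled downstream reader can reconnect to the full SSP.
            links.append({"href": ssp_href + "#" + bc["uuid"], "rel": "leveraged-by-component"})
        if not provided and not responsibilities:
            continue  # control offers the customer nothing: omit it entirely
        desc = ("Provided by the leveraged system: " + " ".join(provided)) if provided else ""
        if responsibilities:
            desc += (" " if desc else "") + "Customer responsibility: " + " ".join(responsibilities)
        impl_reqs.append({"uuid": str(uuid.uuid4()), "control-id": ir["control-id"], "description": desc,
                          "props": [{"name": "customer-responsibility", "ns": NS,
                                     "value": "yes" if responsibilities else "no"}],
                          "links": links})

    component = {
        "uuid": str(uuid.uuid4()), "type": "service", "title": chars["system-name"],
        "description": "Leveraged system " + chars["system-name"] + " (customer responsibility matrix)",
        "props": [{"name": "system-id", "ns": NS, "value": chars["system-ids"][0]["id"]},
                  {"name": "date-authorized", "ns": NS, "value": chars["date-authorized"]}],
        "links": [{"href": ssp_href, "rel": "leveraged-ssp"}],
        "responsible-roles": [{"role-id": rp["role-id"], "party-uuids": rp["party-uuids"]} for rp in resp_parties],
        "control-implementations": [{"uuid": str(uuid.uuid4()), "source": ssp["import-profile"]["href"],
                                     "description": "Controls inherited from " + chars["system-name"],
                                     "implemented-requirements": impl_reqs}]}
    return {"component-definition": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "CRM for " + chars["system-name"], "last-modified": meta["last-modified"],
                     "version": meta["version"], "oscal-version": meta["oscal-version"],
                     "roles": [r for r in meta.get("roles", []) if r["id"] in SHARE_ROLES],
                     "parties": [parties[u] for u in keep if u in parties]},
        "components": [component]}}


def leaks(doc, marker):
    """Release gate: True if any serialized output text contains marker (e.g. 'INTERNAL')."""
    return marker in json.dumps(doc)


if __name__ == "__main__":
    crm = build_crm(SAMPLE_SSP, "https://example.test/ssp/iaas.json")
    assert not leaks(crm, "INTERNAL")
    print(json.dumps(crm, indent=2))
```

The transform copies nothing by default: a by-component without an export block, a party in a role outside the allow-list, and the free-text implementation narrative all fail to appear in the output, so a new SSP field cannot leak without someone adding it to the transform. The `leaks` gate is the kind of check worth running in CI before a CRM leaves the leveraged system's boundary, with the marker replaced by whatever the organisation uses to tag restricted narrative.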
@david-waltermire added the Scope: Modeling and Scope: Tooling and APIs labels Sep 11, 2020
@brian-ruf brian-ruf changed the title CRM Transform Customer Responsibility Matrix (CRM) Transform Oct 5, 2020
@brian-ruf
Contributor Author

brian-ruf commented Oct 5, 2020

THIS COMMENT WAS MOVED TO ISSUE #722, WHICH IS A MORE APPROPRIATE LOCATION
#722 (comment)

@brian-ruf brian-ruf self-assigned this Oct 5, 2020
@pburkholder

pburkholder commented Oct 6, 2020

Is there support for generating a CRM via transform for any of these three scenarios: full SSP access, CRM only access, or legacy CRM?

@brian-ruf
Contributor Author

@pburkholder
Short answer: It's in-plan.

Longer answer:
The plan is to complete the CRM modeling in issue #722. This will become a priority later October and into November.

Once that is complete, NIST intend to create and publish a transform to automatically extract the leveraged authorization content from the SSP and generate the CRM file.

@ohsh6o
Contributor

ohsh6o commented Jul 23, 2021

Is there example code of this CRM transform that was drafted for this or #722? We (FedRAMP) and NIST had begun work in GSA/fedramp-automation on the CIS and CRM tooling and it appears @wendellpiez maintains a WIP copy of this code in his fork of our code. Is this related or a pure NIST-only CIS/CRM effort?

/cc @GaryGapinski

@wendellpiez
Contributor

@ohsh6o it looks like work on presenting a POA&M would be in an XSLT here: https://github.com/wendellpiez/fedramp-automation/blob/oscal-presentation/resources/oscal_poam_html.xsl - it appears to accept POA&M input along with an associated SSP?

However, this is only presentation: a "view". Generating an OSCAL POA&M is a different matter.

@ohsh6o
Contributor

ohsh6o commented Jul 28, 2021

@wendellpiez Sorry I'm confused, what does the CRM have to do with the POA&M?

@iMichaela
Contributor

@wendellpiez and @ohsh6o The Customer Responsibility Matrix (FedRAMP's approach) or the broader System Security Responsibility Matrix concept are different from the question raised in issue #945 over the potential use of POA&M model to document the system's risks during the categorization, selection, and implementation during the implementation phase, pre-assessment. The CRM transformation should 'export' information related to controls that can be inherited and the customers' responsibilities to complete the inherited controls' implementation.

@ohsh6o
Contributor

ohsh6o commented Aug 12, 2021

Now that I heard about this in today's model meeting, I have a better sense of this work and the implications. Like I said in #722, let me know how I can help out; I have an active need for this tooling!

Projects
Status: DEFINE Research Needed
Development

No branches or pull requests

8 participants