We Need a Newbie Guide to OSCAL

[xee5ch]

@trevorbryant and I chat from time to time, and I talk to him about OSCAL a lot these days. After the 2nd OSCAL Dev Days this month, he still had some really good questions, even after watching some presentations, so that means many others must want these questions answered and the public material and presentations are probably not 100% clear. I totally agree on that front!

From what I understand, OSCAL 1.0 is just a schema.Who will be responsible for maintaining the schema?

Who is responsible for producing solutions to point-and-click and create documentation?

What will get assessors, privacy officers, legal teams, operations, etc to use all of this?

How do I take enterprise scanning and integrate, from engine to engine, configuration settings and map to OSCAL to report current configuration status per system?

What will make OSCAL enterprise ready?

(I talked to him and asked for permission to surface here, so I don't think he'll mind!)

I know he is an experienced security engineer and these are thought provoking questions. I am thinking I will kick off a blog post series on oscal.club and get feedback on gaps and hopefully focus efforts where more follow-on content is needed.

[xee5ch]

Update on this: I will try to learn how to fix the branding and clean up the website generator source to built website build process with Github Actions, then begin work on this!

[gayleb]

@xee5ch
Apologies in advance if I'm intruding on a thread - I am a good candidate for the lowest common denominator in OSCAL newbs.
I have similar request and concern as @trevorbryant. He's the technical side of the coin and I'm the compliance side of the coin.

I am a security / compliance / governance specialist with many many years of deep NIST experience. I really want to embrace OSCAL and automation - but I don't code (not entirely true, I know my way around SQL, HTML, and basic Markup, but JSON, Python, YML, not so much). My concern is that subject matter expertise may become less valuable than the engineering talent it takes to establish and manage these artifacts and their distribution once converted from MS Office to something programmatic.

I think "success" will take BOTH skill sets.
As a result, I need to push my boundaries and develop the necessary technical knowledge to prevent becoming obsolete.
I either need to know how to specify what I need for the technical talent or I need to become technically skilled or maybe both.
Tbh, I'd like to learn enough about this to make it a fun place to take my expertise.

At this time, I have NO idea where to start.
I can write SSPs and POAMs and Control Summaries in my sleep, but getting to even that first step in the OSCAL direction is elusive.

Kinda reminds me when I was a consultant for a software company and the training was basically, "now assuming you have a properly configured web server, let's install the software and script the basic schema" - at the time I had no idea what a web server or a script was or how you would do either. I eventually learned, but it took longer than your average bear to come up to speed.

I have an SSP. and a POAM, and I figure I can start by learning to convert either to OSCAL format, but what does that mean? How do I do that? Why would I do that? What syntax do I need to know, and where can I learn that? Do I need to work in the cloud or on a virtual machine? At least a year ago I started looking around but there is no OSCAL for Dummies that could give me the answers.

I think the strongest resources in the future will have both controls and compliance depth AND the ability to work at a technical level with OSCAL-formatted items. I am eager to learn but totally intimidated at the same time. How do I get there?
Thanks,
Gayle Berkeley

[xee5ch]

@xee5ch
Apologies in advance if I'm intruding on a thread - I am a good candidate for the lowest common denominator in OSCAL newbs.

Excellent, @gayleb, welcome to our fledgling little community!

I am a security / compliance / governance specialist with many many years of deep NIST experience. I really want to embrace OSCAL and automation - but I don't code (not entirely true, I know my way around SQL, HTML, and basic Markup, but JSON, Python, YML, not so much). My concern is that subject matter expertise may become less valuable than the engineering talent it takes to establish and manage these artifacts and their distribution once converted from MS Office to something programmatic.

I think that is an important perspective, and one I have heard before in passing conversation, but not in a forum like this. So this is my personal opinion, but I do not think your subject matter expertise is going away, but it has to change.

For specialists that understand the requirements, I do not think they have to intimately understand the OSCAL information models, XML, and JSON data models. A new generation of collaborative tooling is being created, and extant tooling will evolve. Microsoft Office and PDF will be a final destination, not the primary format for exchanging and reviewing and modifying data.

SMEs, like yourself, will need to work more closely with engineers to negotiate in advance what common technical implementations properly meet the strategic compliance objectives like never before, and make them reusable. OSCAL is designed to aggressively leverage this concept, they call this model components. Other Compliance-as-Code platforms tried this before, sometimes slightly different styles (in the case of OpenControl) and with different names in other standards, but the idea remains.

Build component building blocks, generalizing, and encouraging public exchange of composable capabilities and architectures will be paramount. In short, this just means the SMEs role will be towards a public advocate and community builder, and do more of what they did before, but facing externally instead of internally with agency partners. The tooling will evolve for that purpose, and you will not become a full-stack engineer. You will be required to more deeply interact with them, more frequently, to collaborate on the architectures and how to build validation steps side by side.

Does that make sense?

I think "success" will take BOTH skill sets.
As a result, I need to push my boundaries and develop the necessary technical knowledge to prevent becoming obsolete.
I either need to know how to specify what I need for the technical talent or I need to become technically skilled or maybe both.
Tbh, I'd like to learn enough about this to make it a fun place to take my expertise.

At this time, I have NO idea where to start.
I can write SSPs and POAMs and Control Summaries in my sleep, but getting to even that first step in the OSCAL direction is elusive.

I think that is an important question. But even given your summary of your role and background, I think I need to know more: do you need to support individual information systems in different organizations or agencies, or you need to work at the higher level and work CIO/CISO teams to oversee whole information security programs? I see these as different personalities, or personas in development terms, and think that changes the answer for you, even if they are overlapping.

But for most people, if we talk baby steps, the baselines is always where we start! But, obviously, the answer is far more complicated than that.

Kinda reminds me when I was a consultant for a software company and the training was basically, "now assuming you have a properly configured web server, let's install the software and script the basic schema" - at the time I had no idea what a web server or a script was or how you would do either. I eventually learned, but it took longer than your average bear to come up to speed.

I think that anecdote is very apt. The message leads me to my previous comment: OSCAL data models are notional and it is helpful to understand them, for the sake of mechanical sympathy](https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.concept.mechanical-sympathy.en.html), but not a requirement. We are not there yet, but a whole class of tools will abstract that away from you. To go back to your metaphor with this web application: someone in your position needs to focus on the business case and what that web application should accomplish. To bring that to OSCAL: what are the captabilities you want to standardize on, and what are the most common or sound ways you and technical staff want to see them implemented? What are the different modalities you can use to verify them (through interviews, examination, offensive security testing, et cetera)?

I have an SSP. and a POAM, and I figure I can start by learning to convert either to OSCAL format, but what does that mean? How do I do that? Why would I do that? What syntax do I need to know, and where can I learn that? Do I need to work in the cloud or on a virtual machine? At least a year ago I started looking around but there is no OSCAL for Dummies that could give me the answers.

How do you create, update, and review drafts of SSPs and POA&Ms now? Do you edit collaboratively frequently with a team from the beginning, or periodically at toll-gate meetings? I think these are important first questions, and change the best way for you to begin your path into OSCAL-friendly existence (note I do not say: your first steps into OSCAL development and coding, welcome to developer bootcamp!)

I think the strongest resources in the future will have both controls and compliance depth AND the ability to work at a technical level with OSCAL-formatted items. I am eager to learn but totally intimidated at the same time. How do I get there?

I 100% agree. I think we are at the point in the community I need to start with examples to flesh this out, because it is hard to cogently argue without some straw-men to tear down and constructively critique.

In short, I think it is time to take a page from some like minded-people in the OpenControl community and attempt something like the Freedonia project, with fake agencies, a fake assessment project (FRAMP), and components around common cloud services and notional policies and processes.

Thoughts?