The National Institute of Standards and Technology is partnering with the Federal Risk and Authorization Management Program, or FedRAMP, to remove some of the arduous parts of the cloud security certification process.
Through the development of a common machine-readable language known as the Open Security Controls Assessment Language (OSCAL), NIST is bringing automation to the program.
David Waltermire, the technical lead for OSCAL at NIST, said that using the language in certification packages can reduce the time and effort it takes for companies to get FedRAMP certified.
“Typically that review involves an assessor looking into the information that is provided, and prior to OSCAL, a lot of that review requires sometimes a week or more of that assessor’s time to really dig in and look at the information provided in the assessments. A lot of that information that they are analyzing is really checking to see if required information is being provided within the package that the cloud service provider is submitting. This requires a lot of bookkeeping, which is something computers are good at,” Waltermire said on Ask the CIO. “The approach with OSCAL is representing this information in a way that computer programs can analyze the package and they can do a lot of the counting and quality checking on behalf of the assessor, saving a significant amount of time. What normally would take an assessor weeks to do, an OSCAL tool can perform in seconds.”
He said OSCAL lets machines do machine-worthy tasks and frees up the employee to focus on improving the security of systems.
Ashley Mahan, the FedRAMP director, said at a recent event sponsored by FCW that if the security materials can be put into this machine-readable language, it will set the stage for future automation efforts to reduce the time and effort needed to reach authorization.
She said in mid-August FedRAMP posted the language and schema to public repositories to gather feedback.
“We released some guidebooks. There are a lot of questions out there on ‘if I’m the end user and I want to develop these materials and use OSCAL, how do I go about that?’ So we developed some guidebooks to help train end users in how to use OSCAL,” she said. “We are working on converter tools. We are looking to meet stakeholders where they are at and provide some open source tools that will also help enable cloud service providers and agencies to use OSCAL as well. We will post those and open sourcing [for] them for the community to use and make them better.”
OSCAL uses seven models to express security control information, how controls are implemented and assessed, and the results of that assessment. It expresses the information in multiple formats (XML, JSON and YAML), and provides a common means to identify and version shared resources and to standardize assessment information.
Version 1.0 coming soon
Waltermire said NIST has been working on OSCAL for about four years and is about to release Version 1.0.
“We are looking to do a pilot of the draft,” he said. “FedRAMP has been a great collaboration partner. They have provided OSCAL with a lot of development resources and a rich set of use cases, system implementation examples and various process artifacts we have been working to support. We are working with FedRAMP and a handful of cloud service providers who are interested in submitting their FedRAMP packages directly in the OSCAL format.”
Milica Green, a compliance subject matter expert with Telos Corporation, said OSCAL will help decrease the complexity of cloud environments that can be multi-tenant and have multiple owners within the cloud stack.
“Each of these environments is tracking vulnerabilities and their continuous compliance using different tools with different ways to output data. There is no easy way to look at data from one tool to another tool, which means you need to export something out of your tool and import it into another one. You immediately are introducing human error, plus it’s not real-time reviewing of the evidence,” Green said. “So now having a standard way of moving this data between different tools saves a tremendous amount of time and effort for vendors and customers. The ability to easily and quickly move it between tools brings more context to fighting the threats within the cloud.”
Green said vendors providing governance, risk and compliance (GRC) tools will use OSCAL, as will the authorizing officials who assess the authorization package.
She said that once the security control and compliance information is exported to XML using the OSCAL schema, it can easily move between third-party assessors, FedRAMP’s Joint Authorization Board and agency analysts.
“The authorization package is quite a complex process because you have supporting documents to talk about your systems and describe how you are implementing security controls, but you are also providing evidence that comes from different tools like vulnerability scans or penetration testing, and then you are reporting it into FedRAMP templates,” Green said. “Now we are going away from having templates and Word documents and using a machine-readable format that anyone can easily assess through or write a script that can assess against this OSCAL package.”
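The bookkeeping check Waltermire describes earlier (does the package contain the required information, and does every control in the baseline have an implementation?) and the script Green says anyone could write against an OSCAL package could look like the following. This is an added example, not code from NIST, FedRAMP or Telos, and not an OSCAL validator: the catalog and system security plan below are constructed, cut-down imitations of OSCAL's JSON layout, and the field names it inspects (`metadata`, `import-profile`, `implemented-requirements`, `by-components`) are assumptions to be verified against the published schemas. It also assumes, for brevity, that the SSP points straight at the catalog; a real package would import a profile (baseline) that in turn selects controls from a catalog.

```python
import json

# Constructed sample catalog. Assumption: shaped after OSCAL's JSON catalog
# model (catalog -> groups -> controls -> nested controls), trimmed to a few
# fields. It is not a real NIST catalog.
CATALOG_JSON = """
{
  "catalog": {
    "uuid": "10000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Example catalog", "last-modified": "2020-09-01T00:00:00Z",
                 "version": "0.1", "oscal-version": "1.0.0"},
    "groups": [
      {"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-1", "title": "Policy and Procedures"},
        {"id": "ac-2", "title": "Account Management", "controls": [
          {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
      {"id": "au", "title": "Audit and Accountability", "controls": [
        {"id": "au-2", "title": "Event Logging"}]}
    ]
  }
}
"""

# Constructed sample system security plan (SSP), a simplified imitation of the
# OSCAL SSP model. It deliberately has gaps for the checker to find: a missing
# metadata field, a blank description, a duplicate entry, an unknown control
# and two catalog controls with no implementation at all.
SSP_JSON = """
{
  "system-security-plan": {
    "uuid": "10000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Example SSP", "last-modified": "2020-09-02T00:00:00Z",
                 "version": "0.1"},
    "import-profile": {"href": "#10000000-0000-4000-8000-000000000001"},
    "control-implementation": {
      "implemented-requirements": [
        {"uuid": "20000000-0000-4000-8000-000000000001", "control-id": "ac-1",
         "by-components": [{"component-uuid": "30000000-0000-4000-8000-000000000001",
                            "description": "Access control policy is reviewed annually."}]},
        {"uuid": "20000000-0000-4000-8000-000000000002", "control-id": "ac-2",
         "by-components": [{"component-uuid": "30000000-0000-4000-8000-000000000001",
                            "description": "   "}]},
        {"uuid": "20000000-0000-4000-8000-000000000003", "control-id": "ac-2",
         "by-components": [{"component-uuid": "30000000-0000-4000-8000-000000000001",
                            "description": "Accounts are provisioned through the IdM system."}]},
        {"uuid": "20000000-0000-4000-8000-000000000004", "control-id": "sc-7",
         "by-components": [{"component-uuid": "30000000-0000-4000-8000-000000000002",
                            "description": "Boundary protection via firewall."}]}
      ]
    }
  }
}
"""

# Assumption: these are the metadata fields a package must carry.
REQUIRED_METADATA = ("title", "last-modified", "version", "oscal-version")


def control_ids(node):
    """Yield every control id under a catalog node, walking nested groups and controls."""
    for group in node.get("groups", []):
        yield from control_ids(group)
    for control in node.get("controls", []):
        yield control["id"]
        yield from control_ids(control)  # enhancements nest under their parent control


def check_package(catalog_doc, ssp_doc):
    """Return counts plus a list of findings an assessor would otherwise tally by hand."""
    catalog = catalog_doc["catalog"]
    ssp = ssp_doc["system-security-plan"]
    findings = []

    # Required information present at all?
    for field in REQUIRED_METADATA:
        if not ssp.get("metadata", {}).get(field):
            findings.append(f"metadata: required field '{field}' is missing")
    if not ssp.get("import-profile", {}).get("href"):
        findings.append("import-profile: no href to the baseline the SSP claims to satisfy")

    # Coverage: every catalog control needs exactly one non-empty implementation.
    required = set(control_ids(catalog))
    reqs = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    covered = set()
    for req in reqs:
        cid = req.get("control-id", "<no control-id>")
        if cid not in required:
            findings.append(f"{cid}: implemented-requirement references a control not in the catalog")
        if cid in covered:
            findings.append(f"{cid}: duplicate implemented-requirement")
        covered.add(cid)
        descriptions = [bc.get("description", "").strip() for bc in req.get("by-components", [])]
        if not any(descriptions):
            findings.append(f"{cid}: no implementation description provided")
    for cid in sorted(required - covered):
        findings.append(f"{cid}: control in the catalog has no implemented-requirement")

    return {"controls_required": len(required),
            "controls_covered": len(required & covered),
            "findings": findings}


def run_check(catalog_json=CATALOG_JSON, ssp_json=SSP_JSON):
    """Parse both documents and run the check; returns the report dict."""
    return check_package(json.loads(catalog_json), json.loads(ssp_json))


if __name__ == "__main__":
    report = run_check()
    print(f"{report['controls_covered']}/{report['controls_required']} "
          "catalog controls have an implemented-requirement")
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the constructed documents, the check reports two of four catalog controls covered and six findings (the missing `oscal-version`, the blank and duplicate `ac-2` entries, the stray `sc-7`, and the uncovered `ac-2.1` and `au-2`). Because OSCAL also ships as XML and YAML, the same logic only needs a different loader in `run_check`; the field names and the checks stay the same, which is the portability point Green makes about moving a package between assessors and tools.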
Waltermire said the pilot will help NIST continue to iterate OSCAL and add features on an ongoing basis.
Industry incorporating OSCAL
Waltermire said he believes the time savings from using OSCAL will be significant, but the pilots will help bring real data to bear on that thesis.
“We recognize we are in a transition period where organizations are working to adopt OSCAL, which means there will be a mixture of tools that are capable of importing OSCAL and others who will continue to use Excel spreadsheets and Word documents like they have been,” he said. “Part of what we are working with FedRAMP on producing are generators that can take OSCAL data and build Word documents and Excel spreadsheets as part of the transition strategy.”
Green added that industry is looking at how it can incorporate OSCAL. She said Telos’ product, Xacta, already supports an XML format to make data movement easier, and that it plans to accept OSCAL as well in the future.
“When you take a look at our customers, they usually are not complying with one regulatory framework, but multiple different ones they have to comply with,” she said. “If you have an OSCAL catalog to show how you can comply with multiple frameworks, that will save time when you assess your system.”