The National Institute of Standards and Technology hopes to engage a broader community of stakeholders to drive its Open Security Controls Assessment Language program forward.
The open source “OSCAL” program could be a crucial component in helping agencies speed up the adoption of digital technologies, Department of Commerce Chief Information Officer André Mendes said at NIST’s fourth annual OSCAL workshop on Tuesday.
“We cannot just keep adding cybersecurity experts,” Mendes said. “It doesn’t work. It doesn’t scale. And so cyber defenses and processes must evolve.”
OSCAL is a set of structured data formats that provide “machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results,” according to NIST. The current formats are expressed in XML, JSON, and YAML.
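To make the catalog, baseline and system security plan relationship concrete, here is an added example (not from the article or from NIST's OSCAL repositories) that chains simplified, constructed OSCAL-shaped JSON documents: it flattens a catalog, resolves a baseline's selected control ids against it, and reports which baseline controls the SSP leaves unimplemented. The field names follow the OSCAL JSON layout, but the documents are cut down to the keys the check needs and are assumed sample data, not a real NIST catalog.

```python
import json

# Constructed, simplified OSCAL-shaped documents (sample data, not a real NIST catalog).
CATALOG_JSON = """{"catalog": {"metadata": {"title": "Sample catalog"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-1", "title": "Policy and Procedures"},
      {"id": "ac-2", "title": "Account Management"}]},
    {"id": "au", "title": "Audit and Accountability", "controls": [
      {"id": "au-2", "title": "Event Logging"}]}]}}"""

BASELINE_JSON = """{"profile": {"metadata": {"title": "Sample baseline"},
  "imports": [{"href": "#catalog",
               "include-controls": [{"with-ids": ["ac-2", "au-2", "zz-9"]}]}]}}"""

SSP_JSON = """{"system-security-plan": {"metadata": {"title": "Sample SSP"},
  "control-implementation": {"implemented-requirements": [
    {"control-id": "ac-2"},
    {"control-id": "ac-9"}]}}}"""


def catalog_controls(catalog: dict) -> dict:
    """Flatten a catalog's groups into {control-id: title}."""
    found = {}
    for group in catalog["catalog"].get("groups", []):
        for ctl in group.get("controls", []):
            found[ctl["id"]] = ctl["title"]
    return found


def resolve_baseline(profile: dict, controls: dict) -> set:
    """Collect the control ids a baseline selects by id; ids absent from the catalog are dropped."""
    selected = set()
    for imp in profile["profile"].get("imports", []):
        for inc in imp.get("include-controls", []):
            selected.update(i for i in inc.get("with-ids", []) if i in controls)
    return selected


def check_ssp_coverage(ssp: dict, baseline: set) -> dict:
    """Compare the SSP's implemented-requirements with the baseline: gaps and out-of-scope ids."""
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    implemented = {r["control-id"] for r in reqs}
    return {"baseline": sorted(baseline),
            "missing": sorted(baseline - implemented),
            "not_in_baseline": sorted(implemented - baseline)}


def run_check() -> dict:
    """Run the catalog -> baseline -> SSP chain on the sample documents."""
    controls = catalog_controls(json.loads(CATALOG_JSON))
    baseline = resolve_baseline(json.loads(BASELINE_JSON), controls)
    return check_ssp_coverage(json.loads(SSP_JSON), baseline)
```

On the sample data the check reports au-2 as a baseline control with no implementation statement and ac-9 as implemented but outside the baseline, which is the kind of automated package review the article's speakers describe.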
Mendes said OSCAL could be one tool to help agencies speed up the compilation and review of security authorization packages for software, oftentimes a laborious and months-long process.
“This is where something like OSCAL comes in, because the burden relief from something like OSCAL in terms of the old bureaucratic processes for [Authorization to Operate], for example, is enormous,” Mendes said. “The possibilities there are enormous. And they’re being realized, as OSCAL continues to be adopted.”
NIST rolled out version 1.0 of OSCAL in June 2021 and has released additional patches since then.
The program is working toward additional patch releases to “make sure that we can make some changes with bug fixes and feature improvements that do not break backwards compatibility with the old version so people can make reliable software,” Alexander Stein, the acting OSCAL Technical Director at NIST, said during the conference.
The OSCAL team also has a renewed vision for the project. NIST plans to work with stakeholders to develop OSCAL models that can be used by “organizations and cloud service providers to demonstrate seamless, continuous security assessment information exchange among them, by sharing information about the parts of their systems and how those parts should be assessed, without vendor lock-in,” according to Michaela Iorga, the OSCAL Strategic Outreach Director at NIST.
And a key aspect of NIST’s vision is engaging a broader community of stakeholders.
“We will accomplish this vision by increasing the engagement and collaboration with the community, private and public sectors, so OSCAL models reach the desired maturity state faster in support of a broader international adoption,” Iorga said.
Iorga proposed establishing a “community collaboration committee” to better organize and grow the OSCAL community.
“That will help the community to come forward as one voice, that helps the community to get organized internally,” Iorga said. “It’s something that we thought that this community can do to help also drive the OSCAL program and OSCAL development and maintenance further to a higher level.”
Some agencies have begun to embrace the open source language. The Centers for Medicare and Medicaid Services is putting OSCAL at the center of its plans to implement a continuous ATO process, CMS Chief Information Security Officer Robert Wood said.
“It is really exciting because it is a new and fresh way of doing software in the federal ecosystem, specifically doing compliance around the software we’re building, managing and running in the federal ecosystem,” he said. “And if there’s ever an institution where, ‘we’ve always done it this way,’ is so deeply ingrained, it’s probably the federal government. And this movement, this sort of change, the spearheading of doing compliance differently, is just really exciting to me.”
Elements of industry are also onboard. Amazon Web Services, IBM and Google all presented on OSCAL at this week’s conference, as did representatives from the Cloud Security Alliance and the Center for Internet Security.
Phil Venables, Google Cloud’s chief information security officer, said the open source language will be crucial to scaling security programs effectively across enterprises.
“The more we can kind of outpace attackers, the more we can stay ahead of threats, the more we can invent whole categories of control that defeat whole classes of attacks, and do that faster and faster across our extended enterprises, then ultimately, we win,” Venables said. “OSCAL is the fuel for how we’re going to wire all this stuff together.”
One of the primary federal partners on the OSCAL effort has been the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) for assessing and authorizing cloud services.
“The first step is getting OSCAL and our [Governance Risk and Compliance tool] online to make sure that we can automate the ingestion of packages,” Conrad said. “We’ve already done it once on a test case. We’re really excited about the resource savings across the board, not just for the [Joint Authorization Board] review teams, but for the cloud providers as well. Anything that we can do to make things better, stronger, faster, is going to benefit both government and industry.”
Lawmakers are also pushing agencies to streamline FedRAMP through automation. The FedRAMP Authorization Act of 2022, tucked into last year’s defense policy bill, directed GSA to come up with a plan for the automation of FedRAMP security assessments and reviews within one year.
The legislation also directed GSA to establish a Federal Secure Cloud Advisory Committee comprised of government and industry representatives to offer recommendations on how FedRAMP and related processes could be improved. GSA announced the inaugural members of the committee earlier this month. The board will be led by Technology Transformation Services Director Ann Lewis.
Meanwhile, Stein said OSCAL is a structured data format, meaning NIST needs different organizations to come to the table to help apply it to various frameworks and use cases.
“We really need a community of people to first establish what their controls are in their respective frameworks,” Stein said. “And that’s not just a push button thing. There are different ways you can structure that information. And often, a lot of these requirements are very much focused on human beings and being unstructured. So there’s a lot of work to do in the respective different frameworks before we can work across them.”