Discovery: Responsibility Modeling

[Compton-US]

This is a research effort that is currently in progress.

OSCAL SSP authors need the ability to export particular content pertaining to controls that can be inherited by another system, without exposing all content of the full SSP or of those inheritable controls. This exported content must be suitable for customers to import into a new SSP of the system which inherits controls.

The research effort issue is: #5

Spirals:

• Completed (1-2)
• Latest Draft (4)

Current Focus:

• Discussion of examples, and potential solutions for responsibility model.

[Compton-US]

Due to the upcoming conference, I'm shifting to mapping and the first spiral on that effort. I have a draft started for responsibility modeling, and linked above, but it is far from complete. I still have input from Valinder to process, including documentation of a CDefs > SSP > CDef concept he shared, and an issue of timing and how we envision the use of the CDef as a mechanism for the CRM.

I'm also working through some very important terms around when things happen, and what exists in day-to-day practice, versus ideals in a Matrix/Gitter Thread - Account Required that is open for comment. If you are reading this looking for an opportunity to participate, this is a place to be very opinionated about your experiences around SSP production and implementation of a system.

The goal for delivering this spiral was mid to late June, and to produce a change request for engineering to evaluate by end of June. So this is less of a delay, and more of an expected balancing of priority between the two important modeling concerns I'm working.

The only preliminary theme I can share at this point, is that using the Component Definition seems to be emerging as the place to share this responsibility information, but that we lack a couple of key assemblies to do it effectively. If you have an alternate view that a specific model would be desired, please get in contact with me over the next week or two so I can hear you!

cc @iMichaela @aj-stein-nist @nbg84

[trevor-vaughan]

I believe that this may be related usnistgov/OSCAL#1349

[Compton-US]

Absolutely! Thanks for surfacing this.

[Compton-US]

Input from Gitter.

Am i correct in my understanding that the "export" block, and therefore responsibilities are not part of the "component-definition" document type? So the only way to use them is with the heavier "system-security-plan" type?

---

Use case: we've got an internal PaaS which will take care of applying standardized configuration to things like AWS RDS, so then intent was to model that as a component so systems that leverage it would get the amended responsibilities since they're not the same as the vanilla RDS due to those standadrized configurations

[Compton-US]

Work on this has just started, so the progress is minimal. I have started to frame up assemblies that would impact the SSP and CDef model. The approach at the moment is just to normalize the responsibility related assemblies between the two models. This means it will appear to be a breaking change. Once we've focused on how this should work in general, and ensured we have the terminology/allowed values/cardinalities in an acceptable state, we can go back and look at potential compatibilities. I just do not want us to constrain our thoughts and produce something that is not where we need to be with the concepts.

Staging for all proposed changes (no merges yet, see below for the latest)

• https://github.com/usnistgov/OSCAL/tree/prototype-shared-responsibility-model

Specific Tags (Work in Progress)

• https://github.com/usnistgov/OSCAL/tree/compton-working-shared-responsibility

See the specific changes so far:

• usnistgov/OSCAL@develop...compton-working-shared-responsibility

I have quite a bit of feedback that I have not considered and attempted to apply -- so please be aware this is very early. If you have feedback that is new, please provide below. All is welcome. If you provided feedback and it appears to be ignored, hold those thoughts until the next update.

[Compton-US]

We've started publishing the draft documentation for prototype models. The documentation for mapping can be found here:

https://pages.nist.gov/OSCAL-Reference/models/prototype-shared-responsibility-model/

SSP and Component Definition will have modifications in the /components/control-implementations/implemented-requirements sections. Please note that element names and allowed values, and constraints are very conceptual and still need definition. Cardinalities and constraints are also not defined at the moment. Input is welcome.

Since the expectation is that the provided, satisfied, responsibility and inherited assemblies will all contain an exportable attribute, the export assembly will be flagged as deprecated.