This issue was moved to a discussion.

Support for NIST SP 800-161 Appendix F, for Executive Order 14028? #1085

Closed
rjb4standards opened this issue Jan 13, 2022 · 12 comments

@rjb4standards

Are there any plans to produce OSCAL artifacts for NIST 800-161 Appendix F, supporting Executive Order 14028?

@iMichaela
Contributor

@rjb4standards - Unfortunately the NIST OSCAL team does not have the cycles, any time soon, to generate the requested information.
If you are interested in the F-x tables in Appendix F of SP 800-161, those are good candidates for OSCAL profile(s). There are 2 ways of including the E.O. 14028 mapping:

  1. The catalog of controls will have to be altered first to include the E.O. 14028 mapping for the listed controls by using props; then the profile will import only the controls listed in the tables, bringing forward the mapping in the process.
  2. Alternatively, one can first generate a resolved profile with the listed controls from the F-x tables and then alter the obtained catalog to add the E.O. 14028 mapping, again using props. I think I prefer 2), so the 800-53 catalog remains intact.
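
A sketch of option 2 above, added here as an example (not code from the OSCAL project or from the commenter): build a profile that imports only the table's controls, resolve it, and attach the E.O. 14028 mapping as props on the resolved catalog, so the SP 800-53 source catalog is never modified. The control ids, the prop namespace and the mapping values are constructed placeholders.

```python
# Added example (not OSCAL project code): option 2, mapping added to the
# resolved catalog rather than to SP 800-53. All ids/values are placeholders.
import copy
import uuid

# Constructed stand-in for an SP 800-53 catalog (the real one is far larger).
SOURCE_CATALOG = {"catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "groups": [
        {"id": "sr", "controls": [
            {"id": "sr-3", "title": "Supply Chain Controls and Processes"},
            {"id": "sr-4", "title": "Provenance"}]},
        {"id": "ra", "controls": [
            {"id": "ra-5", "title": "Vulnerability Monitoring and Scanning"}]},
    ]}}

# Hypothetical F-x table selection and E.O. 14028 mapping (placeholder values).
FX_TABLE_CONTROLS = ["sr-3", "sr-4"]
EO_MAPPING = {"sr-3": "EO14028-SECTION-PLACEHOLDER", "sr-4": "EO14028-SECTION-PLACEHOLDER"}
EO_NS = "https://example.invalid/ns/eo-14028"  # assumed namespace, not an official one


def build_profile(catalog_href, control_ids):
    """OSCAL profile importing only the listed controls (include-controls/with-ids)."""
    return {"profile": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": "SP 800-161 Appendix F table profile (constructed)"},
        "imports": [{"href": catalog_href,
                     "include-controls": [{"with-ids": list(control_ids)}]}]}}


def resolve(catalog, control_ids):
    """Minimal stand-in for profile resolution: deep-copy just the selected controls."""
    wanted = set(control_ids)
    groups = []
    for g in catalog["catalog"]["groups"]:
        kept = [copy.deepcopy(c) for c in g.get("controls", []) if c["id"] in wanted]
        if kept:
            groups.append({"id": g["id"], "controls": kept})
    return {"catalog": {"uuid": str(uuid.uuid4()), "groups": groups}}


def add_eo_mapping(resolved, mapping):
    """Attach the E.O. 14028 mapping as a prop on each resolved control (option 2)."""
    for g in resolved["catalog"]["groups"]:
        for c in g["controls"]:
            if c["id"] in mapping:
                c.setdefault("props", []).append(
                    {"name": "eo-14028-mapping", "ns": EO_NS, "value": mapping[c["id"]]})
    return resolved
```

Because the props are written only to the deep-copied resolved catalog, the source catalog can be re-checked afterwards to confirm it carries no mapping props.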

@rjb4standards
Author

rjb4standards commented Jan 14, 2022

Thank you for the quick response, Michaela.

@sunstonesecure-robert

sunstonesecure-robert commented Jan 14, 2022 via email

@rjb4standards
Author

Thanks for offering to research this matter. I know that NIST SCRM is working on an update to Appendix F to provide the guidance needed to implement EO 14028, and the Senate passed legislation on Wednesday that would also fit into this category, i.e., training regarding cybersecurity supply chain risk assessments.

@aj-stein-nist
Contributor

I can bring it up to the CNCF supply chain group. Also, the Kubernetes Policy WG is working on Profile alignment, inclusive of supply chain management policies, so I can discuss if we can contribute back a PR to OSCAL. No guarantees, but we'll discuss options.

Do you have more details on this? You are looking into 800-161 (either appendix) and contributing it back, @sunstonesecure-robert?

@aj-stein-nist
Contributor

aj-stein-nist commented Jan 14, 2022

FYI we also have an open call in #1080 for use cases in components/SSPs. Not 100% relevant to this (re catalog, profile creation, and/or catalog mappings), but I am not sure someone has asked about "a component in a def or SSP that shows supporting evidence around 800-161 controls" yet. Just a thought! :-)

@rjb4standards
Author

Supporting evidence will be key for SP 800-161, but SBOM vulnerability reporting is also gaining momentum. This week Cyclone DX announced V 1.4 with support for vulnerability reporting in their NTIA-supported SBOM standard. I posted an article recently about the various methods for vulnerability reporting after receiving a message from Allan Friedman of CISA: https://energycentral.com/c/um/terminology-confusion-regarding-vulnerability-reporting

@aj-stein-nist
Contributor

Supporting evidence will be key for SP 800-161, but SBOM vulnerability reporting is also gaining momentum. This week Cyclone DX announced V 1.4 with support for vulnerability reporting in their NTIA-supported SBOM standard. I posted an article recently about the various methods for vulnerability reporting after receiving a message from Allan Friedman of CISA: https://energycentral.com/c/um/terminology-confusion-regarding-vulnerability-reporting

I will have to look later since this requires a membership and I cannot access it even with Javascript disabled. I will have to review from a personal workstation another time.

If you see how evidence of 800-161 and/or SBOM vulnerability reporting would fit into documenting an information system for federal government use and would like to experiment with that, I would really appreciate a quick summary of the specific use case in #1080. Eventually the team will vet those requests and try to design examples after we hear from the community which are of the most interest.

Michaela spoke to the catalog thing, and I agree with that! It is a tall order that would need community effort. :-)

@rjb4standards
Author

rjb4standards commented Jan 14, 2022

Thanks, Alexander. The next release of SP 800-161 is expected to come out sometime in February. Then we'll all have a better sense of what those Appendix F EO 14028 requirements will be, and we should be able to construct a use case for EO 14028.

@iMichaela
Contributor

@aj-stein-nist - we can take it internally at NIST with the authors. If Jon et al. want to release the data in OSCAL, and if we can get a little help, we might be able to generate the SP 800-161 Appendix F tables with the mapping to EO 14028 in OSCAL. Examples, use cases, and SBOM beyond the existing inventory are a lot more work. As of today, we have a full plate with the conference, the workshop and getting the update for OSCAL 1.1.0 out.

@rjb4standards - BUT if the community can pitch in and become the driving force for this effort, we are here to provide guidance starting today. The lowest-hanging fruit would be the Appendix F, F-x tables as profiles, with the controls enhanced to capture the mapping to the EO requirements. I believe that OSCAL 1.1.0's Mapping Model could also be used, if waiting for the OSCAL 1.1.0 release is acceptable.

@rjb4standards
Author

Thanks, Michaela.
Reliable Energy Analytics (REA) stands ready to work with any entity in the EO 14028 community that wants to start working/planning their implementation today following NIST SP 800-161 Appendix F and the NTIA SBOM requirements, including the pursuit of an OSCAL artifact, if the EO 14028 community wishes to pursue this effort.

@iMichaela
Contributor

@rjb4standards - This is great. We can provide guidance to community members interested in rolling up their sleeves.

@usnistgov usnistgov locked and limited conversation to collaborators Jan 21, 2022
@david-waltermire david-waltermire converted this issue into discussion #1098 Jan 21, 2022
