The Anatomy of OSCAL Models - Control Layer - 2023.03.21


Open Security Controls Assessment Language

The Anatomy of OSCAL Models

OSCAL 101 Series - Lecture #2

Presenters:
Dr. Michaela Iorga, NIST, OSCAL Strategic Director
Robert Sherwood, Principal, Credentive Security

THE PRESENTATION IS BEING RECORDED!

- NIST is hosting a series of monthly educational workshops, on the third Tuesday of each month, 11:00-12:00 EST.
- Purpose: improve OSCAL adoption by expanding the OSCAL community of interest (COI) through the onboarding of members who have no previous knowledge of OSCAL.
- Schedule and info: https://csrc.nist.gov/Projects/open-security-controls-assessment-language/oscal-education-workshops

Welcome to Lecture #2

Agenda
- Brief Review of OSCAL
- The Anatomy of OSCAL Models
- Catalog and Profile Models
- Rob's Yellow Bricks Road to the FPKI OSCAL Catalog
What is OSCAL?
- OSCAL is a standardized, flexible, open-source language designed to express security controls and their associated implementations and assessment methods in machine-readable formats (XML, JSON, and YAML). OSCAL content can be easily transformed into human-friendly formats.
- OSCAL:
  - Enables automated traceability
  - Provides a standards-based foundation for the next generation of GRC tools
  - Helps improve risk management posture, consistency, and interoperability

[Diagram: the OSCAL layers and models]

Controls Layer: Catalog Model, Profile Model
Implementation Layer: Component Definition Model, System Security Plan (SSP) Model
Assessment Layer: Assessment Plan (AP) Model, Assessment Results (AR) Model, Plan of Action and Milestones (POA&M) Model

Information flows forward along the chain Catalog -> Profile -> SSP -> AP -> AR -> POA&M; traceability runs backward along the same chain. Each model links to the one before it with an import: the Profile imports a Catalog, the SSP imports a Profile, the Assessment Plan imports the SSP, the Assessment Results import the Assessment Plan, and the POA&M imports the SSP. Component Definitions feed the Components of the SSP, and the Open Risks found in the Assessment Results feed the POA&M.

The import arrow identifies what OSCAL content is linked as a result of the import statement. Imported content is referenced, not copied.

https://nist.gov/oscal
https://nist.gov/oscal/reference
OSCAL Models' Outline
https://pages.nist.gov/OSCAL/reference/latest/complete/json-outline/
(Diagram dated January 29, 2021, OSCAL Version 1.0.0-RC-1. The import arrow identifies what OSCAL content is linked as a result of the import statement. Imported content is referenced, not copied.)

Catalog
- Metadata: Title, Version, Date, Document Labels, Revision History, Prepared By/For; Roles, People, Teams, Locations
- Parameter: Parameter Definitions (Global)
- Control: Parameter Definitions (by Control); Control Requirement Definitions; Control Objectives; Assessment Methods
- Group (Family): Grouping of Parameters; Grouping of Controls
- Back Matter: Laws/Regulations, Standards/Guidance; Citations and External Links; Other Attachments

Profile (Control Baseline)
- Metadata: as above
- Import (Catalog or Profile): URI pointing to a Catalog or Profile; Controls to Include; Controls to Exclude
- Merge: Conflict Directives; Profile Resolution Grouping Directives
- Modify: Parameter Modifications; Control Requirement Modifications; Control Objective Modifications; Assessment Method Modifications
- Back Matter: Laws/Regulations, Standards/Guidance; Citations and External Links; Other Attachments as Needed

System Security Plan (SSP)
- Metadata: as above
- Import Profile: URI pointing to a Profile
- System Characteristics: System ID, Name, Description; Sensitivity/Impact Level; System Information; Service & Deployment Models; Diagrams: Authorization Boundary, Network, Data Flow
- System Implementation: Users, Components, Inventory; Ports, Protocols, & Services; Interconnections
- Control Implementation: Responsible Parties, Status, Origination; Parameter Values, Implementation Description, Inheritance, Consumer Responsibilities
- Back Matter: Laws/Regulations, Standards/Guidance; Citations and External Links; Attachments and Embedded Images

Assessment Plan (AP)
- Metadata: as above
- Import SSP: URI pointing to an SSP
- Local Definitions: When information in the linked SSP is missing or inaccurate, assessors may define it here
- Terms and Conditions: Rules of Engagement, Disclosures, Limitation of Liability, Assumption Statements, and Methodology
- Reviewed Controls: Controls to include in the assessment, as well as associated Control Objectives and Assessment Methods
- Assessment Subject: Identifies what will be assessed, including Components, Inventory Items, Locations, and User Types, as well as Parties to be Interviewed
- Assessment Assets: Tools used to perform the assessment
- Assessment Action: Enumerates the actions for performing the assessment, including procedures for performing the assessment action
- Task: Intended schedule of milestones and assessment actions
- Back Matter: Laws/Regulations, Standards/Guidance; may include artifacts to review; Other Attachments as Needed

Assessment Results (AR)
- Metadata: as above
- Import AP: URI pointing to an Assessment Plan
- Local Definitions (Overarching): When results contain an activity or control objective not defined by the assessment plan, define it here
- Result (Current):
  - Local Definitions: When information in the linked AP or SSP is missing or inaccurate, assessors may define it here
  - Reviewed Controls: Controls included in the assessment
  - Assessment Subject: Identifies what was assessed, including Components, Inventory Items, Locations, and User Types, as well as Parties interviewed
  - Attestation: Assertions made by the assessor
  - Assessment Log: Log of performed assessment actions
  - Observation: Individual observations and evidence
  - Risk: Enumerates and characterizes risks and weaknesses, provides status for identified risks
  - Finding: Identified findings, Objective Status
- Results (Last Cycle)
- Results (Earlier Cycle)
- Back Matter: Laws/Regulations, Standards/Guidance; Evidence Attachments: Reviewed Artifacts, Interview Notes, Screen Shots, Photos, Tool Output, Penetration Test Report; Other Attachments as Needed

Component Definition
- Metadata: Title, Version, Date, Document Labels, Revision History, Prepared By
- Import Component Definition: URI pointing to other component definition files
- Component: Individual component information, and information about controls the component is able to satisfy
- Capability: A grouping of related components into a larger capability
- Back Matter: Citations and External Links; Attachments and Embedded Images

Plan of Action and Milestones (POA&M)
- Metadata: as above
- Import SSP: URI pointing to an OSCAL SSP
- System Identifier: Unique system ID, used when the SSP is not delivered with the POA&M
- Local Definitions: For content not defined in the SSP
- Observation: Individual observations and evidence, impacted assets
- Risk: Enumerates, characterizes, identifies deviations, and provides status for identified risks
- POA&M Items: POA&M ID, Impacted Controls, Weakness Details
- Back Matter: Evidence; Other Attachments as Needed; Attachments and Embedded Images
Common OSCAL Structure

[Diagram: three OSCAL files side by side, each made of a Root Element & Root UUID followed by a Body (Model Specific)]
Common OSCAL Structure

- Root Element: The root element of the document indicates the type of content within the body of the file. The name of this element is unique to the specific model: catalog, profile, component-definition, system-security-plan, assessment-plan, assessment-results, or plan-of-action-and-milestones.
- Root UUID: An RFC 4122 Version 4 Universally Unique Identifier (UUID) that identifies the specific document instance (the OSCAL uuid data type also admits Version 5). It is changed when the document is modified.
- Metadata: Information about the document (i.e., title, last-modified timestamp, OSCAL version). Also used to define roles, parties (people, teams and organizations), and locations referenced in the document.
- Model-specific Body: The body is specific to each model.
- Back Matter: Used to link to and attach resources, which may contain citations. Used to associate graphics, supporting documentation, etc. with the OSCAL document. A resource entry here can be referenced from within the body of an OSCAL document.

Every OSCAL File
- Root Element [ catalog | profile | component-definition | system-security-plan | assessment-plan | assessment-results | plan-of-action-and-milestones ] with its Universally Unique Identifier (UUID)
- Metadata: must be at the start of every OSCAL file; syntax is the same, regardless of root element
  - Title, Modified Date, OSCAL Syntax Version
  - Document Date and Version
  - Roles, People, Organizations, Locations
- Body: syntax is different for each root element
- Back Matter: may be at the end of any OSCAL file; syntax is the same, regardless of root element
  - External Links and Citations
  - Attachments and Embedded Images
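The common skeleton above can be checked before any model-specific processing. The following is an added example, not NIST code and not code from this deck: it parses a JSON document, confirms there is exactly one known root element carrying an RFC 4122 v4/v5 UUID and the required metadata fields, and checks that every "#<uuid>" link in the body resolves to a back-matter resource (resources are referenced, not copied). The two sample documents and their UUIDs are constructed for the example. It is a structural sanity check, not a replacement for validating against the OSCAL schema.

```python
"""Checks for the structure every OSCAL document shares.

Added example (not NIST code and not from this deck). It checks the common
skeleton only: one model-specific root element, a document UUID, the
required metadata fields and back-matter resources that the body references
by "#<uuid>" links. Schema validation is a separate, fuller check. The two
sample documents are constructed for this example, not real OSCAL content.
"""
import json
import uuid
from datetime import datetime

ROOT_ELEMENTS = {"catalog", "profile", "component-definition",
                 "system-security-plan", "assessment-plan",
                 "assessment-results", "plan-of-action-and-milestones"}
REQUIRED_METADATA = ("title", "last-modified", "version", "oscal-version")


def _is_oscal_uuid(value):
    """OSCAL's uuid data type is an RFC 4122 version 4 or 5 UUID."""
    try:
        u = uuid.UUID(str(value))
    except ValueError:
        return False
    return u.variant == uuid.RFC_4122 and u.version in (4, 5)


def _hrefs(node):
    """Yield every 'href' string anywhere in a nested JSON value."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "href" and isinstance(val, str):
                yield val
            else:
                yield from _hrefs(val)
    elif isinstance(node, list):
        for item in node:
            yield from _hrefs(item)


def check_oscal_structure(text):
    """Return a list of problems; an empty list means the common structure
    is in order. Malformed JSON is reported as a problem, not raised."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not well-formed JSON: {exc.msg} at offset {exc.pos}"]
    roots = list(doc) if isinstance(doc, dict) else []
    if len(roots) != 1 or roots[0] not in ROOT_ELEMENTS:
        return [f"expected exactly one known root element, found {roots}"]
    root, body = roots[0], doc[roots[0]]
    if not isinstance(body, dict):
        return [f"{root} must be an object"]
    problems = []
    if not _is_oscal_uuid(body.get("uuid")):
        problems.append(f"{root}/uuid missing or not an RFC 4122 v4/v5 UUID")
    meta = body.get("metadata")
    if not isinstance(meta, dict):
        problems.append(f"{root}/metadata missing")
        meta = {}
    problems += [f"metadata/{f} missing" for f in REQUIRED_METADATA if f not in meta]
    stamp = meta.get("last-modified")
    if isinstance(stamp, str):
        try:  # OSCAL requires a timezone-aware date-time; a trailing 'Z' is allowed
            if datetime.fromisoformat(stamp.replace("Z", "+00:00")).tzinfo is None:
                problems.append("metadata/last-modified has no timezone")
        except ValueError:
            problems.append("metadata/last-modified is not a date-time")
    # Back matter: the body points at resources with "#<uuid>" links.
    ids = set()
    for res in body.get("back-matter", {}).get("resources", []):
        if _is_oscal_uuid(res.get("uuid")):
            ids.add(res["uuid"])
        else:
            problems.append("back-matter resource without a valid uuid")
    problems += [f"dangling back-matter reference {h}" for h in _hrefs(body)
                 if h.startswith("#") and h[1:] not in ids]
    return problems


# Constructed samples. GOOD is a minimal catalog whose one control cites a
# back-matter resource; BAD breaks the uuid, the timestamp, one metadata
# field and the reference.
GOOD = json.dumps({"catalog": {
    "uuid": "3f1b7b7e-2a4c-4c0a-9b2f-6f0c2a1d8e11",
    "metadata": {"title": "Example catalog", "last-modified": "2023-03-21T11:00:00Z",
                 "version": "1.0", "oscal-version": "1.0.4"},
    "controls": [{"id": "ex-1", "title": "Example control",
                  "links": [{"href": "#8a6e3a5c-9d7f-4f3b-8f5e-0a1b2c3d4e5f", "rel": "reference"}]}],
    "back-matter": {"resources": [{"uuid": "8a6e3a5c-9d7f-4f3b-8f5e-0a1b2c3d4e5f",
                                   "title": "Cited standard"}]}}})
BAD = json.dumps({"catalog": {
    "uuid": "12345678-1234-1234-1234-123456789abc",
    "metadata": {"title": "Broken catalog", "last-modified": "2023-03-21T11:00:00",
                 "version": "1.0"},
    "controls": [{"id": "ex-1", "title": "Example control",
                  "links": [{"href": "#00000000-0000-4000-8000-000000000000", "rel": "reference"}]}]}})

if __name__ == "__main__":
    print("GOOD:", check_oscal_structure(GOOD) or "no problems")
    print("BAD:", *check_oscal_structure(BAD), sep="\n  ")
```

A JSON parse failure is the "not well-formed" case; the remaining checks are a small slice of "valid", the part that is the same for every root element. Run the same document through a JSON Schema validator with the OSCAL schema for its model to get the rest.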
The Metadata Element – Cardinality and Data Type
[Diagram]

The Back-matter Element – Cardinality and Data Type
[Diagram]

OSCAL Controls Layer
OSCAL Catalog Model
Represents a collection of security and privacy controls, which may be used as part of a risk management program.

- Metadata: Same for each OSCAL model.
- Parameter: Provides a global policy variable used by one or more controls.
- Control: An individual control in the catalog.
  - May contain control-specific parameters, control requirement statements, control objectives, assessment methods, and references.
  - Controls can have child controls (for example, the control enhancements of SP 800-53).
- Group (Family): Related controls may be grouped. Parameters related to this group may be defined here.
- Back Matter: Same for each OSCAL model.

Catalog outline: Metadata (Title, Version, Date, Document Labels, Revision History, Prepared By/For); Parameter (Parameter Definitions, Global); Control (Parameter Definitions by Control, Control Requirement Definitions, Control Objectives, Assessment Methods); Group/Family (Grouping of Parameters, Grouping of Controls); Back Matter (Laws/Regulations, Standards/Guidance, Citations and External Links, Other Attachments).
OSCAL Profile Model
Used to establish a baseline of controls to be implemented with a system.

- Metadata: Same for each OSCAL model.
- Import: Identifies an OSCAL catalog or other profile to import controls from.
  - A control must be imported to be included in a baseline.
  - All parameters and back-matter resources cited by an imported control are also imported.
- Merge: Provides directives used to organize controls and to resolve conflicts when the same control is imported multiple times.
- Modify: Allows tailoring of imported controls, including their parameters, control requirement definitions, references, control objectives, and assessment actions.
- Back Matter: Same for each OSCAL model.

Profile (Control Baseline) outline: Metadata (Title, Version, Date, Document Labels, Revision History, Prepared By/For); Import (URI pointing to a Catalog or Profile; Controls to Include; Controls to Exclude); Merge (Conflict Directives; Profile Resolution Grouping Directives); Modify (Parameter Modifications; Control Requirement Modifications; Control Objective Modifications; Assessment Method Modifications); Back Matter (Laws/Regulations, Standards/Guidance; Citations and External Links; Other Attachments as Needed).
OSCAL Profile Model - Inheritance

A profile can import controls from:
- A catalog or multiple catalogs
- Another profile or multiple profiles

This allows a baseline to be established by customizing another baseline.

[Diagram: Catalog -> (import) -> Profile -> (import) -> Profile (Control Baseline), each drawn with the outline shown on the Catalog and Profile slides; the trace arrow runs back from the resolved baseline to the source controls.]
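What profile resolution actually does when one profile imports another is easiest to see on a small input. The following is an added example, not the NIST profile resolver and not code from this deck: a constructed catalog is resolved through a constructed base profile and then through an overlay profile that imports the base profile, drops one control, sets a parameter and adds a part. The resolver implements only the subset of the profile model that the example exercises (include-all, include-/exclude-controls by id, with-child-controls, a flat merge where the first import wins on a duplicate id, set-parameters and alter/adds); the field names are those of the OSCAL JSON format, and the hrefs are resolved from an in-memory dictionary rather than fetched so that it runs offline.

```python
"""Simplified OSCAL profile resolution (import -> merge -> modify).

Added example, not the NIST resolver and not code from this deck. A
constructed catalog is resolved through two constructed profiles, the
second importing the first, to show a baseline built by customizing another
baseline. Only the features used here are implemented: include-all,
include-/exclude-controls by id, with-child-controls, a flat merge (first
import wins on duplicate ids), set-parameters and alter/adds. Sources are
looked up in an in-memory dict keyed by href, so nothing is fetched.
"""
import copy
import re

# OSCAL prose cites a parameter as {{ insert: param, <id> }}.
PARAM_REF = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")

# Constructed catalog: a control with a child control and a control-level
# parameter, plus a catalog-level parameter that au-2 cites.
CATALOG = {"catalog": {
    "params": [{"id": "org-name", "label": "organization name"}],
    "controls": [
        {"id": "ac-2", "title": "Account Management",
         "params": [{"id": "ac-2_prm_1", "label": "account types"}],
         "parts": [{"name": "statement", "prose": "Define {{ insert: param, ac-2_prm_1 }}."}],
         "controls": [{"id": "ac-2.1", "title": "Automated Account Management",
                       "parts": [{"name": "statement", "prose": "Automate it."}]}]},
        {"id": "ac-3", "title": "Access Enforcement",
         "parts": [{"name": "statement", "prose": "Enforce authorizations."}]},
        {"id": "au-2", "title": "Event Logging",
         "parts": [{"name": "statement", "prose": "Log events for {{ insert: param, org-name }}."}]}]}}

# Constructed baseline: three controls plus their children, one parameter set.
BASE_PROFILE = {"profile": {
    "imports": [{"href": "catalog.json", "include-controls": [
        {"with-ids": ["ac-2", "ac-3", "au-2"], "with-child-controls": "yes"}]}],
    "merge": {"flat": {}},
    "modify": {"set-parameters": [{"param-id": "org-name", "values": ["Example Agency"]}]}}}

# Constructed overlay: inherits the baseline, drops ac-2.1, tailors ac-2 and ac-3.
OVERLAY_PROFILE = {"profile": {
    "imports": [{"href": "base-profile.json", "include-all": {},
                 "exclude-controls": [{"with-ids": ["ac-2.1"]}]}],
    "merge": {"flat": {}},
    "modify": {"set-parameters": [{"param-id": "ac-2_prm_1", "values": ["individual", "service"]}],
               "alters": [{"control-id": "ac-3", "adds": [{"position": "ending",
                           "parts": [{"name": "guidance", "prose": "Agency guidance."}]}]}]}}}

DOCUMENTS = {"catalog.json": CATALOG, "base-profile.json": BASE_PROFILE,
             "overlay-profile.json": OVERLAY_PROFILE}


def _walk(controls, parent=None):
    """Yield (control, parent id) over a control tree in document order."""
    for c in controls:
        yield c, parent
        yield from _walk(c.get("controls", []), c["id"])


def _select(source, imp):
    """Apply one import's include/exclude directives to a resolved source.
    Child controls are hoisted to the top level, as a flat merge produces."""
    entries = list(_walk(source.get("controls", [])))
    parent = {c["id"]: p for c, p in entries}

    def ancestors(cid):
        while parent.get(cid):
            cid = parent[cid]
            yield cid

    chosen = {c["id"] for c, _ in entries} if "include-all" in imp else set()
    for rule in imp.get("include-controls", []):
        ids, kids = set(rule.get("with-ids", [])), rule.get("with-child-controls") == "yes"
        chosen |= {c["id"] for c, _ in entries
                   if c["id"] in ids or (kids and ids & set(ancestors(c["id"])))}
    excluded = {i for r in imp.get("exclude-controls", []) for i in r.get("with-ids", [])}
    return [{k: copy.deepcopy(v) for k, v in c.items() if k != "controls"}
            for c, _ in entries if c["id"] in chosen - excluded]


def _carry_params(source, controls):
    """Source-level parameters cited by a selected control are imported with it."""
    pool = {p["id"]: p for p in source.get("params", [])}
    cited = {pid for c in controls for part in c.get("parts", [])
             for pid in PARAM_REF.findall(part.get("prose", ""))}
    own = {p["id"] for c in controls for p in c.get("params", [])}
    return {pid: copy.deepcopy(pool[pid]) for pid in cited - own if pid in pool}


def resolve(href, documents=DOCUMENTS):
    """Resolve a catalog or profile to {"params": [...], "controls": [...]}."""
    doc = documents[href]
    if "catalog" in doc:
        return copy.deepcopy(doc["catalog"])
    controls, params, seen = [], {}, set()
    for imp in doc["profile"]["imports"]:
        source = resolve(imp["href"], documents)  # an imported profile resolves first
        picked = [c for c in _select(source, imp) if c["id"] not in seen]
        seen |= {c["id"] for c in picked}         # merge: first import wins
        controls += picked
        params.update(_carry_params(source, picked))
    by_id = {c["id"]: c for c in controls}
    by_param = {**params, **{p["id"]: p for c in controls for p in c.get("params", [])}}
    modify = doc["profile"].get("modify", {})
    for sp in modify.get("set-parameters", []):   # KeyError: parameter was never imported
        by_param[sp["param-id"]]["values"] = list(sp["values"])
    for alt in modify.get("alters", []):          # KeyError: control was never imported
        parts = by_id[alt["control-id"]].setdefault("parts", [])
        for add in alt.get("adds", []):
            new = copy.deepcopy(add.get("parts", []))
            if add.get("position", "ending") == "starting":
                parts[0:0] = new
            else:
                parts.extend(new)
    return {"params": list(params.values()), "controls": controls}
```

Resolving "overlay-profile.json" first resolves "base-profile.json", which in turn reads the catalog; the overlay therefore sees a flat list of four controls, removes ac-2.1, and tailors what remains. The org-name parameter travels with au-2 because the control's prose cites it, which is the "parameters cited by an imported control are also imported" rule from the slide; a set-parameters or alter that names something the imports did not bring in fails with a KeyError rather than silently creating it, since a profile can only tailor controls it actually imported.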
OSCAL Content Validation
https://pages.nist.gov/OSCAL/concepts/validation/

"Well-formed" vs "valid" OSCAL content: a file is well-formed when it parses as XML or JSON at all; it is valid only when it also conforms to the OSCAL schema for its root element.

XML Schema Validators: https://www.w3.org/XML/Schema#Tools
JSON Schema Validators: https://json-schema.org/implementations.html#validators
Rob’s Yellow Bricks Road to the FPKI OSCAL Catalog
Thank you!

OSCAL is a community-driven program! Please join us!

OSCAL Catalog Tutorial: https://pages.nist.gov/OSCAL/learn/tutorials/control/basic-catalog/

https://www.nist.gov/OSCAL

Contact us at: oscal@nist.gov

Subscribe to our mailing lists: oscal-dev@list.nist.gov or oscal-updates@list.nist.gov
Chat with us on Gitter: https://gitter.im/usnistgov-OSCAL/Lobby
Collaborate with us on GitHub: https://github.com/usnistgov/OSCAL
Join our COI meetings: https://pages.nist.gov/OSCAL/contribute/#community-meetings
Open Floor Discussion

Ground Rules of Engagement

- Keep the discussion respectful by:
  - using welcoming and inclusive language
  - being respectful of differing viewpoints and experiences
  - gracefully accepting constructive criticism
  - waiting for one speaker to finish before speaking
- Speak from your own experience instead of generalizing.
- Do not be afraid to respectfully challenge one another by asking questions focused on ideas, not on the company or presenter.
- The final goal is not always to agree but rather to gain a deeper understanding.
