Support for "Rules" in OSCAL Models #1058
Comments
|
While reviewing the backlog today, #821 seems related, but specifically focused on |
|
First things we ought to tackle:
|
|
Discussed more with Dave today. Will begin by sketching out the "do rules fit into each of the OSCAL models conceptually?" question as well as gathering consensus on what the the relevant data elements are. |
|
@david-waltermire-nist, I know we will have another backlog refinement in the near future, but you had asked if I am ready to pull this one into Sprint 49 if you and team are ready. |
|
Notes from our last touch-base with interest community members. My current action item: build information model outline with recommended changes to include the concepts of rules. |
|
NOTE: This draft is obsolete, please see the updated draft spec below.
rule |
|
A few questions:
|
I think it will be up operator expertise, unfortunately. I was thinking about this a lot yesterday, and I have no good ideas on how we can determine that without some really complex semantics not in place yet. But back to the actual question, you could use
I think I need to flesh out an example, but that would be the |
|
@aj-stein-nist and @david-waltermire-nist Would a numeric value associated with the |
Personally, I think it would be hard to measure and quantify, your question makes me believe maybe the
I like the idea in principle but I have no idea how we could implement this in practice. Do you have any ideas around this? I too will reflect on it.
My intent with |
|
@aj-stein-nist I agree it allows for more flexibility, but I do not see a mechanism for identifying the completness or coverage of the superset of rules. A superset might still provide only partial coverage. Through the aggregation, the superset comprised of |
|
Personally I think numbers are not a good way to represent such a value space. It is not even one-dimensional. Also, they can't reliably or meaningfully be treated as numbers (does satisfies="50" + satisfies "60" = satisfies "110"?) Simple labels are better in that they do not promise what they cannot deliver. If systems have actual ranked/numeric values in a taxonomy they wish to label things with, the model offers Noting however that the discussion on how to characterize linking semantics is a little different from the discussion on how to describe rules. The problem of describing the rules vs characterizing the relations between rules. For example, we have silently assumed the target of a link from a rule is another rule. But what if we want a link to point to a control or a statement inside a control, for reference (how do we do that)? The discussion about the meaning of values of |
@wendellpiez - Per our initial discussion, rules are associated with controls or statements of controls. I cannot picture a scenario when such a cyclic approach would be necessary (when a rule associated with a control or statement of control needs to link to another control). Do you have an example in mind?
It depends on the numeric value :). If it is 50% added to 60% you can only get 100%. If it is a different numeric value (a score) with a range of 0-200, then 50+60=110. If normalization will be necessary, then that can be done with a simple mathematical operation on the range. Do you have another approach that would support automation for aggregation and quantification of satisfaction degree, something GRC tools can implement? How will a bunch of |
|
I think both of you are making good points, @iMichaela and @wendellpiez, and I will likely adjust my draft recommendation to say the I thought it might add value, for very specific assertions at the statement level, for a system owner or developer (not an assessor) to make very clear what they are and are not claiming about coverage of something. In addition to customer , I thought there might be value for very specific details of an implementation for such personas to point out "passing this rule check covers this specific detail of a statement on an implemented requirement for control AB-1 in its entirety" versus "for AB-1, passing this rule check is a good start, but we are not claiming that is enough and you have more work to do on your own (whether that is something else with the sub-system I provide or someone else, that is for us to discern somewhere else)." I do not think there will be satisfactory answers to these questions at this point and it will get more difficult moving forward. |
|
I have continued trying to formulate examples, and it seems trying to reuse the |
|
Trying to work backwards and come up with some examples now.
|
|
NOTE: This draft is obsolete, please see the updated draft spec below.
rule |
|
Are we allowed to debate names yet? I like the model so far. I like the migration of the settings from Is |
Absolutely!
Great, thanks for saying so.
The reason I moved away from that, @wendellpiez, is it could or could not be an abstraction over an (assessment task), dependent upon other future design decisions about what elements in what models it can refer to; (Ironically, this whole paragraph is a summary of yesterday's thought process around the |
|
Updated some more examples above. More examples to come, and maybe gathering up documents on use cases more concretely over the next week. |
|
@stephenbanghart, last we chatted you had discussed interest in this draft to add recommended features to one or more OSCAL models. The current draft design, with some examples embedded in a component, are available for review and public comment. Feedback welcome! |
|
Added some more examples. I am also tracking https://github.com/aj-stein-nist/oscal-content/tree/issue-1058-rules |
|
In today's developer meeting, Dave discussed an emerging standard around remote attestation of system facts, RATS. I will look into this for potential overlap or improvements that can inform this work, especially around rules and rule checks regarding automated testing to support assessment objectives in some cases. |
I think that is simple. {
"uuid": "8f8439e4-14cd-4bd9-a1aa-3a12e6ad3684",
"metadata": {},
"components": [
{
"uuid": "4a8edd59-57c4-4ed1-bf86-4fcd6cfbb768",
"rule-implementations": [
{
"uuid": "64a4c42c-2591-4305-a497-62078ca6fc75",
"testing-scenario-reference": {
"uuid": "52fb5d82-5c70-40d3-b8e1-1637022493af",
"test-scenario-uuid": "e7e00644-dd4b-409a-ab0c-a7bc76e56963"
}
}
]
}
],
"capabilities": [],
"rules": [
{
"uuid": "e4712689-e7d6-487b-914f-781a2e68ec17",
"description": "Ensure application servers implement encryption at rest with approved methods and approved algorithms."
}
],
"tests": [
{
"uuid": "bf9416a5-8bd2-4346-9374-d8810f463c9e",
"description": "Use OpenSCAP to check 1/N disk encryption settings in RHEL 8.x.",
"comment": "NOTE: yet to be defined elements to structure test executor, arguments, and executor parameters (I don't mean OSCAL params here. This is not complete and important TBD stuff will be here."
}
],
"testing-scenarios": [
{
"uuid": "e7e00644-dd4b-409a-ab0c-a7bc76e56963",
"rule-uuid": "e4712689-e7d6-487b-914f-781a2e68ec17",
"condition": {
"test-reference": {
"uuid": "96e443c1-c611-4cd8-8fe8-407044b3af85",
"test-uuid": "bf9416a5-8bd2-4346-9374-d8810f463c9e"
}
}
}
]
}That took me maybe 2-4 minutes after tripping up on brace expansion and using Is there something about this thus far that is untenable or not simple enough? Please let us know. |
|
How does one find out about the meetings on this topic? |
More, generally, on our community contribution page. More specifically, since I presume you mean this topic being "about the OSCAL Rules and #1058 work" and not other model topics, I will discuss with the team if there is a way we can give advance notice when we do have certain topics planned. :-) |
|
@aj-stein-nist & @pburkholder -- We might be able to also use one of the OSCAL mini-workshop meetings for this topic. Anca will probably touch on it during her talk on June 15 @ 11:00 AM ET |
|
AJ, I think your example is good. Here's a slightly different view from my mind's eye (ie Anca my disagree or not), in trying to keep with what we've done with the current OSCAL thru re-purposing of properties. rule-test-model-proposal.json.gz |
@degenaro We want to be able to share the same rule implementation (combination or rule and tests) across multiple controls. This is the reason for the
Yes. We have the
I have some concerns with allowing these constructs to be defined both inline and by reference, as this greatly complicates writing code that parses, persists, and processes content. Allowing the content inline makes it marginally easier for content creators at a cost to the tool developer that has to deal with this added complexity. We need to weigh such a decision carefully to make sure we address the equities in the right way. |
|
Agreed that |
|
@david-waltermire-nist as discussed during our modeling session, I updated the models in aj-stein-nist/OSCAL@8dc7f35 to:
|
aj-stein-nist
added
Epic
|
@david-waltermire-nist in advance of follow-on work this week on rules, per your requested, I collapsed #1160 and #1168 into the |
Following up the last modeling meeting, here is the slides with updates on rules on today's model meeting. |
|
Just for grins (and possible collaborations though the referenced project seems to have slowed down) here's a project for turning legislation into code and running a rules engine on that: https://www.digital.nsw.gov.au/article/rules-code-test-learn-repeat |
Thank you very much for thinking of our work and providing this feedback, Fen! I reviewed the site and will determine how much I can incorporate into the work (if we can beyond looking at the site; more involvement seems to require we email this group and USG employees interacting with foreign officials is always a challenge, fun trivia). Also, outside of work, I have been following the Linux Foundation/OSSF Alpha Omega project on their approach to how they intend to perform similar work for wrapping different kinds of attestations. But I largely skim and observe the high-level approach. No direct inputs or inspirations yet. It is nice to see a growing, vibrant space around this kind of workflow and process. |
|
Currently we re-purpose properties to hold rules and checks (aka tests), employing namespace and class. We envision the OSCAL "rules" enhancement to allow all that we can express with properties along with the ability to group sets of properties into one rule (or check) and to relate rules and checks to each other. With that in mind...
|
|
This work should go back to user research and discovery, so this will be moved back to DEFINE Research Needed. After that, if it is returned to development as-is, we should consider refinement being needed as this epic, as previously used it, is too large re upcoming #1688 reorganization and needs to be broken down into manageable pieces. |
|
Reviewed on 11/2 at triage meeting. |
User Story:
As an OSCAL tool developer, in order to ensure my software can document testing requirements that an information system must implement as one part of cumulative control implementation requirements, I would like enhancement to the OSCAL models to more explicitly define the concept of a rule as a first-class citizen. Modifications and new additions to OSCAL to tool developers to build software for users to give specific criteria to test for a specific kind of implementation implied by control requirements, and have such criteria expressed in OSCAL.
Goals:
ruleassemblyruleassembly #1339ruleassembly should and should not be used in relevant OSCAL modelsDependencies:
N/A
Acceptance Criteria
The text was updated successfully, but these errors were encountered: