Collaboration? #1097
Replies: 12 comments 1 reply
-
I would suggest having eMASS consume OSCAL first.
The tools exist to (roughly) convert OSCAL to Word or Excel, but ingesting
OSCAL into the GRC is 99% of the benefit, since then the agency can use the
information in their flows.
On Thu, Oct 28, 2021 at 10:37 AM Josiah Ritchie ***@***.***> wrote:
I'm working with a team working with PEO IWS who wants to build out tools
around the OSCAL format. We've been looking at what is here and wondering
if there might be an opportunity to discuss our work and try to align with
your objectives as we move forward. I could have a gov lead contact you if
appropriate.
We'd like to be creating catalogs, poams, etc. in OSCAL and maybe
converting OSCAL format documents into other formats on the fly for AO
review including integration with eMASS.
If you are interested, could you let us know how to proceed?
-
That would be inconsistent with our objective.
-
Well, if AO review is one of the objectives, and they are using eMASS, how
would eMASS consuming OSCAL be incongruent with that objective? Happy to
take it to the dev lunch or another forum if this is a more involved
conversation.
On Thu, Oct 28, 2021 at 11:10 AM Josiah Ritchie ***@***.***> wrote:
That would be inconsistent with our objective.
-
We're looking at Continuous ATO objectives where these things are changing potentially daily or more in various environments. eMASS has no automated means of submission at this point; that's outside our objective, with the expectation that the manual process needs to be supported for now, but hopefully not forever, and current limitations shouldn't drive design. We want to support on-demand documentation of security posture upon the completion of a pipeline triggered by any change to any of a group of environments around an IaC, CaC, or application code base. I'm not familiar with dev lunch, but would be glad to talk more.
-
Are you all in communication with the eMASS developers? If not, I have talked to some of them in a formal capacity (very recently the FedRAMP OSCAL dev/engineer here) and I am sure if we put the right people in contact they will brief you, but they can tell you what OSCAL support they have in an official capacity. (I do not think that is public information at this time, so not for me to divulge; if it was my work I would not be shy!)
-
We have not, but that is a connection I’d be really interested in. Could you pass on whom to connect with?
From: Alexander Stein ***@***.***>
Sent: Monday, November 1, 2021 9:40 AM
To: usnistgov/OSCAL ***@***.***>
Cc: Josiah Ritchie ***@***.***>; Author ***@***.***>
Subject: Re: [usnistgov/OSCAL] Collaboration? (Issue #1048)
Are you all in communication with the eMASS developers? If not, I have talked to some of them in a formal capacity (very recently the FedRAMP OSCAL dev/engineer here) and I am sure if we put the right people in contact they will brief you, but they can tell you what OSCAL support they have in an official capacity. (I do not think that is public information at this time, so not for me to divulge; if it was my work I would not be shy!)
-
@flickerfly is the email address associated with your GitHub account a good email to use to coordinate? I will need to solicit an audience with the relevant contacts. As far as I know they do not collaborate publicly on GitHub or Gitter.
-
[email protected] would be the best option. I'd appreciate the introduction!
-
[email protected] is mine - would also appreciate the intro (either separate thread or same) - Kubernetes Policy Workgroup is working on OSCAL policy support (open source) and having eMASS devs validate the approach would be very helpful
-
@sunstonesecure-robert, is there any info about the participation, inputs, and/or outputs of this k8s Policy Work group if one wants to participate? Back on point: I will try to get everyone in an email and explain what you want. Just keep in mind these are eMASS developers, so I am not sure what they can validate for you.
-
open to all - every other Wed 8AM PT/11AM ET - https://docs.google.com/document/d/1ihFfEfgViKlUMbY2NKxaJzBkgHh-Phk5hqKTzK-NEEs
-
@sunstonesecure-robert will definitely check it out, too bad I missed this week. 😞
-
I'm working with a team working with PEO IWS who wants to build out tools around the OSCAL format. We've been looking at what is here and wondering if there might be an opportunity to discuss our work and try to align with your objectives as we move forward. I could have a gov lead contact you if appropriate.
We'd like to be creating catalogs, poams, etc. in OSCAL and maybe converting OSCAL format documents into other formats on the fly for AO review including integration with eMASS.
If you are interested, could you let us know how to proceed?