Remove GWS.CHAT.5.1

[jkaufman-mitre]

🗣 Description

Remove Chat.5.1 as Chat apps are now also controlled by the marketplace settings (see CommonControls.11.1).

💭 Motivation and context

Fixes #222
Google Update

🧪 Testing

✅ Pre-approval checklist

• This PR has an informative and human-readable title.
• Changes are limited to a single goal - eschew scope creep!
• If applicable, All future TODOs are captured in issues, which are referenced in the PR description.
• The relevant issues PR resolves are linked preferably via closing keywords.
• All relevant type-of-change labels have been added.
• I have read and agree to the CONTRIBUTING.md document.
• These code changes follow cisagov code standards.
• All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
• Tests have been added and/or modified to cover the changes in this PR.
• All new and existing tests pass.

✅ Pre-merge Checklist

• This PR has been smoke tested to ensure main is in a functional state when this PR is merged.
• Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge Checklist

• Delete the branch to clean up.
• Close issues resolved by this PR if the closing keywords did not activate.

[jkaufman-mitre]

@adhilto This PR is still waiting to be reviewed.

[buidav]

Going back to the original discussion of this policy. Chat 5.1 is currently contradictory to our current stance with Common Controls 11.1. If Common Controls 11.1 allowlisting is not enforced, then turning this setting on allows any user to install any chat app. Which is insecure.

It seems that we should either delete this baseline and enforce Common Controls as a SHALL but leave the decision to enable this setting up to organizations/agencies

OR

We should rewrite this policy to make it organizational unit specific.
example:

The ability to install Chat apps SHALL be disabled for the top-level organizational unit

_Note:_ The ability to install Chat apps MAY be enabled on a per OU basis.

This is to prevent the default of allowing anyone to install Chat apps if App allowlisting is not enforce but allow flexibility for specific organizational units to install chat applications.

[adhilto]

Going back to the original discussion of this policy. Chat 5.1 is currently contradictory to our current stance with Common Controls 11.1. If Common Controls 11.1 allowlisting is not enforced, then turning this setting on allows any user to install any chat app. Which is insecure.

It seems that we should either delete this baseline and enforce Common Controls as a SHALL but leave the decision to enable this setting up to organizations/agencies

OR

We should rewrite this policy to make it organizational unit specific. example:

The ability to install Chat apps SHALL be disabled for the top-level organizational unit

_Note:_ The ability to install Chat apps MAY be enabled on a per OU basis.

This is to prevent the default of allowing anyone to install Chat apps if App allowlisting is not enforce but allow flexibility for specific organizational units to install chat applications.

I agree with David on this one. I'll also add that per the research you documented here:

• "If the new feature is turned on, but the app IS NOT allowlisted, then only admins are allowed to install the app for the org." Acceptable from a security standpoint.
• "If the feature is turned on and the app IS allowlisted, then both admins and users can install." Acceptable from a security standpoint.
• "If the new feature is off, then the app cannot be installed." Also acceptable from a security standpoint.

Therefore, my vote would be that we delete CHAT.5.1 entirely.

[jkaufman-mitre]

@adhilto @buidav Turning this setting on does not override Common Controls 11.1. In the contrary, turning this off does not allow users to install any chat app. Turning this feature one allows users to install allowlisted chat apps.

Not allowing any user to install any app could be a hinderance to the user.

[jkaufman-mitre]

My vote would be to make this policy a SHOULD because if there is no need for users to have chat apps, then it should be disabled to protect the org.

Removing this policy all together would allow for this setting to be on which is could allow for unauthorized apps to be installed if an admin account gets compromised. We should have a baseline stating that it SHOULD be disabled and add a not that if there is an organizational need for chat apps then it can be enabled.

My recommendation is for the policy to be: "User-level ability to install Chat apps SHOULD be disabled."

[jkaufman-mitre]

@adhilto, Also I realized that the PR changes did not reflect what my recommendation was, so went in ad commited the updated policy statement.

[adhilto]

@adhilto, Also I realized that the PR changes did not reflect what my recommendation was, so went in ad commited the updated policy statement.

Thanks for pointing that out, that completely changes the discussion.

@adhilto @buidav Turning this setting on does not override Common Controls 11.1.

David did not claim that it does. His point was that if Common Controls 11.1 was not implemented and this setting were on, users could install any Chat app. I haven't tested this myself but it certainly seems like that would be the case. Regardless, since you updated it from "SHOULD be enabled" to "SHOULD be disabled," this point is no longer important.

Not allowing any user to install any app could be a hinderance to the user.

Hindrance, yes. Security risk? No. Though it is a reason for why we wouldn't want to require this setting be disabled, which is now the current recommendation.

Weighing both sides of the issue, the reason for including 5.1 "SHOULD be disabled" is as follows:

• Defense in depth. Yes, COMMON.CONTROLS.11.1 would prevent non-approved apps from being installed (per your research here ), but to David's point, what if COMMON.CONTROLS.11.1 is not implemented? Disabling the setting in question for CHAT.5.1 would ensure that even in that case, unapproved Chat apps could not be installed.

Reason for enabling "Allow users to install Chat apps":

• The usability cost in setting that to OFF is quite high, because as you indicated here, this would completely prevent all Chat apps from being installed, even if the app is allow listed.

Weighing both those two points, I'm inclined to think that this is a setting that we need don't need to take a stance on. Since the security benefit is so minimal and the usability cost so high, each agency should be permitted to weigh the tradeoffs themselves and make their own decision. In other words, I'm still in favor of cutting this control.

That said, as the interactions between these two settings isn't immediately obvious, it could be useful to document and explain this somewhere, so that agencies are able to make an informed decision. We should not mandate that this setting be ON or OFF though.

[jkaufman-mitre]

We will go ahead an remove CHAT.5.1v0.2 and make COMMONCONTROLS.11.1v0.2 a SHALL.

[jkaufman-mitre]

Policy Group 5 has been removed. @adhilto Ready for review again.

[adhilto]

Policy Group 5 has been removed. @adhilto Ready for review again.

Just need to update the table of contents. Other than that looks good.

[adhilto]

@buidav I just implemented the Rego changes, ready for your review.

[jkaufman-mitre]

@adhilto @buidav I have updated the Table of Content.

[mdueltgen]

@adhilto @buidav Any finals thoughts on this or are we good to merge? I think all changes requested were handled.