Support for NIST SP 800-161 Appendix F, for Executive Order 14028? #1098
-
Are there any plans to produce OSCAL artifacts for NIST 800-161 Appendix F, supporting Executive Order 14028? |
Beta Was this translation helpful? Give feedback.
Replies: 13 comments 1 reply
-
@rjb4standards - Unfortunately NIST OSCAL team does not have the cycle, any time soon, to generate the requested information.
|
Beta Was this translation helpful? Give feedback.
-
Thank you for the quick response, Michaela. |
Beta Was this translation helpful? Give feedback.
-
I can bring it up to the CNCF supply chain group. Also The Kubernetes
Policy WG is working on Profile alignment, inclusive of supply chain
management policies, so I can discuss if we can contribute back a PR to
OSCAL. No guarantees but we'll discuss options.
…On Fri, Jan 14, 2022 at 6:20 AM Dick Brooks ***@***.***> wrote:
Thanks you for the quick response, Michaela.
—
Reply to this email directly, view it on GitHub
<#1085 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQWTGFDI76QNNRTXO4VS6GLUWAWMFANCNFSM5L4XN6PA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
Thanks for offering to research this matter. I know that NIST SCRM is working on update to Appendix F to provide guidance needed to implement EO 14028 and the Senate passed legislation on Wednesday that would also fit into this category, i.e., training regarding cybersecurity supply chain risk assessments. |
Beta Was this translation helpful? Give feedback.
-
Do you have more details on this? You are looking into 800-161 (either appendix) and contributing it back, @sunstonesecure-robert? |
Beta Was this translation helpful? Give feedback.
-
FYI we also have an open call in #1080 for use cases in components/SSPs. Not 100% relevant to this (re catalog, profile creation, and/or catalog mappings), but I am not sure someone has asked about "a component in a def or SSP that shows supporting evidence around 800-161 controls" yet. Just a thought! :-) |
Beta Was this translation helpful? Give feedback.
-
Supporting evidence will be key for SP 800-161, but SBOM vulnerability reporting is also gaining momentum. This week Cyclone DX announced V 1.4 with support for vulnerability reporting in their NTIA supported SBOM standar. I posted an article recently about the various methods for vulnerability reporting after receiving a message from Allan Friedman of CISA: https://energycentral.com/c/um/terminology-confusion-regarding-vulnerability-reporting |
Beta Was this translation helpful? Give feedback.
-
I will have to look later since this requires a membership and I cannot access it even with Javascript disabled. I will have to review from a personal workstation another time. If you see how evidence of 800-161 and/or SBOM vulnerability reporting would fit into documenting an information system for federal government use and would like to experiment with that, I would really appreciate a quick summary of the specific use case in #1080. Eventually the team will vet those requests and try to design examples after we hear from the community are of the most interest. Michaela spoke to the catalog thing, and I agree with that! It is a tall order that would need community effort. :-) |
Beta Was this translation helpful? Give feedback.
-
Thanks, Alexander. The next release of SP 800-161 is expected to come out sometime in February. Then we'll all have a better sense for what those Appendix F EO 14028 requirements will be, then we should be able to construct a use case for EO 14028. |
Beta Was this translation helpful? Give feedback.
-
@aj-stein-nist - we can take it internally at NIST with the authors. If Jon et. all. wants to release the data in OSCAL, and if we can get a little help, we might be able to generate the SP 800-161 Appendix F tables with the mapping to the EO 14028 in OSCAL. Examples, use cases, and SBOM beyond the existing @rjb4standards - BUT if the community can pitch in and become the driving force for this effort, we are here to provide guidance starting today. The lowest hanging fruit would be the Appendix F, F-x tables as profiles with the controls enhanced to capture the mapping to the EO requirements. I believe that the OSCAL 1.1.0's Mapping Model could also be used if waiting for the OSCAL 1.1.0 release is acceptable. |
Beta Was this translation helpful? Give feedback.
-
Thanks, Michaela. |
Beta Was this translation helpful? Give feedback.
-
@rjb4standards - This is great. We can provide guidance to community members interested in rolling sleaves. |
Beta Was this translation helpful? Give feedback.
-
usnistgov/oscal-content#22 is an issue for doing this. As mentioned in this thread, we do not have the cycles to work on this at the moment and there is now SP 800-53 rev5 OSCAL content which contains the privacy-related controls. |
Beta Was this translation helpful? Give feedback.
usnistgov/oscal-content#22 is an issue for doing this. As mentioned in this thread, we do not have the cycles to work on this at the moment and there is now SP 800-53 rev5 OSCAL content which contains the privacy-related controls.