Create a demonstration of using leveraged authorizations #572
This is being worked in a feature branch and will be deployed once we are done. The example we are creating involves two SSPs. The first is a cloud-based IaaS. The second is a SaaS that leverages the IaaS.
12-Mar-2020 Status
@wendellpiez, @brianrufgsa, and @david-waltermire-nist met Friday March 6. We clarified our intended outcomes, and reviewed the sample. We realized @brianrufgsa was taking more of a FedRAMP approach, which focuses at the system level, while @david-waltermire-nist wanted to see a more granular approach, which allows for leveraging individual components within a system that has a leveraged authorization. @david-waltermire-nist took ownership of the sample and intends to update it to better reflect our intended outcomes.
Status 25-June-2020
@david-waltermire-nist, @brianrufgsa, and @wendellpiez met this week to review draft example to date, as well as discuss the desired end-state of this scenario and related examples. We had to convert the draft examples from MR2 to MR3 syntax, which is now complete. We also developed the following table:
Status 23-July-2020
Making good progress. Now have diagrams to illustrate the concepts, and nearly complete updating the examples. Also applying the approach to the FedRAMP SSP guidebook.
@brianrufgsa are the diagrams available for me to take a look at? Also, where can I find the read aheads for the upcoming guide updates that you previously shared on a Friday call?
Status 4-Aug-2020
From the perspective of an underlying provider, the customer responsibility syntax for the SSP is now well defined and includes examples. From the perspective of a leveraging system, the SSP syntax referring to the leveraged system is now well defined and includes examples. I will polish up the examples and create a PR with them in order to close this issue. We need a new issue to address concepts that have emerged from working this issue. First, we identified a new concept for a leveraged system's SSP to represent content about what is being inherited, suitable for consumption by leveraging customers. Along with this, we need a separate issue related to the creation of an OSCAL-based CRM by extracting the above SSP syntax using a transform or similar.
@jasswalkjr Sorry I missed your request. I just sent you a private message on Gitter.
7-Aug-2020
Presented updated progress and updated slides to OSCAL modeling working group. Edit: corrected month
Goals include:
Perspective of leveraged authorization SSP author
Perspective of leveraging SSP author:
Intended outcomes include:
Follow-On Activity:
An OSCAL CRM model will be developed as a separate, follow-on activity.
September 2, 2020 Presentation
September 18, 2020 Presentation
With updates as discussed in the meeting.
Status 24-Sept-2020
Provided an updated briefing on this to the Modeling Working group last Friday. Following the meeting, I incorporated feedback and improved examples, resulting in the above posted version of the presentation. Complete examples are in the attached ZIP file. IMPORTANT: These examples do not yet validate using the OSCAL SSP schema as the new syntax has not been implemented. Next Steps:
24-Sept-2020
Per discussion, will implement the LA syntax in the current M3 metaschema and publish ahead of converting all metaschemas to M4.
Status 1-Oct-2020
SSP syntax updated to support leveraged authorization. PR #762 issued with changes.
2-Oct-2020 Briefing
Hello Brian:
How are you? Hope all is well as we get closer to the holiday season!
Question—have there been any updates about leveraged authorizations since the V6a briefing? Specifically, are there any updates regarding the OSCAL SSP / No Access scenario? If so, where can I find the documentation on this?
Please let me know.
Best,
Jasson Walker, Jr., MCSD, MCSE, CISSP, PMP
President
cFocus Software Incorporated -- Microsoft Gold Certified Partner, 8(a) Certified
https://cfocussoftware.com
jasson.walker@cfocussoftware.com
301.499.2650 office
301.499.2651 fax
301.455.4030 cell (best way to reach me)
From: Brian Ruf <notifications@github.com>
Sent: Friday, October 2, 2020 12:03 PM
To: usnistgov/OSCAL <OSCAL@noreply.github.com>
Cc: Jasson Walker Jr. <jasson.walker@cfocussoftware.com>; Mention <mention@noreply.github.com>
Subject: Re: [usnistgov/OSCAL] Create a demonstration of using leveraged authorizations (#572)
2-Oct-2020 Briefing
OSCAL-Leveraged_Authorization_V6a.pptx<https://github.com/usnistgov/OSCAL/files/5319064/OSCAL-Leveraged_Authorization_V6a.pptx>
User Story:
As an OSCAL content creator, I need documentation and an example of how to leverage an existing SSP and determine what customer responsibilities I need to address on the leveraging side.
Goals:
Dependencies:
None
Acceptance Criteria
All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
Presentation exists and is published
Examples exist and are published
SSP metaschema is updated and published without errors