RSA Conference (#RSAC), Session ID: GRC-F01

Security Automation Simplified via NIST OSCAL: We're Not in Kansas Anymore

David Waltermire, Security Automation Architect, National Institute of Standards and Technology (NIST)
Anil Karmel, Co-Founder and CEO, C2 Labs (@anilkarmel)

Agenda
- We're not in Kansas anymore
- NIST OSCAL: technical overview
- Where does the yellow brick road lead? Live demo
- Why does this matter?
- Q&A

We're Not in Kansas Anymore

Why OSCAL?
- Information technology is complex
- Security vulnerabilities are everywhere
- Regulatory frameworks are burdensome
- Risk management is hard
- Documentation is out of date

Major challenges in security controls assessment
- Security controls and profiles are represented in proprietary ways
- Profile mappings to catalogs are often imprecise and not machine-readable
- Systems with many components require different profiles per component
- Multi-tenant and mixed ownership of components complicate assessment
- A single system may be subject to several regulatory frameworks
- Security control assessment is a complex, largely manual process

NIST Open Security Controls Assessment Language (OSCAL): Technical Overview

What is OSCAL?
- A new "standard of standards" normalizing how system security controls and the corresponding assessment information are represented
- Standardized: provide security control, control implementation, and assessment information in an open, standardized way that can be used by both humans and machines
- Interoperable: ensure OSCAL is well-defined so that tools using OSCAL information are interoperable and use that information consistently
- Easy to use: promote developer adoption of OSCAL so that tools are available for organizations to build, customize, and use OSCAL information
- Aim: improve the efficiency, accuracy, and consistency of system security assessments

OSCAL goals
- Have OSCAL-enabled tools (existing and new) and OSCAL-formatted content widely available
- Have OSCAL use enable:
  - A large decrease in assessment-related labor
  - The ability to assess a system's security much more often, ideally continuously
  - The ability to assess a system's compliance with several sets of requirements simultaneously
  - The consistent performance of assessments, regardless of system type

A note about terminology

OSCAL term   Meaning
Control      A safeguard or countermeasure designed to satisfy a set of defined security requirements. [Based on the NIST SP 800-53 definition]
Catalog      A set of security control definitions. Examples include the hundreds of controls in NIST SP 800-53, the 100+ controls in ISO 27002, and the practices in COBIT 5.
Profile      A set of security requirements; also called a baseline or overlay. Examples include the control baselines in NIST SP 800-53, the FedRAMP baselines, and the PCI DSS requirements.
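The catalog/profile relationship in the terminology table is what turns a baseline into something a machine can act on: a profile imports a catalog, selects controls by id or pattern, and tailors their parameters, and a resolver materializes the result. The following is an added example, not code from the slides or from NIST's OSCAL tooling. It is a toy Python resolver over two constructed OSCAL-style JSON documents. The catalog, the profiles, the control ids (ac-1, ac-2, au-2, ac-99) and the parameter value are all made up; the JSON layout follows the OSCAL 1.x model (catalog/groups/controls, profile/imports/include-controls, profile/modify/set-parameters) as understood by the author of this example, which may differ from the draft schemas current when the talk was given. Merge directives and "alters" are deliberately left out.

```python
"""Toy OSCAL profile resolver (added example; not code from the slides or NIST).

Labelled assumptions: the catalog and profiles below are constructed and follow
the OSCAL 1.x JSON layout (catalog -> groups -> controls, profile -> imports ->
include-controls, profile -> modify -> set-parameters) as the example's author
understands it. Only control selection (by id or glob pattern) and parameter
overrides are handled; merge directives and 'alters' are omitted.
"""
import copy
import fnmatch
import json

# Constructed sample catalog: two families, three controls, one parameter.
CATALOG_JSON = json.dumps({"catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Sample catalog", "version": "1.0", "oscal-version": "1.0.0"},
    "groups": [
        {"id": "ac", "class": "family", "title": "Access Control", "controls": [
            {"id": "ac-1", "title": "Policy and Procedures",
             "params": [{"id": "ac-1_prm_1", "label": "review frequency"}],
             "parts": [{"id": "ac-1_smt", "name": "statement",
                        "prose": "Review the access control policy {{ insert: param, ac-1_prm_1 }}."}]},
            {"id": "ac-2", "title": "Account Management",
             "parts": [{"id": "ac-2_smt", "name": "statement", "prose": "Manage system accounts."}]}]},
        {"id": "au", "class": "family", "title": "Audit and Accountability", "controls": [
            {"id": "au-2", "title": "Event Logging",
             "parts": [{"id": "au-2_smt", "name": "statement", "prose": "Identify events to log."}]}]}]}})

# Constructed sample profile (a baseline): every AC control plus au-2, with the
# AC-1 review frequency set. The href is a placeholder; the catalog is passed in directly.
PROFILE_JSON = json.dumps({"profile": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Sample baseline", "version": "1.0", "oscal-version": "1.0.0"},
    "imports": [{"href": "sample-catalog.json",
                 "include-controls": [{"matching": [{"pattern": "ac-*"}]}, {"with-ids": ["au-2"]}]}],
    "modify": {"set-parameters": [{"param-id": "ac-1_prm_1", "values": ["at least annually"]}]}}})

# Constructed profile with an imprecise mapping: ac-99 does not exist in the catalog.
BAD_PROFILE_JSON = json.dumps({"profile": {
    "uuid": "00000000-0000-4000-8000-000000000003",
    "metadata": {"title": "Broken baseline", "version": "1.0", "oscal-version": "1.0.0"},
    "imports": [{"href": "sample-catalog.json", "include-controls": [{"with-ids": ["ac-1", "ac-99"]}]}]}})


def index_controls(catalog):
    """Flatten groups (including nested groups and enhancements) into an ordered {id: control} map."""
    index = {}

    def walk_controls(controls):
        for control in controls:
            index[control["id"]] = control
            walk_controls(control.get("controls", []))

    def walk_groups(groups):
        for group in groups:
            walk_controls(group.get("controls", []))
            walk_groups(group.get("groups", []))

    walk_groups(catalog.get("groups", []))
    walk_controls(catalog.get("controls", []))
    return index


def select_ids(selector, index):
    """Ids chosen by one include/exclude-controls entry. A dangling id or a pattern
    that matches nothing is an error: silently skipping it is exactly the imprecise,
    unverifiable mapping the slides complain about."""
    chosen = []
    for cid in selector.get("with-ids", []):
        if cid not in index:
            raise KeyError(f"profile references control {cid!r} that is not in the catalog")
        chosen.append(cid)
    for match in selector.get("matching", []):
        hits = [cid for cid in index if fnmatch.fnmatchcase(cid, match["pattern"])]
        if not hits:
            raise KeyError(f"pattern {match['pattern']!r} matched no control")
        chosen.extend(hits)
    return chosen


def resolve_profile(profile_doc, catalog_doc):
    """Produce a flat resolved catalog: the selected controls with parameter values applied.
    Controls are deep-copied so the source catalog is never mutated."""
    profile, catalog = profile_doc["profile"], catalog_doc["catalog"]
    index = index_controls(catalog)
    selected = {}  # insertion-ordered and de-duplicated
    for imp in profile.get("imports", []):
        if "include-all" in imp:
            selected.update(copy.deepcopy(index))
        for sel in imp.get("include-controls", []):
            for cid in select_ids(sel, index):
                selected.setdefault(cid, copy.deepcopy(index[cid]))
        for sel in imp.get("exclude-controls", []):
            for cid in select_ids(sel, index):
                selected.pop(cid, None)
    for setting in profile.get("modify", {}).get("set-parameters", []):
        params = [p for c in selected.values() for p in c.get("params", []) if p["id"] == setting["param-id"]]
        if not params:
            raise KeyError(f"set-parameters targets unknown parameter {setting['param-id']!r}")
        for param in params:
            param["values"] = list(setting["values"])
    return {"catalog": {"uuid": profile["uuid"], "metadata": profile["metadata"],
                        "controls": list(selected.values())}}


def resolve_json(profile_json, catalog_json):
    """Resolve serialized documents; returns (resolved, None) or (None, error message)."""
    try:
        return resolve_profile(json.loads(profile_json), json.loads(catalog_json)), None
    except KeyError as err:
        return None, err.args[0]


if __name__ == "__main__":
    resolved, _ = resolve_json(PROFILE_JSON, CATALOG_JSON)
    print([c["id"] for c in resolved["catalog"]["controls"]])  # ['ac-1', 'ac-2', 'au-2']
    print(resolve_json(BAD_PROFILE_JSON, CATALOG_JSON)[1])
```

The one design decision worth copying into a real pipeline is the failure mode: a profile entry that points at a control the catalog does not have, or a pattern that selects nothing, is rejected rather than dropped. A baseline that quietly shrinks because an id was mistyped is the "imprecise mapping" problem from the challenges slide, and it is only detectable when the mapping is machine-readable and checked.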

Source: PDF grc-f01-security-automation-simplified-via-nist-oscal-we_re-not-in-kansas-anymore, 31 pages; only the first 3 pages are previewed above. Uploaded by 思安 on 2022-12-05.