Support for NIST SP 800-161 Appendix F, for Executive Order 14028?

[rjb4standards]

Are there any plans to produce OSCAL artifacts for NIST 800-161 Appendix F, supporting Executive Order 14028?

[iMichaela]

@rjb4standards - Unfortunately NIST OSCAL team does not have the cycle, any time soon, to generate the requested information.
If you are interested in the F-x tables in the Appendix F of SP 800-161, those are good candidates for OSCAL profile(s). There are 2 ways of including the E.O 14028 mapping:

1. The catalog of controls will have to be first altered to include the E.O.14028 mapping for the listed controls by using props, then the profile will import only the controls listed in the tables, bringing forward the mapping in the process.
2. Alternatively, one can generate first a resolved profile with the listed controls from the F-x tables and then alter the obtained catalog to add the E.O 14028 using again props. I think I prefer 2), so the 800-53 catalog remains intact.

[rjb4standards]

Thank you for the quick response, Michaela.

[sunstonesecure-robert]

I can bring it up to the CNCF supply chain group. Also The Kubernetes Policy WG is working on Profile alignment, inclusive of supply chain management policies, so I can discuss if we can contribute back a PR to OSCAL. No guarantees but we'll discuss options.

…

On Fri, Jan 14, 2022 at 6:20 AM Dick Brooks ***@***.***> wrote: Thanks you for the quick response, Michaela. — Reply to this email directly, view it on GitHub <#1085 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AQWTGFDI76QNNRTXO4VS6GLUWAWMFANCNFSM5L4XN6PA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[rjb4standards]

Thanks for offering to research this matter. I know that NIST SCRM is working on update to Appendix F to provide guidance needed to implement EO 14028 and the Senate passed legislation on Wednesday that would also fit into this category, i.e., training regarding cybersecurity supply chain risk assessments.

[aj-stein-nist]

I can bring it up to the CNCF supply chain group. Also The Kubernetes Policy WG is working on Profile alignment, inclusive of supply chain management policies, so I can discuss if we can contribute back a PR to OSCAL. No guarantees but we'll discuss options.

Do you have more details on this? You are looking into 800-161 (either appendix) and contributing it back, @sunstonesecure-robert?

[aj-stein-nist]

FYI we also have an open call in #1080 for use cases in components/SSPs. Not 100% relevant to this (re catalog, profile creation, and/or catalog mappings), but I am not sure someone has asked about "a component in a def or SSP that shows supporting evidence around 800-161 controls" yet. Just a thought! :-)

[rjb4standards]

Supporting evidence will be key for SP 800-161, but SBOM vulnerability reporting is also gaining momentum. This week Cyclone DX announced V 1.4 with support for vulnerability reporting in their NTIA supported SBOM standar. I posted an article recently about the various methods for vulnerability reporting after receiving a message from Allan Friedman of CISA: https://energycentral.com/c/um/terminology-confusion-regarding-vulnerability-reporting

[aj-stein-nist]

Supporting evidence will be key for SP 800-161, but SBOM vulnerability reporting is also gaining momentum. This week Cyclone DX announced V 1.4 with support for vulnerability reporting in their NTIA supported SBOM standar. I posted an article recently about the various methods for vulnerability reporting after receiving a message from Allan Friedman of CISA: https://energycentral.com/c/um/terminology-confusion-regarding-vulnerability-reporting

I will have to look later since this requires a membership and I cannot access it even with Javascript disabled. I will have to review from a personal workstation another time.

If you see how evidence of 800-161 and/or SBOM vulnerability reporting would fit into documenting an information system for federal government use and would like to experiment with that, I would really appreciate a quick summary of the specific use case in #1080. Eventually the team will vet those requests and try to design examples after we hear from the community are of the most interest.

Michaela spoke to the catalog thing, and I agree with that! It is a tall order that would need community effort. :-)

[rjb4standards]

Thanks, Alexander. The next release of SP 800-161 is expected to come out sometime in February. Then we'll all have a better sense for what those Appendix F EO 14028 requirements will be, then we should be able to construct a use case for EO 14028.

[iMichaela]

@aj-stein-nist - we can take it internally at NIST with the authors. If Jon et. all. wants to release the data in OSCAL, and if we can get a little help, we might be able to generate the SP 800-161 Appendix F tables with the mapping to the EO 14028 in OSCAL. Examples, use cases, and SBOM beyond the existing inventory is a lot more of work. As of today, we have a full plate with the conference, the workshop and getting the updated for the OSCAL 1.1.0 out.

@rjb4standards - BUT if the community can pitch in and become the driving force for this effort, we are here to provide guidance starting today. The lowest hanging fruit would be the Appendix F, F-x tables as profiles with the controls enhanced to capture the mapping to the EO requirements. I believe that the OSCAL 1.1.0's Mapping Model could also be used if waiting for the OSCAL 1.1.0 release is acceptable.

[rjb4standards]

Thanks, Michaela.
Reliable Energy Analytics (REA) stands ready to work with any entity in the EO 14028 community that wants to start working/planning their implementation today following NIST SP 800-161 Appendix F and the NTIA SBOM requirements, including the pursuit of an OSCAL artifact, if the EO 14028 community wishes to pursue this effort.

[iMichaela]

@rjb4standards - This is great. We can provide guidance to community members interested in rolling sleaves.

[GaryGapinski]

Can NIST supply SP 800-161 in a format other than PDF? (I presume there is at least one precursor format).

[david-waltermire]

usnistgov/oscal-content#22 is an issue for doing this. As mentioned in this thread, we do not have the cycles to work on this at the moment and there is now SP 800-53 rev5 OSCAL content which contains the privacy-related controls.