Litreview #4
base: main
Conversation
xee5ch
left a comment
Some initial questions and comments; I am willing to contribute items to the literature and draft edits if it is deemed appropriate.
| <div class="usa-alert__body"> | ||
| <h4 class="usa-alert__heading">Use Case 1: Leverage Security Artifacts Between Agencies</h4> | ||
| <p class="usa-alert__text"> | ||
| Agency A uses C-ATO to authorize a new platform. Agency B wants to authorize the same platform and leverage the machine-readable artifacts of Agency A to shorten their authorization process from months to days. |
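Review bot: the use case in the `<p class="usa-alert__text">` paragraph says Agency B "leverage[s] the machine-readable artifacts of Agency A" but does not say which artifacts are reused or how Agency B establishes that they are authentic and current; a reader cannot tell whether this means reusing Agency A's system security plan and assessment results as evidence or inheriting the authorization decision itself. Suggest naming the artifact types and adding a sentence on how the receiving agency validates the provenance and integrity of what it reuses, since the "from months to days" claim depends on trusting those artifacts without a full re-assessment.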
Per NIST SP 800-37 Revision 2 Appendix F p. 163, this summary could allude to either ATO (authorize to operate) or ATU (authorize to use). Do we know which one is meant here? ATU could be what this use case means or a separate new use case.
What is the relevance to the techdata group in this initiative? That changes what is shared and how (specifically, which instances of OSCAL models you share) and a bunch of process/mission changes that come with it.
| C-ATO can help streamline the generation and maintenance of A&A artifacts through automation. Currently, these activities are time-consuming and labor-intensive. Steps for C-ATO adoption: | ||
| 1. define a strategy | ||
| 2. make a plan | ||
| 3. ready your organization |
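Review bot: the three numbered steps ("define a strategy", "make a plan", "ready your organization") are too generic to act on and do not say what distinguishes a strategy from a plan or what "ready" means in practice; suggest either expanding each step with one sentence on its concrete output, or linking each to the section of the document that elaborates it. Minor: the items are lowercase sentence fragments without terminal punctuation, inconsistent with the surrounding prose.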
Re these adoption/maturity steps, this means the implied prerequisite environment is green field and an organization that is "starting from scratch", to use a metaphor? It might help to address these assumptions at the beginning of the document regarding what is and isn't in scope of the work.
|
|
||
| The following government-wide programs or agencies have adopted C-ATO and are leveraging OSCAL. | ||
|
|
||
| 1) FedRAMP - Adopting and moving all FedRAMP-authorized services to C-ATO through OSCAL. |
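Review bot: the claim in "FedRAMP - Adopting and moving all FedRAMP-authorized services to C-ATO through OSCAL" is unsourced and stated in absolute terms ("all"); suggest citing the FedRAMP publication or announcement that supports it, or qualifying the statement to what is actually documented. Minor: this list uses "1)" numbering while the adoption steps above use "1."; pick one style.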
Has the FedRAMP PMO or anyone in GSA officially described the FedRAMP process as cATO/C-ATO? I have never heard them describe themselves that way, so it is interesting to attribute that label to them in this document.
| @@ -0,0 +1,50 @@ | |||
| # Overview | |||
|
|
|||
| Continuous ATO (C-ATO) is an organizational initiative to automate security compliance activity. In collaboration with industry, NIST is developing the Open Security Controls Assessment Language (OSCAL), a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. A security team will likely only work with OSCAL indirectly but through a tool. The purpose of OSCAL is a standardized, machine-readable format to share artifacts between Governance, Risk, and Compliance (GRC) and software automation tools or programs. | |||
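Review bot: the Overview paragraph defines C-ATO in a single unsourced sentence and then moves to OSCAL without stating how the two relate; suggest a sentence that links them (for example, that C-ATO depends on machine-readable artifacts of the kind OSCAL provides) and a citation for the C-ATO definition, since the later use cases lean on it. Wording: "will likely only work with OSCAL indirectly but through a tool" reads awkwardly; "will likely work with OSCAL only indirectly, through a tool" is clearer.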
Are we going to reference the final DoD memo or the related NIST whitepaper (I believe it was NIST.CSWP.3, which was later subsumed as part of NIST SP 800-37 Revision 2, where these concepts were originally defined)? Kessel Run staff helped establish the DoD interpretation, but it is rooted in whitepapers presenting a modern interpretation of C-ATO as a method of applying RMF, or rather it was really Continuous RMF. These concepts seem important to define and source in this document as key assumptions, no?
Combined literature review. Closing #1 and #3