You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<p>In particular, the design of the OSCAL Profile layer, in relation to the Catalog layer, reflects the use of control catalogs as outlined in NIST SP800-53 – specifically the concept of <em>baselines</em> and <em>overlays</em> over a base catalog. And then, as we see in the real world, overlays on the overlays. In OSCAL, <ahref="profile">profiles</a> are generalized to be applicable to any set of information presented in catalog form. Thus, the idea of tailoring in application can be applied not only to security guidelines in general, but also in mixed environments that have to address requirements in more than one catalog at a time.</p>
382
382
</li>
383
-
<li><strong>Implementation:</strong> Defines how each profile item is implemented for a given system component. This can represent a machine-readable system security plan in OSCAL format. It will also support transforms from the machine-readable form to a human-readable version.</li>
384
-
<li><strong>Assessment:</strong> Describes how the system assessment is to be performed.</li>
385
-
<li><strong>Assessment Results:</strong> Records the findings of the assessment.</li>
386
-
</ul>
383
+
<li>
384
+
<p><strong>Implementation:</strong> Defines how each profile item is implemented for a given system component. This can represent a machine-readable system security plan in OSCAL format. It will also support transforms from the machine-readable form to a human-readable version.</p>
385
+
</li>
386
+
<li>
387
+
<p><strong>Implementation:</strong> The OSCAL implementation layer consists of two models: The component definition (planned) and the system security plan (SSP).</p>
388
+
389
+
<p>The <em>component definition</em> model, which is currently under development, will allow for the definition of a set of <em>components</em> that each provide structured information about a distinct hardware, software or services offering; or specific policy, proceedure, or compliance artifact.</p>
390
+
391
+
<p>Each defined component describes where appropriate:</p>
387
392
388
-
<p>As the project <ahref="/OSCAL/learnmore/roadmap/">progresses</a>, these definitions are expected to evolve; they are included here to indicate the current status within OSCAL and may not the represent the final definitions for each model. The above is a high-level explanation of the basic constructs supported by OSCAL. These constructs exist in all OSCAL bindings (e.g., XML, JSON). At this time, the material covers OSCAL controls, catalogs, and profiles. Additional OSCAL constructs will be added as they are developed and matured.</p>
393
+
<ul>
394
+
<li>Information about the organization that provides, developes, and manages the thing described by the component;</li>
395
+
<li>Characteristics of the component, such as its name, version, model, last-modified date, etc;</li>
396
+
<li>Details about the controls that could be satisfied by the component;</li>
397
+
<li>Configuration options for achieving specific security or privacy objectives; and</li>
398
+
<li>Assessment tests or scripts that may be used to validate the component’s implementation.</li>
399
+
</ul>
400
+
401
+
<p>The component definition model will also allow grouping related components into capabilities, and documenting how the combination of components in a capability together could satisfy specific controls that are not fully satisfied by a single component on its own.</p>
402
+
403
+
<p>A component can be used to document and share: 1) proof of compliance for a secuirty requirement for hardware or software, such as FIPS 140-2 validated cryptography, 2) to document information about how a hardware, software, or service offering supports specific security or privacy controls, or 3) demonstrate how a policy or proceedure implements a given set of security or privacy controls. These component definitions can be used by organizations implementing the things defined by the component to provide a significant amount of details needed when documenting a systems security and privacy control implemention in a system security plan.</p>
404
+
405
+
<p>The SSP model, which has been released as a draft, enables full modeling of highly granular SSP content, including points of contact, system characteristics, and control satisfaction descriptions. At a more detailed level, this includes the system’s authorization boundary, information types and categorization, inventory, and attachments. In terms of control satisfaction, it models control parameter values, responsible roles, implementation status, control origination, and a description of control satisfaction at a level of the granularity down to a specific control statement. Control satisfaction can be defined for the system as a whole or for individual implemented components.</p>
406
+
407
+
<p>The component and SSP models are designed to work together. As specific components are selected for use within a system, the content of the relevant component definition files inform and populate the use of these components within the SSP model. The SSP model can also be used to represent systems that do not define information at the granularity of a specific compoent, where component definitions do not exist.</p>
408
+
</li>
409
+
<li><strong>Assessment:</strong> Is a planned model that will describe how a system assessment is to be performed.</li>
410
+
<li><strong>Assessment Results:</strong> Is a planned model that will record the findings of a specific assessment.</li>
411
+
</ul>
389
412
413
+
<p>The OSCAL layers described above provide a high-level explanation of the OSCAL models. As the project <ahref="/OSCAL/learnmore/roadmap/">progresses</a>, the features of these models are expected to evolve; these layer descriptions are included here to indicate the current status of the related models within OSCAL and may not the represent the final features supported by each model. XML, JSON, and YAML formats for each model will be provided when the model is released.</p>
414
+
415
+
<p>The following is the release state of each model, along with download links for the latest versions of schema for each model in XML and JSON formats. YAML is also supported through conversion between JSON and YAML, but YAML schemas are not yet provided because a suffecient YAML schema language has not been identified.</p>
Copy file name to clipboardexpand all lines: docs/profile/index.html
+1-1
Original file line number
Diff line number
Diff line change
@@ -352,7 +352,7 @@ <h1>Profile</h1>
352
352
<ul>
353
353
<li>Which controls are <em>selected</em> from the catalog and thereby considered to be in scope for the application;</li>
354
354
<li>How the control selection should be <em>organized</em> and represented, including whether and how competing control definitions are to be resolved and merged;</li>
355
-
<li>Whether and where any controls are to be <em>configured</em> or modified; this includes setting parameter values for a catalog but also potentially amending the language given in controls and subcontrols, to describe their application in the system.</li>
355
+
<li>Whether and where any controls are to be <em>configured</em> or modified; this includes setting parameter values for a catalog but also potentially amending the language given in controls to describe their application in the system.</li>
356
356
</ul>
357
357
358
358
<p>See <ahref="/OSCAL/resources/examples/profiles/">examples</a> of OSCAL profiles.</p>
0 commit comments