03/14/2024 Common Cloud Controls - OSCAL WG #145

crawfordchanel opened this issue Mar 13, 2024 · 7 comments

@crawfordchanel

Date

03/13/2024 - 12:00 PM ET / 16:00 UK

Untracked attendees

  • Fullname, Affiliation, (optional) GitHub username

Meeting notices

  • FINOS Project leads are responsible for observing the FINOS guidelines for running project meetings. Project maintainers can find additional resources in the FINOS Maintainers Cheatsheet.

  • All participants in FINOS project meetings are subject to the LF Antitrust Policy, the FINOS Community Code of Conduct and all other FINOS policies.

  • FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.

  • FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.

Agenda

Zoom info

Join Zoom Meeting
https://zoom.us/j/93861901920

Meeting ID: 938 6190 1920
Passcode: 284383


Dial by your location
• +1 719 359 4580 US
• +1 253 205 0468 US
• +1 253 215 8782 US (Tacoma)
• +1 301 715 8592 US (Washington DC)
• +1 305 224 1968 US
• +1 309 205 3325 US
• +1 312 626 6799 US (Chicago)
• +1 346 248 7799 US (Houston)
• +1 360 209 5623 US
• +1 386 347 5053 US
• +1 507 473 4847 US
• +1 564 217 2000 US
• +1 646 558 8656 US (New York)
• +1 646 931 3860 US
• +1 669 444 9171 US
• +1 669 900 6833 US (San Jose)
• +1 689 278 1000 US
• 855 880 1246 US Toll-free
• 877 369 0926 US Toll-free
• +1 438 809 7799 Canada
• +1 587 328 1099 Canada
• +1 647 374 4685 Canada
• +1 647 558 0588 Canada
• +1 778 907 2071 Canada
• +1 780 666 0144 Canada
• +1 204 272 7920 Canada
• 855 703 8985 Canada Toll-free

Find your local number: https://zoom.us/u/acPjHdY2IO

crawfordchanel added the Meeting label (Denotes a working group or project meeting) on Mar 13, 2024
@robmoffat

Rob / FINOS ☁️

@iMichaela

Michaela Iorga/NIST

@mlysaght2017

Mike L /Citi

@rgriffiths-scottlogic

Robert Griffiths / Scott Logic

@zeal-somani

Zeal Somani / JupiterOne

@crawfordchanel

Chanel Crawford - Citi

crawfordchanel self-assigned this on Apr 9, 2024
@crawfordchanel

Meeting Summary:

MI: Created a source directory with subdirectory examples. In future, will be able to create deliverables, profiles and/or component definitions. XML and JSON available.

MI: Created a local make file. It can be run to generate other versions, which can then be pushed to the GitHub repository. The make file can be used locally, but in the future can also be expanded and then used under Actions on the GitHub repository.

Cleaning tool available – OSCAL CLI is a Java-based implementation that helps to do conversion and validation of all formats and maintains it to the latest version. Provided demonstration of tool.
Grouping capabilities: Grouping allows you to bundle controls in the way you want them. Threat group by type of threat. Can bundle controls the way you want. Group by threat or mitigations. Grouping by type of threat.

MI
Trying to understand the vision. Do we use the logical controls and pass those to the Cloud Service providers and expect a report just at the level of the controls? Or is the vision that the process is going to go beyond that and say, do you? An analysis with respect to the threats that were identified and the mitigations?

The information that is gathered by the working groups and how this is generated in OSCAL needs to support the process and the vision that is for this work. And this is where I'm struggling to help the team to identify the optimal representation, because I do not understand: what is the vision?

ML
Honestly, I think there is a dedicated working section.

MI
Agreed. Definition of assessment needed. Intention defined because there are several ways of capturing the threat as props with the controls, and then a tool would use that to group them. But the optimal way depends on what the vision is and the process that this working group was to support.

ML
I think an action around finding what our objectives are from an assessment perspective is the next good step for us to take. I see the guys from LSEG have joined.

LA
Agree with dedicated working group. LSEG has a proposal. Provided demonstration.

crawfordchanel added the OSCAL representation of FINOS CCC label (Work related to representing CCC in OSCAL, partnering with NIST to understand how to represent in OS) on Apr 9, 2024