CMMC Renews Focus on OSCAL
By Matt Malarkey | Date published: 21 May 2021
The rollout of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program continues to raise questions about reciprocity and harmonization between other cybersecurity requirements that contractors are subject to, such as the Federal Risk and Authorization Management Program (FedRAMP). This is resulting in increased discussion about using the Open Security Controls Assessment Language (OSCAL) to make the compliance assessment process of cybersecurity standards more effective and efficient. Matt Malarkey, Titania's VP of Strategic Alliances, explains.
Developing OSCAL The National Institute of Standards and Technology (NIST) is developing the OSCAL as a standardized, data-centric framework that can be applied to an information system for documenting and assessing its security controls, which can then be used to evidence compliance against different frameworks.
Government agencies, the private sector, and non-profits must comply with a wide variety of regulatory standards and frameworks that seek to address information security and privacy risk through the implementation of selected controls that need to be verified and shown to be effective. However, these requirements can overlap in scope which can cause confusion, and they can also evolve over time, making it difficult for organizations to manage and demonstrate evidence of their compliance requirements.
A private sector company that receives federal grant money may need to comply with the Federal Information Security Modernization Act (FISMA). If the company is also a contractor to the US government and processes controlled unclassified information (CUI) on its networks, it must comply with NIST SP 800-171. And, if its supports Department of Defense (DoD) contracts, it will soon also be required to evidence compliance with the Cybersecurity Maturity Model Certification (CMMC).
Equally, in addition to meeting FISMA requirements, a federal agency that handles health records and/or provides healthcare services where payments are collected, must comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) respectively.
However, the varying security controls and control baselines, such as those associated with the aforementioned frameworks, are represented in proprietary formats, requiring data conversion and manual effort to describe their implementation. This increases the complexity of assessing individual requirements and makes the effort of evidencing compliance both time and resource intensive. So, there is a need to simplify this complexity for organizations that are subject to multiple compliance frameworks, whilst still ensuring the conduct of appropriate security and risk management practices.
Is NIST designing OSCAL to address this issue?
OSCAL provides a standardized format that helps to streamline and homogenize the processes of documenting, implementing, and assessing security controls. It uses seven models to express security control information, how controls are implemented and assessed, and the results of that assessment. OSCAL formats the information in multiple languages, XML, JSON, and YAML, providing a common means to identify and standardize assessment information.
By transitioning the assessment and reporting of security controls and control baselines from a text-based and manual approach (i.e., using word processors or spreadsheets) to a normalized, machine-readable format, the automation enabled by the OSCAL will:
- Reduce complexity, time, and paperwork needed to assess the implementation of controls
- Ensure consistency of data in both format and mapping to requirements and controls
- Provide ongoing, automated assessment, allowing any drift in control implementation to be detected as it occurs, reducing the MTTD and overall risk Integrate machine-readable data with other security tools to provide additional automation
- Decrease implementation costs Enable the simultaneous, continuous assessment of a system's security against multiple sets of requirements.
Providing its findings in the OSCAL-compatible machine-readable format, Titania’s solutions are used to automate security and compliance assessments for routers, switches, and firewalls with the likes of NIST 800-53 and NIST 800-171.
If you’d like to continue the discussion around the role of cybersecurity standards in advancing supply chain risk management, you can catch up with our On Demand webinar with Dr. Ron Ross (NIST), John Weiler (IT Acquisition Advisory Council), Titania CEO, Phil Lewis, and Matt Malarkey to delve further into the topic.