Abstract: Open Security Controls Assessment Language (OSCAL) is the foundation for security automation, with particular focus on continuous authorization to operate (ATO) processes and continuous monitoring. OSCAL provides machine-readable representations of control catalogs, control baselines (profiles), system security plans, assessment plans, assessment results, and plans of action and milestones (POA&M), in a set of formats expressed in XML, JSON, and YAML. The goal is to become familiar with the OSCAL architecture and formats, and with how these models can be used to support security assessment automation, continuous monitoring, continuous ATO, and development, security, and operations (DevSecOps). This is an introduction to the NIST SP 800-53 (Rev4 and Rev5) catalogs, assessment objectives, and associated baselines in OSCAL. We will explore OSCAL-based automation solutions, starting with the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office's (PMO) efforts to digitize authorization packages submitted in OSCAL, and present FedRAMP's updated OSCAL resources, which include a comprehensive set of guides for additional deliverables.
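To make the catalog/baseline relationship the abstract describes concrete, here is an added example (not part of the talk or of the OSCAL project's own tooling) that applies a profile's control selection to a catalog. The catalog and profile are constructed, stripped-down JSON documents that follow OSCAL's catalog/profile layout (`groups`, `controls`, `imports`, `include-controls`, `exclude-controls`, `with-ids`) but omit required metadata such as `last-modified`; the resolver is a deliberately simplified version of OSCAL profile resolution, not the specification's full algorithm.

```python
import json

# Constructed minimal OSCAL catalog (hypothetical sample data, not SP 800-53 content).
CATALOG = {"catalog": {"uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Sample Catalog", "version": "1.0", "oscal-version": "1.0.0"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-1", "title": "Policy and Procedures"},
            {"id": "ac-2", "title": "Account Management", "controls": [
                {"id": "ac-2.1", "title": "Automated System Account Management"}]}]},
        {"id": "au", "title": "Audit and Accountability", "controls": [
            {"id": "au-1", "title": "Policy and Procedures"},
            {"id": "au-2", "title": "Event Logging"}]}]}}

# Constructed OSCAL profile (a baseline): import the catalog, select by id, then exclude one.
# The href is a placeholder; in a real profile it points at the catalog document or resource.
PROFILE = {"profile": {"uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Sample Low Baseline", "version": "1.0", "oscal-version": "1.0.0"},
    "imports": [{"href": "sample-catalog.json",
        "include-controls": [{"with-ids": ["ac-1", "ac-2", "au-2"]}],
        "exclude-controls": [{"with-ids": ["au-2"]}]}]}}

def iter_controls(node):
    """Yield every control in a catalog, recursing through groups and nested controls."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for ctrl in node.get("controls", []):
        yield ctrl
        yield from iter_controls(ctrl)   # enhancements are nested under their parent control

def resolve_profile(profile, catalog):
    """Simplified profile resolution: apply include-all / with-ids includes, then excludes.
    Returns selected control ids in catalog order. Full OSCAL resolution also handles
    matching patterns, with-child-controls, and the merge and modify phases (omitted here)."""
    index = {c["id"]: c for c in iter_controls(catalog["catalog"])}
    selected = set()
    for imp in profile["profile"]["imports"]:
        if "include-all" in imp:
            selected.update(index)
        for inc in imp.get("include-controls", []):
            selected.update(i for i in inc.get("with-ids", []) if i in index)
        for exc in imp.get("exclude-controls", []):
            selected.difference_update(exc.get("with-ids", []))
    return [cid for cid in index if cid in selected]

if __name__ == "__main__":
    print(json.dumps(resolve_profile(PROFILE, CATALOG)))   # ["ac-1", "ac-2"]
```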
About the Speaker
Dr. Michaela Iorga serves as senior security technical lead for cloud computing with the National Institute of Standards and Technology (NIST), Computer Security Division. She also co-leads the Open Security Controls Assessment Language (OSCAL) project and chairs the NIST Cloud Computing Public Security and Forensics Working Groups. Having previously served in a wide range of consulting positions in both government and private-sector industries, Dr. Iorga has a deep understanding of cybersecurity, risk assessment, and information assurance for cloud and fog computing and IoT systems. In her role at NIST, Dr. Iorga supports the development and dissemination of cybersecurity standards and guidelines that meet national priorities and promote American innovation and industrial competitiveness. Aligned with NIST's mission, Dr. Iorga's work focuses in particular on collaborating with industry, academia, and other government stakeholders to develop high-level, vendor-neutral security and forensics guidance. Dr. Iorga received her Ph.D. from Duke University in North Carolina, USA.