hackmd.io/@3oiloo_VSrOgO1isWbZTmw
Active Web Watch
  • BloSS@M ATO Process Before ATO can be demonstrated fully:
  • oscal-content 1.x.x release will be a minor release ?? patch release ??? with minor enhancements to the NIST SP 800-53 catalog and alignment with the NIST SP 800-53 v5.1.1 CPRT release. Key Take-aways for Ready Changes Key take-aways for this release are as follows: resolved profiles by adding and by aligning the catalog and the profiles with the NIST SP 800-53 v5.1.1 release. Enhances the NIST SP 800-53 catalog with links added to the assessment objectives to link them with the control statements they belong to. Updated NIST SP 800-53 content to align with the NIST SP 800-53 v5.1.1 CPRT release. Updated profiles and resolved profiles to align with the NIST SP 800-53 v5.1.1 CPRT released data.
  • FY24 OSCAL tasks and responsibilities The following table aims to aggregate tasks and responsibilities the team is taking over from AJ as of Nov 1st 2023. To have a more adequate picture, I recommend we include current tasks and responsibilities as well. I will need help from the team to keep the table current and accurate. PLEASE FEEL FREE TO ADD TASKS OR PROPOSE DIFFERENT RESPONSIBLE PARTIES. Task or responsibility Notes Responsible member ITL-oscal-admin
  • Background Aligned with [#1688](https://github.com/usnistgov/OSCAL/issues/1688). See: Original HackMD Organization This document aims to capture a list of value streams for OSCAL adopters of how to use OSCAL models as part of my governance program. A value stream is a thematic collection of work items, varying in scope of work by quantity or quality (large epics to small issues), related to the same theme in that work. [[The list is partial, not exhaustive. We would like to hear from readers and community members on ways they have found to use OSCAL models, together or separately, to accomplish their goals.]] [[above 'my governance program'? Maybe as part of a risk management program? System security assurance program? etc. maybe it is intended to be 'any governance program'?]]
  • Background Aligned with [#1688](https://github.com/usnistgov/OSCAL/issues/1688). See: Original HackMD Organization This document aims to capture a non-exhaustive list of value streams for OSCAL adopters of how to use OSCAL models as part of my governance program. A value stream is a thematic collection of work items, varying in scope of work by quantity or quality (large epics to small issues) related to the same theme in that work. Value streams grouped by use case [TBD]: Find a way to include the OSCAL models that can be used to accomplish the VS.
  • Proposed update to existing landing page _index.md title: OSCAL Specification layout: home toc: enabled: false NIST maintains specifications for each OSCAL release and the latest development snapshot. All specifications are available on the model specifications page. Each specification consists of an outline, an index, and a reference, for both JSON and XML formats.
  • SLIDE 1: Agenda TBD SLIDE 2: Pieces of the Puzzle place CPRT OLIR and OSCAL 'pieces' on the larger Enterprise Risk Management puzzle SLIDE(s) 3, 4, ..: Assembling the Puzzle
  • Charter Table of Contents Objectives Roles Scope Qualification Structure Selection Objectives
  • For the audience WiFi White List Requirements *.nist.gov raw.githubusercontent.com *.github.com ghcr.io npmjs.com *.docker.com vscode.dev *.visualstudio.com
  • How to tell the story of specific OSCAL topics we work on? Placeholder for the 'story' AJ wants to propose.
  • Draft an ADR for labels Related to Issue [#1496](https://github.com/usnistgov/OSCAL/issues/1496) Overall notes: https://hackmd.io/YS5ib1yMQ4ab-7Ocyy2vUA Begin ADR Draft Use of Labels in OSCAL Project(s) Date: 02/16/2023 Status Proposed
  • Dear OSCAL Community Members, You are kindly invited to the inaugural virtual meeting of NIST OSCAL Research pillar. The associated OSCAL DEFINE (Develop Enhancements, Future Implementations and New Education) meeting series will cover the research and educational pursuits of OSCAL using an iterative and collaborative approach with the community. Our goal is to establish an OSCAL research framework that allows topics to receive the necessary definition and understanding, sufficient to create educational content, demonstrate usage in practice, gain community’s endorsement, and serve as a catalyst for continued development of OSCAL. During the first meeting, Chris Compton will present the proposed research framework and highlight the process through the OSCAL (Customer/Shared) Responsibilities Matrix Model research he is currently performing. Agenda: Welcome Meeting Norms
  • Draft an ADR how to handle EPICs and the related issues Related to Issue [#1496](https://github.com/usnistgov/OSCAL/issues/1496) Overall notes: https://hackmd.io/YS5ib1yMQ4ab-7Ocyy2vUA
  • Increase Active Participation (1.a) Deadline: #12-31-2023 Responsible Parties: #Michaela Status: #EPIC Related: [[1]] [[1-b]] [[1-ii]] [[PKI]] _Increase instances of active participation by external contributors in official feedback media rate by average of 20% by 12/31/23. (Michaela owns clarifying). This document defines one of the Participation Key Indicators, namely, the #PKI-1 = "increase rate of the external participation", For a full list, see [[PKI]].
  • Strategic Plan Item(s) -- 1.ix Develop and implement an OSCAL Communication, Education & Participation Plan by 1/31/23 designed to grow program (simple and accessible) and targeted to multiple interested parties (developers, users, etc.) w/ defined hand-offs. -- 1.ix.a - Define what stakeholders should be educated on by 1/31/23, execute and measure success – on-going. Type of meetings A. Based on Delivery Model 1- Organized by NIST OSCAL Team and opened to the public 2- Organized by the community (e.g. Mid-Atlantic OSCAL Meetup) 3- Requested by organizations and delivered to members of the requesting entity.
  • NOTE: This is a draft of the OSCAL Gold Medal Award announcement combined with the key point of the strategic plan of NIST intention of evolving OSCAL from a project to a program that aims to rapidly grow and become sustainable through the community’s broader engagement. The announcement can be distributed via email, go on our website and posted on social media by NIST. The management and possibly PA approvals might be necessary. NIST OSCAL Team's Commitment Over the past years, OSCAL emerged as a research project aiming to deliver, through collaboration with GSA/FedRAMP and the industry, a machine-readable language expressed in XML, JSON and YAML able to represent control catalogs, control baselines, system security plans, and assessment plans and results. OSCAL was managed as an initiative loosely coordinated and run from within two groups within the Computer Security Division (CSD) of ITL. The OSCAL team's dedication and hard work resulted in the development and rapid adoption of the Open Security Controls Assessment Language which "is already solving foundational problems that stymied even the simplest data sharing and compliance automation, like consistent identifiers for organizational defined parameters. Importantly, the establishment of an open, government-backed standard has both forced and elevated critical conversations long needed around enabling the exchange of compliance data and compliance automation." (Greg Elin, Principal OSCAL Engineer, RegScale)
  • Problem Statement In the SSP/Statements/By Component structure, there are some inconsistencies across docs. If one looks at the schema page: https://pages.nist.gov/OSCAL/reference/latest/system-security-plan/json-reference/#/system-security-plan/control-implementation/implemented-requirements/statements/by-components …it references that here you “Define how the referenced component implements a set of controls.” If the system has a Firewall Appliance component, then the SSP/Statements/By Component->”this system” will have the SC-7 implemented by the respective component Firewall and can document so, and then the SSP/Statements/By Component->”firewall appliance” component of the same SSP will describe the controls the appliance implements, like AC-3 needed to secure the appliance.
  • Meeting #1 Date: 02/07/2023 Agenda Discuss and identify best practice for balancing recording of team member’s thoughts related to issues (for transparency with the community) and minimization of lengthy contradictory discussions. Discuss - Draft decision record for the issue #1496 – see below (40 min) Conclusions and next steps summary How do we achieve a balance between providing feedback, being curious, allowing others to express their point of view and avoiding ‘destructive discussions’. (10 min) Details
  • When and How to Join: January 23 - Feb 6, 2023 (weekly, on Monday at 4:30PM) Microsoft Teams - click to join Meeting ID: 245 114 034 644 Passcode: zwSmPF Or call in (audio only) +1 443-339-4347,,497397922# February 7 - June, 2023 (bi-weekly, on Monday at 4:30PM)
  • When and How to Join: January 25, 2023, Wednesday, 11:00 AM Microsoft Teams - click to join Meeting ID: 239 923 148 191 Passcode: zsW6tE Or call in (audio only) +1 443-339-4347,,175307137# January 30 - April 6, 2023 (weekly, on Monday at 1:00PM) Microsoft Teams - click to join Meeting ID: 224 063 653 399