The National Institute of Standards and Technology hosted on Tuesday, March 1st, and Wednesday, March 2nd, 2022, the third workshop in the series focusing on the Open Security Controls Assessment Language (OSCAL).
Setting the foundation for security automation, with particular focus on the continuous authorization to operate (ATO) processes and continuous monitoring, OSCAL provides machine-readable representations of control catalogs, control baselines or profiles, system security plans, assessment plans, assessment results, and plan of actions and milestones, in a set of formats expressed in XML, JSON, and YAML.
Day one of the workshop will highlight OSCAL 1.0.0 layers and models, with the goal to familiarize the audience with the OSCAL architecture, formats, how these models can be used to support security assessment automation, continuous monitoring, continuous ATO and development, security and operations (DevSecOps). Additionally, the audience will be introduced to the NIST SP 800-53 (Rev4 and Rev5) catalogs, assessment objectives, and associated baselines in OSCAL.
Day two of the workshop will explore OSCAL-based automation solutions, starting with the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office’s (PMO) efforts to digitalize authorization packages submitted in OSCAL, will present FedRAMP’s updated OSCAL resources that include a comprehensive set of guides for additional deliverables.
Based on the responses received to our Call for Proposals (see below), NIST’s team was able to organize an inspiring event that demonstrates OSCAL's international adoption and brings in front of our audience some of the most prestigious names that share the same passion for new advancements in security automation. A complete list of speakers and their bio (in the order of their scheduled talks) can be found here.
The OSCAL project and this workshop series are aligned with NIST’s mission of promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST works to maximize its impact and mission fulfillment by positioning itself to anticipate future technology trends and develop the most important measurements and standards products that are aligned with industry drivers and needs.
The workshop will provide attendees an opportunity to familiarize themselves and build skills in the development and use of OSCAL. We encourage developers of control-oriented security tools and organizations that want to use or create OSCAL-based information, to register and attend the workshop.
Who should attend:
- Leaders in digital transformation and security automation from the government, private, and academic sectors;
- Vendors of security automation tools who are considering implementing OSCAL formats in their tools;
- Participants in standard development organizations focusing on developing and publishing control catalogs and baselines;
- System owners from the government, private, and academic sectors, who want to streamline the documentation of controls used in their information systems.
RECORDED TALKS AND DEMOS
PRESENTATIONS (SLIDES)
March 1, 2022:
Welcome, Introduction and Administrative issues (no slides) - video:D1,Part1
Matthew Scholl, Chief, Computer Security Division, NIST
Visionary Keynote (no slides) - video: D1,Part1(T09:47)
André Mendez, CIO, DoC
Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST
David Waltermire, OSCAL Technical Director, NIST
Zach Baldwin, Program Manager for Strategy, Innovation, and Technology, FedRAMP, GSA
Gary Gapinski, Security and XML Engineer, Flexion Inc.
Thomas Volpe Sr., CIO, VITG Inc.
Parallel Tracks
Alexander (AJ) Stein, OSCAL team member, NIST
Dr. Wendell Piez, OSCAL team member, NIST
Jasson Walker, President, cFocus Software
Ray Gauss, Director of Innovation, Easy Dynamics
Dr. Wendell Piez, OSCAL team member, NIST
Jasson Walker, President, cFocus Software
Gaurav (GP) Pal, Principal/SME, StackArmorMartin Rieger, Chief Solutions Officer, StackArmor
Alexander (AJ) Stein, OSCAL team member, NIST
Nikita Wootten, OSCAL team member, NIST
Victoria Pillitteri, Group Manager, ITL/CSD, NIST
Jasson Walker, President, cFocus Software
March 1, 2022:
Opening Remarks (no slides) - video:D2,Part1
Dr. Michaela Iorga, OSCAL Strategic Outreach Director, NIST
Anca Sailer, SME, STSM, IBM Research
Vikas Agarwal, Ph.D., Senior Researcher, SME, IBM Research
Lou DeGenaro, Senior Engineer, IBM Research
Dr. Jesus Luna Garcia, Bosch, Germany
Matthew Donkin, SME, AWS
Douglas Boldt, Solutions Architect, AWS
Ramon Burks, CSS Assistant Director, DoJ/CSAM
Adam Oline, Technical Lead, CyberBalance, LLC, DoJ/CSAM
Parallel Tracks
Nikita Wootten, OSCAL team member, NIST
Max Aulakh, Managing Director, Ignyte Assurance Platform
Valinder Mangat, CIO, DRT Strategies
Track 4: Entertainment – NIST documentaries
J. Travis Howerton, Co-Founder and CTO, RegScale
Jet Ryan, XACTA Solutions Architect, Telos
Anca Sailer, SME, STSM, IBM Research
Jaya Ramanathan, Ph.D., Chief Security and Governance Architect, Red Hat
Jim Bugwadia, CEO, NirmataRobert Ficcaglia, CTO, SunStone Secure
Adam Brand, Managing Director, KPMG
Thomas Nash, Director, KPMG
Vikas Khosla, Chief Digital Health Officer, Intraprise Health
Conner Phillippi, Senior Compliance Solutions Manager, Product Manager, Secureframe
Apostolos Delis, Software Engineer, Secureframe
David Waltermire, OSCAL Technical Director, NIST
Closing Remarks and Adjourn (no slides) - video:D2,Part4(T50:02)
Matthew Scholl, Chief, Computer Security Division, NIST
CALL FOR PROPOSALS - CLOSED
The 2022 NIST OSCAL Workshop program committee is seeking timely, topical, and thought-provoking presentations or demonstrations highlighting OSCAL-based security assessment automation processes or Governance Risk and Compliance (GRC) tools supporting OSCAL formats for integration into such processes.
We encourage proposals from a diverse array of organizations and individuals with different perspectives, from the public and private sectors, international bodies, assessment and authorization (A&A), or certification and authorization (C&A) providers.
Submissions must incorporate, in addition to the title, speaker information (bio and photo), a brief abstract, and proof of OSCAL support or integration into the tool, process, or solution.
Proposals will be evaluated and selected based on the quality of the written proposal, the topic proposed the proof of OSCAL integration.
Submission Deadline: midnight, EST, January 31, 2022.
Submit your proposal via email to oscal2022@nist.gov, with the subject line: “OSCAL 2022 CFP”.
Accepted Proposals Notification: no later than midnight, EST, February 16, 2022.
TECHNICAL POC
Dr. Michaela Iorga
michaela.iorga@nist.gov
Links to previous OSCAL workshops from this series:
2019: Open Security Controls Assessment Language (OSCAL) Workshop
2021: 2nd Open Security Controls Assessment Language (OSCAL) Workshop
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
