Research use of a Customer Responsibility Matrix (CRM) model for control element content.

[Compton-US]

Identify a few test data sets, and how they would utilize the proposed CRM model outline from OSCAL/issues/722.

Goals:

• Identify a few sources of test data sets to use for demonstration.
• Demonstrate the application of the outline from OSCAL/issues/722.
• Identify potential issues, or improvements that should be made to support modeling CRM content.

Dependencies:

N/A

Related Issues:

• Customer Responsibility and Inheritance - Export Mechanism #722
• Customer Responsibility Matrix (CRM) Transform #713 (Closed and transitioned to Customer Responsibility and Inheritance - Export Mechanism #722)

Acceptance Criteria

• A document is produced that demonstrates the concept with test data.

[Compton-US]

Sharing what I have so far.

Summary

There is a desire to produce a model that can be used to represent the Customer Responsibility Matrix (CRM) or Shared Security Responsibility Matrix (SSRM) documents. In order to encompass both cases, I will refer to this as a Responsibility Matrix Model.

The System Security Plan and Component Definition models contain attributes that support the communication of information related to implementation of controls, the status of the implementation and assignment of responsibility to roles. These data address how requirements are satisfied, but lack attributes that support communicating to another party what the remaining responsibilities are for a particular system, component and/or control.

If the System Security Plan and Component Definition supported the ability to define this responsibility, and the requirements to be passed to other entities, it would likely address the gap that appears to exist for producing a responsibility matrix from these two models.

Document Review

After review of four publicly accessible CRM documents, the following fields were common to each:

Field	Description	Sample
Control ID	Typically the identifier of a control imported from a catalog of controls (e.g. NIST 800-53).	AC-8, CP-8
Control Name	Typically the name/title of a control imported from a catalog of controls (e.g. NIST 800-53).	System Use Notification
Control Description	Typically the description of a control imported from a catalog of controls (e.g. NIST 800-53).	See 800-53 Catalog
Control Origination (Ownership/Responsibility)	Assigns responsibility for a control.	Provider, Shared, Customer
Implementation Model/Entity	Assigns the responsibility for the defined implementation detail to a group or entity.	IaaS, PaaS, SaaS, Customer Provided
Implementation Details	This is a narrative field that outlines the manner and context of implementation of a control's requirements.	Variable prose, may contain paragraphs
Implementation Status	Indicates the extent of progress for a control's implementation.	Implemented, Partially Implemented, Planned, Alternative
Implementation Requirement (Responsibility)	Outlines the required customer actions to address the requirement, or a portion of a requirement when the implementation is a shared responsibility.	Variable prose, may contain paragraphs
Inheritable	Indicates whether the control is inheritable.	Yes, No, Partial
Baseline	Indicates the level of baseline that a control can address. (e.g., FedRAMP)	Low, Moderate, High
Baseline Entity/Framework	While the "Baseline" most relates to FedRAMP, this could relate to other regulatory frameworks	FedRAMP

Impressions:

• Most of the fields above are supported by existing attributes in the models.
• Inheritable and Baselines are likely not necessary. These seems addressable through profiles as a part of the OSCAL workflow.
• Implementation Model/Entity and Implementation Requirement are likely not fully addressed within the current model attributes in the context of communicating to one of more inheriting entities when implementation actions must be performed to fully satisfy a security control.
• In many cases, narrative fields such as implementation requirement repeat the same content for multiple controls in a category, for example, "The customer is responsible for appropriately terminating customer personnel."

Potential Use Case Examples

Direct

In the first case, consider a responsibility that is passed directly from the provider to customer.

The data could be similar to:

Field	Value
Control ID	PE-11
Control Name	Emergency Power
Control Description	Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system; transition of the system to long-term alternate power] in the event of a primary power source loss.
Control Origination (Ownership/Responsibility)	Provider
Implementation Model/Entity	IaaS
Implementation Details	The infrastructure is supported by multiple uninterruptible power supplies, and a redundant backup generator system capable of continuous operation for an extended period of time.
Implementation Status	Implemented
Implementation Requirement (Responsibility)	Customers do not have physical access to any system resources in Provider datacenters. Customer fully inherits this control from the Cloud Service Provider (CSP).
Inheritable	Yes
Baseline	Moderate
Baseline Entity/Framework	FedRAMP

Shared

In the second case, consider a responsibility that is passed from a cloud service provider to a managed service provider, and finally to the customer.

The goal of this example is to show information that may need to be documented through some level of shared responsibility. This scenario presents a situation where an organization operates cloud-based systems for customers who focus solely on developing and maintaining applications. This also demonstrates how a customer could understand how responsibilities are addressed for a control, and provides a mechanism to further delegate responsibility to subordinates.

Field	Value
Control ID	SI-4(d) (Statement)
Control Name	System Monitoring
Control Description	Analyze detected events and anomalies
Control Origination (Ownership/Responsibility)	Shared
Inheritable	Partial
Baseline	Low
Baseline Entity/Framework	FedRAMP

Cloud Service Provider (IaaS)

The Cloud Service Provider states the baseline implementation and the overall responsibilities that must be met to fully address the control. In this case, a distinction is not made for entities that will inherit the control, or what portion of responsibility is assigned to each inheriting entity.

Field	Value
Implementation Model/Entity	IaaS
Implementation Details	Provider implements portions of this control for IaaS and PaaS customers. Servers upload logs to a log monitoring tool and the audit logging process for aggregation and analysis. Access to tool and the audit logging process is restricted as specified in the AU family of controls, specifically AU-9. Provider Infrastructure devices are configured to upload their logs to a central repository managed by the Provider Security team. Access to manage the security incident and event management tool used with the Infrastructure is limited to authorized personnel. These personnel are members of a security incident management team.
Implementation Status	Implemented
Implementation Requirement (Delegated Responsibility)	The customer is responsible for monitoring customer-deployed resources. The customer control implementation statement should address the protection of intrusion-monitoring tool information from unauthorized access, modification, and deletion.

Managed Service Provider (PaaS)

In this scenario, the Managed Service Provider is presumed to operate services on behalf of the customer. The MSP provides monitoring services for the platform, but not for customer developed applications. The MSP assumes a portion of the Implementation Requirement from the IaaS, and delegates responsibility for application monitoring.

Field	Value
Implementation Model/Entity	PaaS
Implementation Details	Monitors customer-deployed resources for events. Access to events are limited to authorized personnel. The platform management team reviews alerts and logs as events are reported to the customer, and conducts daily analysis.
Implementation Status	Implemented
Implementation Requirement (Delegated Responsibility)	Application owners are responsible for monitoring their application logs for signs of unauthorized activity according to laws and regulations, and applying heightened scrutiny when there is an indication of increased risk.

Customer (Application Owner)

The customer addresses the application monitoring requirement, and while it wouldn't be required, it could also document responsibilities within the organization for an internal responsibility matrix utilized by a development team or business unit. This could be useful for developing a Component Definition for a service or application.

Field	Value
Implementation Model/Entity	Application Owner
Implementation Details	Application and service monitoring must be provided by the development team, and incidents reported within one hour of discovery to the Information Security Officer. Access to events are limited to authorized personnel.
Implementation Status	Planned
Implementation Requirement (Delegated Responsibility)	Application logs are reviewed daily by approved members of the development team, and suspicious events are reported to the Information Security Officer.

[Compton-US]

Additional Context: Will need to consider instances of a control under the shared use case.