Controls Assessment Automation Workflows
Dmitry Cousin edited this page Jun 25, 2024
```mermaid
sequenceDiagram
    participant OSCAL Catalog
    participant OSCAL Profile
    participant OSCAL Resolved Profile
    box rgb(0, 0, 33) Assessment Lifecycle
    participant SSP (System Security Plan)
    participant SAP (Security Assessment Plan)
    actor Assessor
    participant ASSESSED SYSTEM
    participant SAR (Security Assessment Results)
    participant PoAM (Plan of Actions and Milestones)
    end
    participant Authorization Package
    opt Catalog Controls Tailoring
    OSCAL Catalog-->>OSCAL Profile: Select the Controls
    OSCAL Catalog-->>OSCAL Profile: Tailor the Controls
    OSCAL Profile-->>OSCAL Profile: Tailor the Controls
    OSCAL Profile-->>OSCAL Resolved Profile: Resolve Profile
    end
    OSCAL Resolved Profile-->>SSP (System Security Plan): Generate SSP
    loop Iterative Assessment Process
    SSP (System Security Plan)->>SSP (System Security Plan): Define and Set Assessment and Validation Policies
    SSP (System Security Plan)->>SAP (Security Assessment Plan): Generate SAP
    SAP (Security Assessment Plan)->>SAP (Security Assessment Plan): Specifies How to Assess
    SSP (System Security Plan)->>Assessor: Uses SSP
    SAP (Security Assessment Plan)->>Assessor: Uses SAP
    Assessor->>ASSESSED SYSTEM: Assess According to Plan (SAP & SSP)
    Assessor->>SAR (Security Assessment Results): Describes Assessment Failures (Results) in SAR
    Assessor->>PoAM (Plan of Actions and Milestones): Documents Findings Based on SAR in PoAM
    %% loop rgb(255,0,0) Aggregate Findings
    loop Aggregate Findings
    SSP (System Security Plan)->>+Authorization Package: Aggregated into AP (Authorization Package)
    SAP (Security Assessment Plan)->>Authorization Package: Aggregated into AP (Authorization Package)
    SAR (Security Assessment Results)->>Authorization Package: Aggregated into AP (Authorization Package)
    PoAM (Plan of Actions and Milestones)->>Authorization Package: Aggregated into AP (Authorization Package)
    deactivate Authorization Package
    end
    note left of Authorization Package: Repeat 1...∞
    Authorization Package->>SSP (System Security Plan): Loop Back
    end
```
The general workflow part of the assessment aims to automate some of the Assessor's interactions with the SAP, SAR, PoAM, and SSP.
```mermaid
sequenceDiagram
    participant Assessment Automation
    participant GitHub
    box purple AWS-Services
    participant EC2
    participant AMB
    participant Cognito
    %% participant S3 Trigger
    end
    loop Logical Information Flow
    Assessment Automation-->>EC2: What SSP/SAP/SAR/PoAM Questions about the System Can We Answer? <br />Automatically via Python Script
    Assessment Automation-->>EC2: What SSP/SAP/SAR/PoAM Questions about the System Can We Answer? <br />Automatically via AWS Command
    Assessment Automation-->>EC2: What SSP/SAP/SAR/PoAM Questions about the System Can We Answer? <br />Automatically via Docker-Exec Command
    Assessment Automation-->>AMB: What SSP/SAP/SAR/PoAM Questions about the System Can We Answer? <br />Automatically via Python Script
    Assessment Automation-->>AMB: What SSP/SAP/SAR/PoAM Questions about the System Can We Answer? <br />Automatically via AWS Command
    Assessment Automation-->>AMB: What SSP/SAP/SAR/PoAM Questions about the System Can We Answer? <br />Automatically via Docker-Exec Command
    end
```
```mermaid
sequenceDiagram
    participant Assessment
    participant GitHub
    box purple AWS-Services
    participant EC2
    participant AMB
    participant Cognito
    participant S3 Trigger
    end
    loop Functional Implementation
    GitHub ->> S3 Trigger: Information Request File Placed on S3
    S3 Trigger --) EC2: Spin up EC2 with AMB
    EC2 ->> EC2: Query Policy-Roles/ChainCode Users/AWS-Cognito/AMB
    GitHub ->> EC2: Pull Repo
    EC2 ->> GitHub: Checkout Predesignated Repo Branch
    alt Query Requested Information
    EC2 ->> AMB: Query Block-Chain Transactions
    EC2 ->> AMB: Query AMB Users
    EC2 ->> EC2: Query Policy
    EC2 ->> Cognito: Query Dashboard Users
    end
    EC2 ->> EC2: Make Changes to Pre-Agreed File(s)
    EC2 ->> EC2: Commit with File Reference in the Commit Comment
    EC2 ->> GitHub: Push the Updates to the Mother-Ship
    GitHub -->> GitHub: Trigger GH-ACTION and Inspect the Commit
    GitHub -->> GitHub: Run Post-Process GH-ACTION(S) if Needed
    end
```
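As an added example (not code from this project), the EC2-side step of the Functional Implementation diagram: constructed query results are turned into OSCAL-style SAR findings and PoAM items, written only to pre-agreed files, and the commit comment carries the file references that the GitHub Action then inspects. The control ids, the check predicates, the file paths and the commit-message format are assumptions for illustration; the `target.status.state` and `related-findings` keys follow the OSCAL assessment-results and POA&M layouts but are not a full schema.

```python
"""Constructed example: query results -> SAR findings + PoAM items -> commit message
that references the changed files, plus the check the GH Action runs on that message."""
import json
import re
import uuid

# Constructed sample of the queries the EC2 instance runs (AMB users, Cognito
# dashboard users). In the real workflow these come from AWS CLI / Python calls.
QUERY_RESULTS = {
    "amb_users": [{"name": "ledger-admin", "mfa": True}, {"name": "ops-bot", "mfa": False}],
    "cognito_users": [{"name": "dash-admin", "mfa": True}],
}

# Hypothetical checks keyed by a control id from the resolved profile (assumption).
CHECKS = {
    "ia-2.1": lambda r: all(u["mfa"] for u in r["amb_users"] + r["cognito_users"]),
    "ac-2": lambda r: len(r["amb_users"]) + len(r["cognito_users"]) <= 10,
}

def assess(results, checks=CHECKS):
    """Run each check; emit an OSCAL-style finding per control and a PoAM item
    for every finding whose target state is not-satisfied."""
    findings, poam_items = [], []
    for control_id, check in checks.items():
        state = "satisfied" if check(results) else "not-satisfied"
        finding = {"uuid": str(uuid.uuid4()), "title": f"Automated check for {control_id}",
                   "target": {"type": "objective-id", "target-id": control_id,
                              "status": {"state": state}}}
        findings.append(finding)
        if state == "not-satisfied":
            poam_items.append({"uuid": str(uuid.uuid4()), "title": f"Remediate {control_id}",
                               "related-findings": [{"finding-uuid": finding["uuid"]}]})
    return findings, poam_items

def write_artifacts(findings, poam_items, sar_path="oscal/sar.json", poam_path="oscal/poam.json"):
    """Return {pre-agreed path: JSON text}; the caller writes the files before committing."""
    return {sar_path: json.dumps({"findings": findings}, indent=2),
            poam_path: json.dumps({"poam-items": poam_items}, indent=2)}

COMMIT_RE = re.compile(r"^assessment: update (?P<files>\S+(?:, \S+)*)$")

def commit_message(changed_paths):
    """Commit comment carrying the file references (assumed format)."""
    return "assessment: update " + ", ".join(sorted(changed_paths))

def inspect_commit(message, allowed=("oscal/sar.json", "oscal/poam.json")):
    """GH Action side: accept the bot commit only if every referenced file is pre-agreed."""
    m = COMMIT_RE.match(message)
    if not m:
        return False, []
    files = m.group("files").split(", ")
    return all(f in allowed for f in files), files
```

The post-process action can additionally diff the commit against the referenced list, so a push that touches anything beyond the pre-agreed files (workflow definitions, for instance) is rejected rather than merged.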