
Controls Assessment Automation Workflows

Dmitry Cousin edited this page Jun 25, 2024 · 1 revision

Life-Cycle of OSCAL Application (Single System "non-Leveraged" Assessment)

```mermaid
sequenceDiagram

    participant Catalog as OSCAL Catalog
    participant Profile as OSCAL Profile
    participant Resolved as OSCAL Resolved Profile

    box rgb(0, 0, 33) Assessment Lifecycle

        participant SSP as SSP (System Security Plan)
        participant SAP as SAP (Security Assessment Plan)

        actor Assessor
        participant System as ASSESSED SYSTEM

        participant SAR as SAR (Security Assessment Results)
        participant PoAM as PoAM (Plan of Actions and Milestones)

    end
    participant AP as Authorization Package


    opt Catalog Controls Tailoring
        Catalog-->>Profile: Select the controls
        Catalog-->>Profile: Tailor the controls
        Profile-->>Profile: Tailor the controls
        Profile-->>Resolved: Resolve profile
    end

    Resolved-->>SSP: Generate SSP

    loop Iterative Assessment Process
        SSP->>SSP: Define and set assessment and validation policies
        SSP->>SAP: Generate SAP
        SAP->>SAP: Specifies how to assess

        SSP->>Assessor: Uses SSP
        SAP->>Assessor: Uses SAP
        Assessor->>System: Assess according to plan (SAP & SSP)
        Assessor->>SAR: Records assessment results (including failures) in SAR
        Assessor->>PoAM: Documents SAR findings that need remediation in PoAM


        %% loop rgb(255,0,0) Aggregate Findings
        loop Aggregate Findings

            SSP->>+AP: Aggregated into Authorization Package
            SAP->>AP: Aggregated into Authorization Package
            SAR->>AP: Aggregated into Authorization Package
            PoAM->>AP: Aggregated into Authorization Package
            deactivate AP
        end
        note left of AP: Repeat 1...∞
        AP->>SSP: Loop back for the next assessment cycle

    end
```

The general-workflow part of the assessment tries to automate some of the Assessor's interactions with the SSP, SAP, SAR, and PoAM.

Automation Information Request Logic

```mermaid
sequenceDiagram

    participant Automation as Assessment Automation
    participant GitHub

    box purple AWS-Services
        participant EC2
        participant AMB
        participant Cognito
        %% participant S3 Trigger
    end


    loop Logical Information Flow
        Automation-->>EC2: Which SSP/SAP/SAR/PoAM questions about the system can we answer<br />automatically via a Python script?
        Automation-->>EC2: Which SSP/SAP/SAR/PoAM questions about the system can we answer<br />automatically via an AWS CLI command?
        Automation-->>EC2: Which SSP/SAP/SAR/PoAM questions about the system can we answer<br />automatically via a docker exec command?

        Automation-->>AMB: Which SSP/SAP/SAR/PoAM questions about the system can we answer<br />automatically via a Python script?
        Automation-->>AMB: Which SSP/SAP/SAR/PoAM questions about the system can we answer<br />automatically via an AWS CLI command?
        Automation-->>AMB: Which SSP/SAP/SAR/PoAM questions about the system can we answer<br />automatically via a docker exec command?
    end
```
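As an added example (not code from this project), the Python below shows what happens to an automatically answered question once an executor has returned it: each answer becomes an OSCAL observation carrying its evidence, observations roll up into one finding per control, and every not-satisfied finding becomes a PoAM item, which is the SAR to PoAM step of the lifecycle diagram above. The information-request format, the `forbidden`-value pass/fail rule, the question and control IDs, the evidence paths and the sample answers are all constructed for illustration; the field names follow the OSCAL 1.1 assessment-results and POA&M JSON models as I read them (check them against the schema version you validate with).

```python
"""Turn automatically collected answers into OSCAL assessment-results content.

Added example (not the project's code). The information-request format, the
"forbidden" pass/fail rule and the sample answers are constructed for
illustration; field names follow the OSCAL 1.1 assessment-results and POA&M
JSON models (assumption: verify against the schema version you use).
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed information-request file: one entry per question the automation
# can answer, which OSCAL artefact it feeds, and which executor answers it.
INFO_REQUEST = {
    "questions": [
        {"id": "q-cognito-users", "artifact": "SAR", "executor": "python", "control": "ac-2",
         "text": "Which users can sign in to the dashboard (Cognito user pool)?",
         "forbidden": ["root"]},
        {"id": "q-amb-chaincode-users", "artifact": "SAR", "executor": "aws-cli", "control": "ac-2",
         "text": "Which identities may invoke chaincode on the AMB network?",
         "forbidden": ["anonymous"]},
        {"id": "q-ec2-role-policies", "artifact": "SSP", "executor": "docker-exec", "control": "ac-6",
         "text": "Which managed policies are attached to the EC2 instance role?",
         "forbidden": ["AdministratorAccess"]},
    ]
}

# Constructed answers standing in for real EC2 / AMB / Cognito query output.
SAMPLE_ANSWERS = {
    "q-cognito-users": ["alice", "bob", "svc-assessor"],
    "q-amb-chaincode-users": ["admin", "peer1-user"],
    "q-ec2-role-policies": ["AmazonManagedBlockchainReadOnlyAccess", "AdministratorAccess"],
}


def make_observation(question, answer, evidence_href, collected=None):
    """One OSCAL observation: what was asked, how it was answered, raw evidence."""
    collected = collected or datetime.now(timezone.utc)
    return {
        "uuid": str(uuid.uuid4()),
        "title": question["text"],
        "description": f"Collected automatically via {question['executor']}.",
        "methods": ["TEST"],  # an automated query, not EXAMINE or INTERVIEW
        "props": [
            {"name": "question-id", "value": question["id"]},
            {"name": "target-artifact", "value": question["artifact"]},
        ],
        "relevant-evidence": [{"href": evidence_href,
                               "description": json.dumps(answer, sort_keys=True)}],
        "collected": collected.isoformat(),
    }


def violations(question, answer):
    """Hypothetical rule: any forbidden value in the answer fails the control."""
    return sorted(set(answer) & set(question.get("forbidden", [])))


def make_finding(control_id, observations, failed_values):
    """One finding per control, linked back to the observations it rests on."""
    state = "not-satisfied" if failed_values else "satisfied"
    return {
        "uuid": str(uuid.uuid4()),
        "title": f"Automated check of {control_id}",
        "description": (f"Forbidden values present: {failed_values}" if failed_values
                        else "No forbidden values observed."),
        "target": {"type": "objective-id", "target-id": f"{control_id}_obj",
                   "status": {"state": state}},
        "related-observations": [{"observation-uuid": o["uuid"]} for o in observations],
    }


def make_poam_item(finding):
    """Every not-satisfied finding becomes a PoAM item that references it."""
    return {
        "uuid": str(uuid.uuid4()),
        "title": f"Remediate: {finding['title']}",
        "description": finding["description"],
        "related-findings": [{"finding-uuid": finding["uuid"]}],
    }


def build_results(request, answers, evidence_base="evidence/"):
    """Observations -> findings (one per control) -> PoAM items."""
    observations, by_control, failed = [], {}, {}
    for q in request["questions"]:
        if q["id"] not in answers:  # unanswered questions remain manual Assessor work
            continue
        obs = make_observation(q, answers[q["id"]], f"{evidence_base}{q['id']}.json")
        observations.append(obs)
        by_control.setdefault(q["control"], []).append(obs)
        failed.setdefault(q["control"], []).extend(violations(q, answers[q["id"]]))
    findings = [make_finding(c, obs, failed[c]) for c, obs in sorted(by_control.items())]
    poam_items = [make_poam_item(f) for f in findings
                  if f["target"]["status"]["state"] == "not-satisfied"]
    return {"observations": observations, "findings": findings, "poam-items": poam_items}


if __name__ == "__main__":
    print(json.dumps(build_results(INFO_REQUEST, SAMPLE_ANSWERS), indent=2))
```

Questions with no answer are deliberately left out rather than marked satisfied: the automation only records what it could actually collect, and the gap stays visible to the Assessor as work to do by hand.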

Information-Flow Functional Design

```mermaid
sequenceDiagram

    participant Assessment
    participant GitHub

    box purple AWS-Services
        participant EC2
        participant AMB
        participant Cognito
        participant S3 as S3 Trigger
    end


    loop Functional Implementation
        GitHub ->> S3: Information-request file placed on S3
        S3 --) EC2: Spin up EC2 with AMB
        EC2 ->> EC2: Query policy roles / chaincode users / AWS Cognito / AMB
        GitHub ->> EC2: Pull repo
        EC2 ->> GitHub: Check out the predesignated branch

        alt Query Requested Information
            EC2 ->> AMB: Query blockchain transactions
            EC2 ->> AMB: Query AMB users
            EC2 ->> EC2: Query policy
            EC2 ->> Cognito: Query dashboard users
        end

        EC2 ->> EC2: Make changes to the pre-agreed file(s)
        EC2 ->> EC2: Commit with the file reference in the commit message
        EC2 ->> GitHub: Push the updates to the upstream ("mother-ship") repo
        GitHub -->> GitHub: Trigger GH Action and inspect the commit
        GitHub -->> GitHub: Run post-process GH Action(s) if needed
    end
```
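The last two steps of the diagram are the trust boundary of this design: the EC2 instance holds credentials that can push to the repository, so a misbehaving or compromised instance could change anything in it, including the workflow files that run the post-processing. The GH Action that inspects the commit is therefore the gate. As an added example, not the project's own Action, the following Python implements that inspection as a pure function over what the Action would read from `git show --name-only` and `git log -1`: the allow-list of pre-agreed files, the bot identity, the `[file: ...]` commit-message convention, the expected OSCAL top-level keys and the two sample commits are all constructed for illustration.

```python
"""Gate an automation commit before any post-processing runs.

Added example, not the project's GitHub Action. It implements the "inspect the
commit" step over data the Action would obtain from git; the allow-list, bot
identity, message convention and sample commits are constructed assumptions.
"""
import json
import re
from dataclasses import dataclass, field

# Pre-agreed files the EC2 automation may touch (assumed repository layout).
ALLOWED_FILES = {"oscal/ssp.json", "oscal/sar.json", "oscal/poam.json"}
BOT_AUTHOR = "assessment-automation[bot]"  # assumed committer identity
EXPECTED_ROOTS = {                          # top-level key each OSCAL file must carry
    "oscal/ssp.json": "system-security-plan",
    "oscal/sar.json": "assessment-results",
    "oscal/poam.json": "plan-of-action-and-milestones",
}
FILE_REF = re.compile(r"\[file:\s*([^\]]+)\]")  # "[file: oscal/sar.json]" in the message


@dataclass
class Commit:
    author: str
    message: str
    changed_files: list
    contents: dict = field(default_factory=dict)  # path -> file text after the commit


def inspect_commit(commit):
    """Return the reasons to reject the commit; an empty list means it passes."""
    problems = []
    if commit.author != BOT_AUTHOR:
        problems.append(f"unexpected author {commit.author!r}")
    changed = set(commit.changed_files)
    # Anything outside the agreed set, workflow files above all, is rejected.
    for path in sorted(changed - ALLOWED_FILES):
        problems.append(f"{path} is not a pre-agreed file")
    referenced = {m.strip() for m in FILE_REF.findall(commit.message)}
    for path in sorted(changed - referenced):
        problems.append(f"{path} changed but not referenced in commit message")
    for path in sorted(referenced - changed):
        problems.append(f"{path} referenced in commit message but not changed")
    # Agreed files must still be well-formed OSCAL JSON of the expected kind.
    for path in sorted(changed & ALLOWED_FILES):
        try:
            doc = json.loads(commit.contents.get(path, ""))
        except json.JSONDecodeError as exc:
            problems.append(f"{path} is not valid JSON: {exc.msg}")
            continue
        if not isinstance(doc, dict) or EXPECTED_ROOTS[path] not in doc:
            problems.append(f"{path} lacks top-level {EXPECTED_ROOTS[path]!r}")
    return problems


# Constructed sample commits: one that should pass, one that should not.
GOOD_COMMIT = Commit(
    author=BOT_AUTHOR,
    message="Automated SAR update [file: oscal/sar.json]",
    changed_files=["oscal/sar.json"],
    contents={"oscal/sar.json": json.dumps(
        {"assessment-results": {"uuid": "00000000-0000-4000-8000-000000000000"}})},
)
BAD_COMMIT = Commit(
    author=BOT_AUTHOR,
    message="Automated update [file: oscal/sar.json]",
    changed_files=["oscal/sar.json", ".github/workflows/post-process.yml", "oscal/poam.json"],
    contents={
        "oscal/sar.json": "{not json",
        "oscal/poam.json": json.dumps({"plan-of-action-and-milestones": {}}),
        ".github/workflows/post-process.yml": "on: push\n",
    },
)


if __name__ == "__main__":
    for name, commit in (("good", GOOD_COMMIT), ("bad", BAD_COMMIT)):
        problems = inspect_commit(commit)
        print(name, "OK" if not problems else "REJECTED: " + "; ".join(problems))
```

Run it as the first job of the workflow, triggered only on the predesignated branch, and fail the job on any returned problem so the post-process actions never execute on a rejected commit; branch protection that forbids the bot from pushing to any other branch closes the remaining gap.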