Versions Compared

Version Old Version 5 New Version 6
Changes made by

Jay Hill (Unlicensed)

Jay Hill (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleGoals

What does success look like? What metrics can we effect and why it is important to affect those metrics?

Goal

Metric

Why Important?

Automate an end-to-end process to capture all STIG content (approximately 457 documents), perform ETL, and load into the UCF in common data format.

All 457 STIGs, as Authority Documents, are available for customer consumption via API from the UC 4.0 API Gateway

All Citations as part of the 457 STIGs are available for customer consumption via API from the UC 4.0 API Gateway

All Glossaries with term-definition pairs as they related to the 457 STIGs are available for customer consumption via API from the UC 4.0 API Gateway

STIGs sit at the intersection of Sec Ops and GRC. Organizations need to harden their security posture with DoD approved security measures that are in alignment with the software and hardware vendors.

IT departments will utilize a variety of software and hardware in their data centers. UC needs to maximize the breadth of STIG coverage to ensure can match as many IT assets as possible.

Automate an end-to-end process to capture all NIST - 800-53 content (approximately 36 files with a mixture of json, yaml, and xml documents), perform ETL, and load into the UCF in common data format.

All NIST-800-53 content, as Authority Documents, are available for customer consumption via API from the UC 4.0 API Gateway

All Citations as part of the NIST-800-53 documents are available for customer consumption via API from the UC 4.0 API Gateway

All Glossaries with term-definition pairs as they related to the NIST-800-53 content are available for customer consumption via API from the UC 4.0 API Gateway

NIST 800-53 helps IT departments implement proper security controls to proactively take care of their organization's infrastructure.

Automate an end-to-end process to capture all FedRAMP content (approximately 32 files with a mixture of json, yaml, and xml documents), perform ETL, and load into the UCF in common data format.

All FedRAMP content, as Authority Documents, are available for customer consumption via API from the UC 4.0 API Gateway

All Citations as part of the NIST-800-53 documents are available for customer consumption via API from the UC 4.0 API Gateway

All Glossaries with term-definition pairs as they related to the NIST-800-53 content are available for customer consumption via API from the UC 4.0 API Gateway

FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.

UC can assist federal agencies or organizations working with federal agencies to grow and use secure cloud technologies.

eCFR

...

Expand
titleRequirements

Describe the product requirements that will fulfill the underserved need(s) starting off with the use cases, then specific functionality.

Requirement

Importance

Comments

STIGsSTIG Pipeline

Scrape the STIG document library to download all zip files.

High

The zip files are multi-level nested zip files.

Unzip each STIG file to retrieve the XML files.

High

Store the XML files for later use.

High

The hierarchy of zip files must be maintained to ensure follow-on functions have context.

Identify which documents within the hierarchy are Authority Documents.

High

The zip files may contain readme’s or other files that do not constitute Authority Documents.

Identify which files are Glossary-specific.

High

Some files may solely be Glossaries with term-definition pair entries. Ensure those documents are also processed for follow-on steps.

Detect file metadata changes from prior processing.

High

Potential metadata changes could be a new document or a new version of an old document.

Only pass new or changed documents further down the pipeline.

High

NIST 800-53 Pipeline

Access the GitHub repository for all NIST 800-53 content.

High

Retrieve and store the XML, JSON, and YAML files for later use.

High

Identify which documents are Authority Documents.

High

Identify which files are Glossary-specific.

High

Some files may solely be Glossaries with term-definition pair entries. Ensure those documents are also processed for follow-on steps.

Detect file metadata changes from prior processing.

High

Only pass new or changed documents further down the pipeline.

High

FedRAMP Data Pipeline

Access the GitHub repository for all FedRAMP content.

Retrieve and store the XML, JSON, and YAML files for later use.

Identify which documents are Authority Documents.

Identify which files are Glossary-specific.

High

Some files may solely be Glossaries with term-definition pair entries. Ensure those documents are also processed for follow-on steps.

Detect file metadata changes from prior processing.

Only pass new or changed documents further down the pipeline.

eCFR Data Pipeline

Access the eCFR files via the eCFR APIs.

Store files for later use.

Identify which documents are Authority Documents.

Identify which files are Glossary-specific.

High

Some files may solely be Glossaries with term-definition pair entries. Ensure those documents are also processed for follow-on steps.

Detect file metadata changes from prior processing.

Only pass new or changed documents further down the pipeline.

General Pipeline

Catalog each source Authority Document.

High

Gather all information as is required by the Common Data format.

Identify and extract Citations from the Authority Document

High

Citations are passages in the Authority Document that:

  1. contain Mandates (requirements) OR

  2. related contextual information such as stubs, informational, and informational gathering.

Maintain Citation structure.

High

Since Authority Documents will contain multiple Citations and passages may have related Citations, that structure must be maintained to know the relationship between Citations.

Extract Glossary from within Authority Documents.

High

Some Authority Documents may have glossary within the document. This will typically be near the end of the file.

Extract the Glossary details including the Title, source, and all term-definition pairs.

Extract Glossary from glossary-specific files.

High

Some files may only have Glossary entries with term definition pairs.

Extract the Glossary details including the Title, source, and all term-definition pairs.

Detech content changes from prior loads.

High

Nee discussion here. See questions

Transform the Authority Document into the Common Data Format

High

The transformation documentation must be used as reference as to how source document schema structures are related to the Common Data Format.

Transform the Authority Document related Citations into the Common Data Format

High

As above, use the CDF transformation document as reference.

Transform the Glossaries into the Common Data Format

High

As above, use the CDF transformation document as reference.

Load Authority Documents into the Unified Compliance Platform

High

UCF engineering team will determine the optimal approach for loading (API, service, …)

Load Citations into the Unified Compliance Platform

High

Same as above

Load Glossaries into the Unified Compliance Platform

High

Same as above

Expand
titleOut of Scope / Future Functionality

List the known features that are out of scope for this project or might be revisited at a later time.

As is case with the assumptions, it is important to list these out so that architects and engineers can plan accordingly for these later updates.

Requirement

Comments

Mapping STIGs, NIST, FedRamp, or eCFR content to the Common Controls.

This project ends at the AD, Citation and Glossary extraction.

Follow-on projects will include the mapping.

...

Expand
titleOpen Questions

List any open questions that come to mind throughout the lifecycle of this initiative.

Question

Answer

Date Answered

For STIGs, how do we identify which files are authority documents?

Specifically, what is required to catalog an AD?

In this first pass, what should constitute content changes?

We don’t want to get too crazy and make this a massive project.

Need to discuss

Expand
titleAlternative Solutions

Provide a high-level evaluation criterion for alternative solutions (build, buy, partner) to evaluate different routes to success.

...