Proprietary + Confidential
February 2023
OSCAL Adoption
For Continuous Assurance & Beyond
Google Cloud CISO
Vikram Khare - Director Continuous Assurance Engineering
Valentin Mihai - Technical Lead
Agenda
Moving Towards Continuous Assurance
Adoption Challenges
Aligning The Data
Process and Systems Overview
Aspirational: Future Plans
Introductions
Vikram Khare: Continuous Assurance Engineering
Valentin Mihai: Technical Lead
Objective: Continuous Assurance
The Case for OSCAL
● OSCAL is an integral part of enabling continuous assurance.
○ Method for exchanging risk & controls data with customers & partners
○ Comprehensive taxonomy for GRC & CCM (Continuous Controls Monitoring) platforms
○ Tooling ecosystem built with OSCAL support can enable interoperability
Defining Continuous Assurance
● Continuous Assurance
○ Opinion: Continuous assurance is an umbrella term for industry buzzwords:
■ Compliance/Privacy/Security by Design
■ Policy as Code
■ Continuous Compliance
○ Tangible: Automation of assurance activities and the enablement of real time monitoring of controls based on objectively defined metrics
○ Treat compliance failures like systems downtime
Challenges for Adoption
Minor
● Timeline to support OSCAL automation
○ OSCAL builder tooling
○ Control on-boarding tooling
● Control data change management process
● Emerging standard
● Taxonomy adoption
Major
● 3P Software Challenges
○ Performance
○ Complexity with systems integrations
● Operationalization at scale
● Technical Debt: Gaps must be remediated immediately
Moving Towards Continuous Assurance
Phase 1: POC OSCAL Builder (Templates / Scripts)
Deliver manually driven, automation-enabled OSCAL generation from sheets.
Phase 2: MVP (OSCAL Builder P0)
Deliver a tool that provides a user-friendly UI, with UUIDs persisted.
Phase 3: Data Pre-Population (OSCAL Builder P1)
Data pre-populated from GRC and from the asset inventory for vulnerability management, as well as integration of validation rules. Additional usability enhancements.
Phase 4: Maturation (OSCAL Builder P2 + Future)
Two-way integration with GRC, enhanced collaboration features, and format support. Future items including external publication, ConMon support, etc.
Aligning The Data
Regulatory Decomposition
● Needed to change the way that regulations are decomposed for internal consumption and evaluation
Establishing a granular structure for defining controls
● Need the ability to draw a straight line from the regulatory requirements, through the control implementation, down to the individual control metrics
Refining the Asset Model
● Establish an asset taxonomy that aligns with current tooling, automation and management capabilities, but that can also align with a common data structure (how do we consume systems and component structures with our current asset mgmt systems)
Aggregating Data From Disparate Sources
● OSCAL definition of a control requires a higher level of granularity:
○ Complete rewrite of the GRC data model
○ Population of data from external source into centralized GRC
Example Requirement Breakdown
Scaling Requires:
- Diffusion of responsibility
- Granularity of requirements to facilitate automation
Anti Virus Control from FooRAMP
[FooRamp] AC-1: Anti Virus Requirements for Cloud Service Providers
Title: CSP Has an AntiVirus Program
Description: The provider has an antivirus program:
1. Scans are run on prod daily
2. AV findings are assessed and remediated within 24hrs
3. All incoming data is scanned

OSCAL Adopted Control Mapping (the single FooRAMP requirement decomposed into three granular requirements)

Requirement ID: AC-1.a.1
Requirement Hierarchy: Access Control | Access Control Policy and Procedures
Title: CSP Has an AntiVirus Program
Description: The provider has an antivirus program:
1. Scans are run on prod daily

Requirement ID: AC-1.a.2
Requirement Hierarchy: Access Control | Access Control Policy and Procedures
Title: CSP Has an AntiVirus Program
Description: The provider has an antivirus program:
1. AV findings are assessed and remediated within 24hrs

Requirement ID: AC-1.b.1
Requirement Hierarchy: Access Control | Access Control Policy and Procedures
Title: CSP Has an AntiVirus Program
Description: The provider has an antivirus program:
1. All incoming data is scanned
Mapping to Internal Controls & Implementation Details
Columns in the original table: Control | Supporting Control | GRC Scope (Product) | Control Implementation | Object in Component GRC Model

Control
CONTROL-XXXX: CSP has an AV program
Control-Implementation-XXXX: CSP has an AV program that does the following:

Supporting Controls
CONTROL-XXXX: AV scans run daily in prod
CONTROL-XXXX: All AV findings resolved in 24 hrs
CONTROL-XXXX: All incoming data in DCs is scanned daily

GRC Scope (Product): Cloud - US
Object in Component GRC Model: Component-XXX (Company Foo Endpoint Security Suite)
Control-Implementation-XXXX: In NA DC, CSP runs daily scans using Company Foo x,y,z on all production systems
Control-Implementation-XXXX: AV scan results are sent to local NA AV-Sec teams, that work with dev, eng, and SRE to resolve any findings in 24hr; bugs are managed in US Issue Tracking System
Control-Implementation-XXXX: All incoming files go through a Company Foo proxy, which scans...

GRC Scope (Product): Cloud - CA
Object in Component GRC Model: Component-XXX (Company Bar AntiVirus Scanner)
Control-Implementation-XXXX: CSP runs scans daily using Company Bar on all prod systems
Control-Implementation-XXXX: AV scan results are sent to local CA AV-Sec teams, that work with dev, eng, and SRE to resolve any findings in 24hr; bugs are managed in CA Issue Tracking System
Control-Implementation-XXXX: All files are uploaded to an FTP, and are then scanned and moved to prod. Scans done by Company Bar
Measuring Continuous Assurance
CCM Metrics: % of scans, findings & incoming data measured based on risk appetite
Aggregate of CCM Metrics Determines:
● Red - down
● Yellow - warning
● Green - up

Control hierarchy (diagram):
CONTROL-XXXX: CSP has an AV program
○ Cloud - US
○ Cloud - CA
■ CONTROL-XXXX: AV scans run daily in prod
■ CONTROL-XXXX: All AV findings resolved in 24 hrs
■ CONTROL-XXXX: All incoming data in DCs is scanned daily
● Real time monitoring at the system component level is weighted to determine the overall effectiveness.
● Risk thresholds can be defined at more granular levels:
○ Ex: 1 missed remediation of low risk AV finding in the 24hr SLO not as critical as failed AV scans
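The decomposition and the weighted roll-up described in the last two slides, as an added Python example that is not part of the deck: the AC-1.x requirement IDs and the CONTROL-XXXX style IDs come from the slides, while the component names, risk weights, thresholds and observed ratios are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed example (not the deck's code): the FooRAMP AC-1 decomposition as data,
# with component-level CCM metrics rolled up to a red / yellow / green control status.
STATUS_SCORE = {"green": 1.0, "yellow": 0.5, "red": 0.0}

@dataclass(frozen=True)
class Metric:
    component: str   # system component emitting the signal (names are constructed)
    name: str        # what the ratio measures
    value: float     # observed ratio in [0, 1]
    green_at: float  # risk appetite: value >= green_at is green
    yellow_at: float # yellow_at <= value < green_at is yellow, below is red
    weight: float    # relative risk weight within the control

@dataclass(frozen=True)
class Control:
    control_id: str      # internal control (shown as CONTROL-XXXX in the deck)
    requirement_id: str  # decomposed requirement it satisfies, e.g. AC-1.a.1
    metrics: tuple       # component-level Metric records

def metric_status(m: Metric) -> str:
    if m.value >= m.green_at:
        return "green"
    return "yellow" if m.value >= m.yellow_at else "red"

def control_status(c: Control) -> str:
    """Weighted roll-up of component statuses (roll-up thresholds are an assumption)."""
    total = sum(m.weight for m in c.metrics)
    score = sum(STATUS_SCORE[metric_status(m)] * m.weight for m in c.metrics) / total
    if score >= 0.9:
        return "green"
    return "yellow" if score >= 0.6 else "red"

def program_status(controls) -> str:
    """Parent 'CSP has an AV program' is only as healthy as its worst child control."""
    return min((control_status(c) for c in controls), key=STATUS_SCORE.get)

# Constructed observations: a CA scan gap (severe, weight 3) and one US finding
# that slipped its 24h SLO (minor, weight 1), so scans go red but remediation only yellow.
CONTROLS = (
    Control("CONTROL-SCAN", "AC-1.a.1", (
        Metric("Endpoint Security Suite (US)", "prod hosts scanned in last 24h", 0.995, 0.99, 0.95, 3.0),
        Metric("AntiVirus Scanner (CA)", "prod hosts scanned in last 24h", 0.90, 0.99, 0.95, 3.0))),
    Control("CONTROL-REMEDIATE", "AC-1.a.2", (
        Metric("US Issue Tracking System", "findings closed within 24h SLO", 0.97, 0.98, 0.90, 1.0),
        Metric("CA Issue Tracking System", "findings closed within 24h SLO", 1.0, 0.98, 0.90, 1.0))),
    Control("CONTROL-INGRESS", "AC-1.b.1", (
        Metric("Scanning proxy (US)", "incoming files scanned", 1.0, 1.0, 0.99, 2.0),
        Metric("FTP staging scanner (CA)", "incoming files scanned", 1.0, 1.0, 0.99, 2.0))),
)
```

Running `control_status` over `CONTROLS` gives red for the scan control, yellow for remediation and green for ingress, and `program_status(CONTROLS)` returns red, the "down" state the deck equates with an outage.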
High Level Process (diagram)
Existing Control Modified
Net New Control Created
Systems Overview (diagram)
Inputs: control signals, policies, risk data, third party services, customer commitments, contracts, etc.
Systems of Record: Immutable Data Storage for Controls Data; Data Retention; Evidence Repository (archival + control evidence)
Data Analytics: GRC, CMDB, CCM; Visualization of Risk, Threat, Risk & Loss; Data Visualizations
OSCAL Outputs: SSP; POAM; Assessment Plan & Results
End User Outputs: Risk Assessment / Risk Quantification; Upstream / Alerting monitoring; Control / Threat Mapping and Modeling
Areas of Opportunity
1. Audit Toil Reduction
● Adoption Beyond US Public Sector
○ Expansion of OSCAL to include CCM
○ More regulatory bodies to adopt CCM metrics in place of manual audits & assessments
○ Participation / collaboration with regulators and standards body to establish data sharing architecture
2. Reg Analysis Toil Reduction
● Adoption of machine readable formats for compliance frameworks can greatly reduce time to analyze regs.
○ Conversion of existing regulations (banking, privacy regs) into machine readable formats
○ Aligning these formats with the different regulatory bodies
■ Potential to eliminate confusion on interpreting regulatory requirements
3. Integration of Controls with Broader IT Management & Security Operations
● Develop a mechanism to integrate CCM signals into security and incident response functions
● Incorporate control effectiveness coverage metrics into threat assessment practices
Thank you.