
aws-samples/cccs-oscal-samples

CCCS OSCAL Samples

This repo includes sample implementations of security control profiles from the Canadian Centre for Cyber Security (CCCS), expressed using the Open Security Controls Assessment Language (OSCAL).

For an introduction to key OSCAL concepts, please see the documentation.

(Figure: data flow diagram showing how the OSCAL files below are resolved and converted)

OSCAL files

CCCS' security guidance has been expressed in the following OSCAL files:

  1. cccs-control-catalog.json — This OSCAL catalog describes security controls that are not part of NIST 800-53.
  2. cccs-mods-profile.json — This OSCAL profile imports controls from the NIST 800-53 and CCCS[1] catalogs and makes CCCS-specific modifications.
  3. cccs-medium-profile.json — This OSCAL profile imports controls from the cccs-mods profile and sets parameters in accordance with the CCCS Medium security control profile.
  4. cccs-pbhva-overlay-profile.json — This OSCAL profile imports controls from the cccs-mods profile and sets parameters in accordance with the CCCS Protected B High Value Assets (PBHVA) security control overlay.
  5. cccs-medium+pbhva-profile.json — This OSCAL profile imports controls from the cccs-mods profile and sets parameters in accordance with both the CCCS Medium security control profile and the PBHVA overlay.

This repo also incorporates NIST's oscal-content repo as a submodule, which includes the NIST 800-53 catalog in OSCAL form.

Profile resolution and CSV conversion

The scripts folder includes a shell script, resolve.sh, which completes the following steps for each of the included profiles:

  1. Calls oscal-cli to resolve the profile to an OSCAL catalog (see NIST's documentation for more information on profile resolution).
  2. Calls oscal-cli to validate the resolved catalog.
  3. Calls catalog-to-csv.py, which converts the catalog into a human-readable CSV format, including mapping specified parameter values into control statements.
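As an added illustration of step 3 (this is example code written for this page, not the repo's own catalog-to-csv.py), the following Python takes a resolved OSCAL catalog, substitutes each parameter's resolved value into the control statement prose, and emits CSV rows. The catalog is a constructed two-control sample; the placeholder syntax `{{ insert: param, <id> }}` is the OSCAL convention for parameter insertion. The unresolved-parameter check at the end is an addition here, not something the page says resolve.sh does: it lists parameters a profile left unset, which is the kind of gap a reviewer wants surfaced before the CSV is treated as the organization's baseline.

```python
import csv
import io
import json
import re

# Constructed sample: a minimal resolved OSCAL catalog (not real CCCS output).
# A resolved catalog carries the parameter values that the profile set.
SAMPLE_RESOLVED_CATALOG = json.loads(r"""
{
  "catalog": {
    "uuid": "00000000-0000-4000-8000-000000000000",
    "metadata": {"title": "Constructed sample catalog", "version": "0.0"},
    "groups": [
      {
        "id": "ac",
        "title": "Access Control",
        "controls": [
          {
            "id": "ac-2",
            "title": "Account Management",
            "params": [
              {"id": "ac-2_prm_1", "label": "time period", "values": ["every 90 days"]}
            ],
            "parts": [
              {"id": "ac-2_smt", "name": "statement",
               "prose": "Review accounts for compliance {{ insert: param, ac-2_prm_1 }}."}
            ],
            "controls": [
              {
                "id": "ac-2.1",
                "title": "Automated System Account Management",
                "params": [
                  {"id": "ac-2.1_prm_1", "label": "automated mechanisms"}
                ],
                "parts": [
                  {"id": "ac-2.1_smt", "name": "statement",
                   "prose": "Support the management of system accounts using {{ insert: param, ac-2.1_prm_1 }}."}
                ]
              }
            ]
          }
        ]
      }
    ]
  }
}
""")

# OSCAL parameter insertion placeholder, e.g. "{{ insert: param, ac-2_prm_1 }}"
PARAM_INSERT = re.compile(r"\{\{\s*insert:\s*param,\s*([^\s}]+)\s*\}\}")


def iter_controls(container):
    """Walk nested groups and controls depth-first, yielding every control."""
    for group in container.get("groups", []):
        yield from iter_controls(group)
    for control in container.get("controls", []):
        yield control
        yield from iter_controls(control)  # control enhancements nest under "controls"


def collect_params(catalog):
    """Map each parameter id to its resolved value, or a visible marker when unset."""
    params = {}
    for control in iter_controls(catalog):
        for p in control.get("params", []):
            if p.get("values"):
                params[p["id"]] = ", ".join(p["values"])
            else:
                # Organization-defined parameter the profile did not set: keep the label visible
                params[p["id"]] = f"[Assignment: {p.get('label', p['id'])}]"
    return params


def render_prose(prose, params):
    """Replace insertion placeholders with the resolved parameter text."""
    return PARAM_INSERT.sub(
        lambda m: params.get(m.group(1), f"[unresolved parameter {m.group(1)}]"), prose)


def statement_text(control, params):
    """Flatten the control's 'statement' part and its sub-parts into one string."""
    chunks = []

    def walk(part):
        if part.get("prose"):
            chunks.append(render_prose(part["prose"], params))
        for sub in part.get("parts", []):
            walk(sub)

    for part in control.get("parts", []):
        if part.get("name") == "statement":
            walk(part)
    return " ".join(chunks)


def catalog_to_rows(doc):
    """One row per control: id, title, and statement with parameters substituted."""
    catalog = doc["catalog"]
    params = collect_params(catalog)
    return [{"id": c["id"], "title": c.get("title", ""),
             "statement": statement_text(c, params)} for c in iter_controls(catalog)]


def catalog_to_csv(doc):
    """Serialize the rows as CSV text (header row first)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "title", "statement"])
    writer.writeheader()
    writer.writerows(catalog_to_rows(doc))
    return buf.getvalue()


def unresolved_params(doc):
    """Ids of parameters referenced in statement prose but given no value by the profile."""
    catalog = doc["catalog"]
    params = collect_params(catalog)
    unresolved = []
    for control in iter_controls(catalog):
        for part in control.get("parts", []):
            for pid in PARAM_INSERT.findall(part.get("prose", "")):
                if params.get(pid, "").startswith("[Assignment:") and pid not in unresolved:
                    unresolved.append(pid)
    return unresolved


if __name__ == "__main__":
    print(catalog_to_csv(SAMPLE_RESOLVED_CATALOG))
    print("unresolved:", unresolved_params(SAMPLE_RESOLVED_CATALOG))
```

Run against a real *-resolved.json by replacing the constructed sample with `json.load(open(path))`; the regex and traversal are the same for any OSCAL 1.x catalog.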

The outputs generated by resolve.sh are included in the repo, and are named as follows:

  • cccs-{profile}-resolved.json
  • cccs-{profile}-resolved.csv

Use

  1. Install prerequisites as required for your OS:
    1. Python 3
    2. Java Runtime Environment
    3. oscal-cli: https://github.com/metaschema-framework/oscal-cli
  2. Clone this repo locally, using git clone with the --recurse-submodules flag.
  3. Make changes to the files listed under OSCAL Files above.
  4. From the root directory of the repo, run scripts/resolve.sh, which will generate and overwrite the *-resolved.json and *-resolved.csv files.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Footnotes

  1. CCCS controls are not currently imported due to https://github.com/aws-samples/cccs-oscal-samples/issues/1
