Skip to content

Joint NIST/FedRAMP tool to interact with OSCAL files via a browser-based GUI

License

Notifications You must be signed in to change notification settings

brian-ruf/OSCAL-GUI

Repository files navigation

OSCAL-GUI

An open-source graphical user interface (GUI) for interacting with Open Security Controls Assessment Language (OSCAL) files, developed under a collaborative effort between the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) and the National Institute of Science and Technology (NIST) OSCAL Team.

This tool is designed to work with Extensible Markup Language (XML)-based OSCAL files, and enables conversion of OSCAL files between XML, JavaScript Object Notation (JSON), and Yet another Markup Language (YAML) in any direction.

OSCAL-GUI Short Term Roadmap and Progress:

Complete:

  • Core GUI framework (Presentation, Menus, etc.)
  • Core OSCAL functions (in oscal-functions.php)
  • Basic Project Management Functions
  • OSCAL File Import (XML and JSON)
  • XML Schema Description (XSD) Update Download and Pre-compile
  • Validation of OSCAL files using XSD with friendly error reporting
  • OSCAL Profile Resolution: Collapses OSCAL Profiles that contain Pointers to Catalogs, down to a single Catalog.
  • OSCAL Format Conversion (XML to/from JSON)

In Progress:

  • Metadata Management (all OSCAL layers)
  • Profile Creation/Manipulation
  • Catalog Creation/Manipulation
  • Back-Matter Management (all OSCAL layers)

Future:

  • OSCAL Format Conversion (XML/JSON to/from YAML)
  • SSP Creation/Manipulation
  • SSP FedRAMP Validation
  • Identity management
  • Access control (on a project-by-project basis) Functionality related to the assessment layers will be planned and developed as the syntax for those OSCAL layers are defined.

Technical Requirements

  • PHP 7+ (Will likely work with PHP 5+; however, this has not been verified)
  • Java Runtime: Only required by Saxon-HE (Home Edition) to convert between OSCAL formats (XML to/from JSON and YAML)
  • Browser Support: Most major browsers are supported, EXCEPT Microsoft Internet Explorer and Edge, which do not support server-side execution (SSE) via javascript/eventSource. The latest version of Google Chrome or Mozilla Firefox is recommended.

This can run on a stand-alone workstation using PHP's integrated web server, or placed on a web server such as Apache. If placed on a web server, must run in the webroot directory.

IMPORTANT

While this code will function correctly on a multi-user web server, there is currently no identity management or access control mechanisms built in. All OSCAL files managed by this tool will be exposed to everyone with access to the web server. These capabilities will be added after other OSCAL functionality is complete and stabilized. On a web server, each project is contained within a directory. A web server administrator could apply permissions to the project's directory as the operating system (OS) level.

Additional Technologies Used

This tool includes and uses the following open-source modules:

  • Jodit 3.2.44 to enable rich editing of mixed and prose OSCAL fields
  • Saxon-HE (Home Edition) Version 9.9: Used only to process the XSLT 3.0 files used to convert between OSCAL formats (XML to/from JSON and YAML)

OSCAL Layers: Brief Overview

Layer Description Syntax Status
Catalog Syntax for describing control definitions, such as those that appear in NIST 800-53, Revision 4 and ISO-27001. Fully Drafted
Profile Syntax for describing control baselines, such as the FedRAMP High, Moderate, and Low baselines. Fully Drafted
Implementation Syntax for describing System Security Plan (SSP) content, as well as vendor-provided component content. Under Development
Assessment Syntax for describing content related to Security Assessment Plan (SAP), assessment activities, and evidence gathering. CY 2019 Q4
Assessment Results Syntax for describing Security Assessment Report (SAR) and Plan of Action and Milestones (POA&M) content. CY 2019 Q4

For more information about OSCAL's architecture, please visit: https://pages.nist.gov/OSCAL/docs/

About

Joint NIST/FedRAMP tool to interact with OSCAL files via a browser-based GUI

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published