
aws-samples/cccs-oscal-samples

CCCS OSCAL Samples

This repo includes sample implementations of security control profiles from the Canadian Centre for Cyber Security (CCCS), expressed using the Open Security Controls Assessment Language (OSCAL).

For an introduction to key OSCAL concepts, please see the documentation.

OSCAL files

The repo is structured into the following folders:

  • imports - OSCAL resources imported by the profiles: a catalog containing the security controls that are unique to CCCS, and the cccs-mods profile, which specifies the CCCS modifications to existing NIST 800-53 controls.
  • profiles - OSCAL profiles reflecting CCCS security requirements.
  • scripts - Scripts to process the OSCAL files.
  • diagrams - The data-flow diagram used in this README.

The repo also incorporates NIST's oscal-content repo as a submodule in the imports folder, which includes the NIST 800-53 catalog in OSCAL form.

Profile resolution and CSV conversion

The shell script at scripts/resolve.sh calls oscal-cli to validate the cccs-control-catalog catalog file, then completes the following steps for each of the included profiles:

  1. Calls oscal-cli to resolve the profile into an OSCAL catalog (see NIST's documentation for more information on profile resolution).
  2. Calls oscal-cli to validate the resolved catalog.
  3. Calls catalog-to-csv.py, which converts the catalog into a human-readable CSV format, including mapping specified parameter values into control statements.
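The CSV step is where a reader-facing document falls out of the OSCAL data model: every control's `statement` part (and its nested items) has to be flattened to text, and each `{{ insert: param, <id> }}` placeholder in the prose has to be replaced by the value the profile set for that parameter. The following is an added illustration of that conversion, written for this page rather than taken from the repo's catalog-to-csv.py; the catalog it walks is a small constructed sample in the standard OSCAL JSON layout, and the CSV column names are a choice made here, not the repo's format. It also shows the two edge cases a converter has to decide on: a parameter the profile only constrained to a selection (rendered as the list of choices) and a placeholder whose parameter is not defined anywhere in the catalog (flagged rather than silently dropped).

```python
import csv
import io
import re

# Constructed sample: a tiny resolved OSCAL catalog in the standard JSON layout
# (catalog -> groups -> controls -> params/parts). Not taken from the repo.
SAMPLE_CATALOG = {
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Sample resolved catalog", "version": "1.0", "oscal-version": "1.1.2"},
        "groups": [{
            "id": "ac",
            "title": "Access Control",
            "controls": [{
                "id": "ac-2",
                "title": "Account Management",
                "params": [
                    # Value fixed by the profile: substituted verbatim.
                    {"id": "ac-2_prm_1", "values": ["system administrator"]},
                    # Only constrained to a selection: rendered as the allowed choices.
                    {"id": "ac-2_prm_2", "label": "time period",
                     "select": {"how-many": "one", "choice": ["24 hours", "7 days"]}},
                ],
                "parts": [
                    {"id": "ac-2_smt", "name": "statement", "parts": [
                        {"id": "ac-2_smt.a", "name": "item", "props": [{"name": "label", "value": "a."}],
                         "prose": "Assign account managers, approved by {{ insert: param, ac-2_prm_1 }};"},
                        {"id": "ac-2_smt.b", "name": "item", "props": [{"name": "label", "value": "b."}],
                         "prose": "Disable inactive accounts within {{ insert: param, ac-2_prm_2 }}."},
                    ]},
                    # Guidance is deliberately excluded from the statement column.
                    {"id": "ac-2_gdn", "name": "guidance", "prose": "Guidance text is not part of the statement."},
                ],
                # Control enhancements are nested controls and must be walked too.
                "controls": [{
                    "id": "ac-2.1",
                    "title": "Automated System Account Management",
                    "params": [{"id": "ac-2.1_prm_1", "values": ["automated mechanisms"]}],
                    "parts": [{"id": "ac-2.1_smt", "name": "statement",
                               "prose": "Support account management using {{ insert: param, ac-2.1_prm_1 }}."}],
                }],
            }],
        }],
    }
}

# OSCAL parameter insertion syntax used inside prose fields.
PARAM_RE = re.compile(r"\{\{\s*insert:\s*param,\s*([^}\s]+)\s*\}\}")


def collect_params(node, params=None):
    """Gather every parameter definition (id -> param) from the catalog, its groups and controls."""
    if params is None:
        params = {}
    for p in node.get("params", []):
        params[p["id"]] = p
    for key in ("groups", "controls"):
        for child in node.get(key, []):
            collect_params(child, params)
    return params


def render_param(param):
    """Show a set value if the profile fixed one, else the allowed choices, else the parameter's label."""
    if param.get("values"):
        return ", ".join(param["values"])
    sel = param.get("select")
    if sel and sel.get("choice"):
        return "[Selection: " + "; ".join(sel["choice"]) + "]"
    return "[Assignment: " + param.get("label", param["id"]) + "]"


def substitute(prose, params):
    """Replace every {{ insert: param, id }} placeholder; flag ids the catalog never defines."""
    def repl(match):
        pid = match.group(1)
        if pid not in params:
            return "[MISSING PARAMETER " + pid + "]"
        return render_param(params[pid])
    return PARAM_RE.sub(repl, prose)


def statement_text(control, params):
    """Flatten the control's 'statement' part and nested items into one string, keeping item labels."""
    lines = []

    def walk(part):
        label = next((p["value"] for p in part.get("props", []) if p["name"] == "label"), None)
        prose = part.get("prose")
        if prose:
            text = substitute(prose, params)
            lines.append(f"{label} {text}" if label else text)
        for sub in part.get("parts", []):
            walk(sub)

    for part in control.get("parts", []):
        if part.get("name") == "statement":
            walk(part)
    return " ".join(lines)


def iter_controls(node, group_title=""):
    """Yield (group title, control) for every control, including enhancements nested under a control."""
    for group in node.get("groups", []):
        yield from iter_controls(group, group.get("title", group_title))
    for control in node.get("controls", []):
        yield group_title, control
        yield from iter_controls(control, group_title)


def catalog_to_rows(doc):
    """One row per control with the parameter values already mapped into the statement text."""
    catalog = doc["catalog"]
    params = collect_params(catalog)
    return [{"group": group_title, "id": control["id"], "title": control.get("title", ""),
             "statement": statement_text(control, params)}
            for group_title, control in iter_controls(catalog)]


def catalog_to_csv(doc):
    """Serialize the rows as CSV text (column names are this example's choice, not the repo's)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["group", "id", "title", "statement"])
    writer.writeheader()
    writer.writerows(catalog_to_rows(doc))
    return buf.getvalue()


if __name__ == "__main__":
    print(catalog_to_csv(SAMPLE_CATALOG))
```

Two details matter when adapting something like this to a real resolved catalog: parameter definitions can appear on the catalog, on groups and on controls, so they must be collected from the whole tree before any prose is rendered, and a placeholder that resolves to no definition is a sign that the profile or the imported catalog is incomplete, which is worth surfacing in the CSV rather than hiding.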

The outputs generated by resolve.sh are included in the respective profile folders, and are named as follows:

  • cccs-{profile}-resolved.json
  • cccs-{profile}-resolved.csv

The flow of data is depicted in the diagram below.

[Diagram: data flow]

Use

  1. Install prerequisites as required for your OS:
    1. Python 3
    2. Java Runtime Environment
    3. oscal-cli: https://github.com/metaschema-framework/oscal-cli
  2. Clone this repo locally, using git clone with the --recurse-submodules flag.
  3. Make any required changes to the files listed under OSCAL Files above.
  4. From the root directory of the repo, run scripts/resolve.sh, which will generate and overwrite the *-resolved.json and *-resolved.csv files.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Disclaimer

This repository contains security requirements from the Canadian Centre for Cyber Security (CCCS) that have been encoded using OSCAL (Open Security Controls Assessment Language). These representations are unofficial and have not been reviewed or approved by CCCS.

The information in this repository is provided as a convenience to AWS customers, for use in achieving their compliance objectives. All content is provided "as is" without any warranty, express or implied. The authors and contributors of this repository make no representations or warranties regarding the accuracy, completeness, or suitability of the information for any purpose.

Users are solely responsible for assessing the appropriateness of using this information in their specific context and for ensuring compliance with all applicable laws, regulations, and security standards. AWS recommends that customers consult with qualified legal and security professionals before relying on this data for compliance purposes.

By using the content in this repository, you agree to these terms and acknowledge that you do so at your own risk.
