ARF 0.41.1 with fixes to issues discovered during ARCAT development


ARF 0.41.1 with fixes to issues discovered during ARCAT development

Wolfkiel, Joseph

All,

Please find, attached, updated schemas for ARF 0.41.1.  Minor changes were made to 6 schemas to address issues that were encountered during construction of our reference implementation, the "Assessment Results Consumer and Analysis Tool (ARCAT)."

A change log and updated data dictionary are included.

<<...>>
Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


ARF 041dot1.zip (189K)

Re: ARF 0.41.1 with fixes to issues discovered during ARCAT development

Bob Neuman

What changes are occurring to ARF due to CNSSI-1253 Security Categorization and Control Selection for National Security Systems, dated October 2009 at http://www.cnss.gov/instructions.html?

Is the ops_attributes.xsd under review for modifications to allow defining the security controls / profiles?
The control selection process allows different methodologies to select, tailor, and supplement the set of controls or assignment of a profile.  Since the tailoring decisions, including the specific rationale (i.e., mapping to risk thresholds) for those decisions, are to be documented in the security plan for the information system, wouldn't it be best to capture that data in the ARF?

Is there a discussion thread on this already?

Re: ARF 0.41.1 with fixes to issues discovered during ARCAT development

Wolfkiel, Joseph
While the Ops Attributes schema from ARF was designed to carry information
required to address these issues, we haven't been working hand-in-hand with
the CNSS on how ARF will play with respect to risk documentation and profile
selection.

I'll have my team look into this and try to have something out to the list
by next Friday.  Obviously, the operational attributes schema already can
capture confidentiality, integrity, and availability values, along with
network architecture and role/function issues.  

How to build a repeatable, global risk quantification and management process
based on common usage of ARF operational attribute values to support
CNSSI-1253 is something we haven't really been focusing on. (yet)

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Bob Neuman [mailto:[hidden email]]
Sent: Friday, February 12, 2010 10:58 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] ARF 0.41.1 with fixes to issues
discovered during ARCAT development

What changes are occurring to ARF due to CNSSI-1253 Security Categorization
and Control Selection for National Security Systems, dated October 2009 at
http://www.cnss.gov/instructions.html?

Is the ops_attributes.xsd under review for modifications to allow defining
the security controls / profiles?
The control selection process allows different methodologies to select,
tailor, and supplement the set of controls or assignment of a profile.  Since
the tailoring decisions, including the specific rationale (i.e., mapping to
risk thresholds) for those decisions, are to be documented in the security
plan for the information system, wouldn't it be best to capture that data in
the ARF?

Is there a discussion thread on this already?