Speaker: Alexander Koderman, Senior Developer, SerNet, Inc.
Session type: Full Length
Abstract: State-sponsored and state-tolerated cyber attacks continue to rise. Governments and regulators also continue to respond. Companies are facing an increasing number of compliance requirements and controls. The result is that assessment cycles are becoming faster and control satisfaction needs to be verifiable with high granularity, down to single control statements for individual systems or even system components. The U.S. National Institute of Standards and Technology (NIST) has developed OSCAL, a machine-readable language for cybersecurity control implementation and assessment. The next step is to develop implementations to aid cybersecurity practitioners in their daily tasks, such as: determining control prerequisites, finding related controls, tailoring controls to the organization, and assessing control implementation. We demonstrate "OSCL4NEO4J" – a set of open source scripts and a REST API that can be used to import and work with OSCAL data in Neo4j to solve practical problems faced by cybersecurity practitioners every day. The open source project that we present has already been recognized by NIST.gov and is referenced from their official OSCAL repository.
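As an added illustration (not code from the project presented in this session), this Python example shows the graph view of OSCAL that the abstract relies on: a small constructed catalog fragment is flattened into controls, its `rel="related"` links become directed edges, and a breadth-first walk answers "which controls are related to this one, and how many hops away". The control ids, titles and UUID are constructed sample data, not taken from a real NIST catalog.

```python
import json
from collections import deque

# Constructed minimal OSCAL catalog fragment (sample data, not a real NIST catalog).
# Real catalogs use the same shape: catalog -> groups -> controls -> links.
CATALOG_JSON = """{"catalog": {
  "uuid": "00000000-0000-4000-8000-000000000000",
  "metadata": {"title": "Example catalog", "version": "0.1"},
  "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
      {"id": "ac-2", "title": "Account Management",
       "links": [{"href": "#ac-3", "rel": "related"}, {"href": "#ia-2", "rel": "related"}]},
      {"id": "ac-3", "title": "Access Enforcement", "links": [{"href": "#ac-6", "rel": "related"}]},
      {"id": "ac-6", "title": "Least Privilege", "links": []}]},
    {"id": "ia", "title": "Identification and Authentication", "controls": [
      {"id": "ia-2", "title": "Identification and Authentication (Organizational Users)",
       "links": [{"href": "#ac-2", "rel": "related"}]}]}]}}"""


def load_controls(catalog_json):
    """Flatten a catalog into {control_id: control}, walking nested groups and enhancements."""
    controls = {}

    def walk_controls(items):
        for c in items:
            controls[c["id"]] = c
            walk_controls(c.get("controls", []))  # control enhancements nest under controls

    def walk_groups(groups):
        for g in groups:
            walk_controls(g.get("controls", []))
            walk_groups(g.get("groups", []))   # groups may nest further groups

    cat = json.loads(catalog_json)["catalog"]
    walk_groups(cat.get("groups", []))
    walk_controls(cat.get("controls", []))     # controls may also sit directly under the catalog
    return controls


def related_edges(controls):
    """Directed edges control -> related control, taken from links with rel='related'."""
    edges = {cid: [] for cid in controls}
    for cid, c in controls.items():
        for link in c.get("links", []):
            if link.get("rel") == "related" and link.get("href", "").startswith("#"):
                edges[cid].append(link["href"][1:])  # '#ac-3' -> 'ac-3'
    return edges


def related_closure(edges, start, max_depth=None):
    """BFS over related links; returns {control_id: hop distance}, excluding the start control."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        if max_depth is not None and seen[cur] >= max_depth:
            continue
        for nxt in edges.get(cur, []):          # .get tolerates links to ids missing from the catalog
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    del seen[start]
    return seen
```

The same traversal is what a graph database answers with a variable-length path query once the catalog has been imported as nodes and relationships; `max_depth` corresponds to bounding that path length.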