
2020.08.09

Two drafts on the NIST National Cybersecurity Online Informative References (OLIR) Program

Hello, this is Mitsuhiko Maruyama.

NIST has published two drafts on its "National Cybersecurity Online Informative References (OLIR) Program":

  • NISTIR 8278 : Program Overview and OLIR Uses
  • NISTIR 8278A : Submission Guidance for OLIR Developers

● NIST -ITL

・2020.08.04  (PUBLICATIONS)

・・ NISTIR 8278 (Draft)  National Cybersecurity Online Informative References (OLIR) Program: Program Overview and OLIR Uses (2nd Draft)

・・[PDF] NISTIR 8278 (Draft)

・・NISTIR 8278A (Draft)  National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers

・・[PDF] NISTIR 8278A (Draft)


Planning Note (8/4/2020):

NIST is seeking public comments on two draft NISTIRs for the National Cybersecurity Online Informative References (OLIR) Program. This Program is a NIST effort to facilitate subject matter experts in defining standardized Online Informative References (OLIRs), which are relationships between elements of their documents and elements of other documents like the NIST Cybersecurity Framework.  The draft reports focus on 1) OLIR program overview and uses (NISTIR 8278), and 2) submission guidance for OLIR developers (NISTIR 8278A).

Draft (2nd) NISTIR 8278 describes the OLIR Program: what OLIRs are, what benefits they provide, how anyone can search and access OLIRs, and how subject matter experts can contribute OLIRs. Based on feedback received from early adopters as well as discussions at the December 2019 OLIR workshop, this second draft includes:

  • The introduction of two new Focal Document Templates:
    • Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management v1.0, and
    • Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
  • New functional enhancements to the OLIR Catalog and Derived Relationships Mapping (DRM) display tool

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.


Once many standards-like documents are being issued, you need a tool that can describe the relationships between them. And since they increasingly have to be implemented in a systematic way, it follows that the tool describing those relationships also has to be built as a system...

 



NISTIR 8278 (Draft)

Table of Contents

Executive Summary
1   Introduction
 1.1  Purpose and Scope
 1.2  Document Structure
2   Overview of the National Cybersecurity OLIR Program
3   Common Uses of the OLIR Catalog
 3.1  Reference Data
  3.1.1  Tier 1 – Informative References
  3.1.2  Tier 2 – Derived Relationship Mappings (DRMs)
 3.2  The OLIR Catalog
 3.3  The DRM Analysis Tool
 3.4  Display Report
 3.5  Report Downloads
  3.5.1  Report Download in CSV Format
  3.5.2  Report Download in JSON Format
 3.6  Common Use Cases
  3.6.1  Comparative Analysis of Cybersecurity Documents and Controls
References

List of Appendices
Appendix A— Acronyms
Appendix B— Glossary

List of Figures
Figure 1: Relationship Types
Figure 2: Relative Strength of Relationships
Figure 3: Multiple Documents Related to a Focal Document
Figure 4: OLIR Catalog Page
Figure 5: Informative Reference More Details Page
Figure 6: DRM Analysis Tool Home Page
Figure 7: Multi-Select Example
Figure 8: Display Report Example
Figure 9: Report Download Options
Figure 10: Sample CSV Report
Figure 11: Sample JSON Report

List of Tables
Table 1: Relationship Type Descriptions
Table 2: Informative Reference More Details Description Fields
Table 3: Display Report Column Header Descriptions

Executive Summary

The fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations. There is no standardized way to indicate how an element of one document relates to an element of another document (e.g., the relationship between requirement A in one document and recommendation 7.2 in another document). This relationship is called an informative reference. The Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) introduced informative references, but these were simple prose mappings that only noted that a relationship existed and not the nature of that relationship. These informative references were also part of the Cybersecurity Framework document itself, so they could not be readily updated as the other documents changed.

The National Cybersecurity Online Informative References Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their cybersecurity, privacy, and workforce documents and elements of other cybersecurity, privacy, and workforce documents like the Cybersecurity Framework. At this stage of the OLIR Program evolution, the initial focus is on relationships to cybersecurity and privacy documents.

The OLIRs are in a simple standard format defined by NIST Interagency or Internal Report (IR) 8278A, National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers (“NISTIR 8278A”), and they are displayed in a centralized location. By following this approach, cybersecurity document owners can use the OLIR Program as a mechanism for communicating with owners and users of other cybersecurity documents. Given the OLIR Program’s decentralized nature, cybersecurity document owners also have the flexibility to update their documents and then update their OLIRs according to their own unique requirements and schedules.

The OLIR Program integrates ongoing NIST projects that respond to administrative and legislative requirements, including those for the Cybersecurity Framework under Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, released in February 2013, and the Federal Information Security Modernization Act of 2014, which amended the Federal Information Security Management Act of 2002 (FISMA). The OLIR Program also addresses many Office of Management and Budget (OMB) memoranda that address specific cybersecurity issues and comprise large sets of regulations with which organizations must comply. The OLIR Program can represent relationships to any authoritative documents, products, or services. These resources can be generated from national and international standards, guidelines, frameworks, and regulations to policies for individual organizations, sectors, or jurisdictions.

The purpose of this document is to describe the National Cybersecurity OLIR Program and explain the use, benefits, and management of the OLIR Catalog—the online location for sharing OLIRs—for both the SMEs contributing OLIRs to it and the Catalog’s users. The content of this document complements that of NISTIR 8278A, which provides additional information for the SMEs defining OLIRs and submitting them to the OLIR Program. SMEs should read this document first, then NISTIR 8278A.
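The Executive Summary describes an informative reference as a typed relationship between an element of a Reference Document and an element of a Focal Document, and the NISTIR 8278 table of contents distinguishes Tier 1 (the Informative References themselves) from Tier 2 (Derived Relationship Mappings, where two documents are related through the Focal Document they both map to) and lists CSV and JSON as the Catalog's download formats. The following Python is an added illustration of that model, not NIST's code or the Catalog's implementation: it validates rows shaped like the template's Relationships tab, joins two Informative References on their shared focal element to produce DRM rows, and exports them as CSV and JSON. The relationship vocabulary, the 1-to-10 strength scale, the column names and the sample rows are all assumptions made for the example; the draft's Figure 1 and Table 1 define the real vocabulary and fields.

```python
"""Added example (not NIST's code): model OLIR-style Informative Reference rows
and derive Tier-2 Derived Relationship Mappings (DRMs) by joining two Tier-1
Informative References on the Focal Document element they both map to.
The relationship vocabulary, strength scale and sample rows are assumptions."""
import csv
import io
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed relationship vocabulary; the draft's Figure 1 defines the real one.
RELATIONSHIP_TYPES = {"subset of", "intersects with", "equal", "superset of", "not related to"}


@dataclass(frozen=True)
class Relationship:
    """One row of the template's Relationships tab (a subset of its fields)."""
    focal_element: str              # element of the Focal Document (e.g. a Framework Subcategory)
    relationship: str               # how reference_element relates to focal_element
    reference_element: str          # element of the Developer's own Reference Document
    strength: Optional[int] = None  # optional Strength of Relationship; assumed 1..10 scale

    def __post_init__(self) -> None:
        if self.relationship not in RELATIONSHIP_TYPES:
            raise ValueError(f"unknown relationship type: {self.relationship!r}")
        if self.strength is not None and not 1 <= self.strength <= 10:
            raise ValueError("strength must be between 1 and 10")


def derive_drms(name_a: str, ref_a: List[Relationship],
                name_b: str, ref_b: List[Relationship]) -> List[Dict[str, str]]:
    """Tier-2 derivation: join two Tier-1 references on the focal element.

    Each output row carries both Tier-1 relationships to the focal element
    instead of inventing a composed one; judging what A's "subset of" plus B's
    "equal" means for A versus B is left to the analyst reading the report.
    Rows asserting "not related to" are skipped because they carry nothing
    through the focal element, and duplicate submissions are collapsed."""
    by_focal: Dict[str, List[Relationship]] = {}
    for row in ref_b:
        if row.relationship != "not related to":
            by_focal.setdefault(row.focal_element, []).append(row)
    drms: List[Dict[str, str]] = []
    seen = set()
    for a in ref_a:
        if a.relationship == "not related to":
            continue
        for b in by_focal.get(a.focal_element, []):
            key = (a.reference_element, a.focal_element, b.reference_element)
            if key in seen:
                continue
            seen.add(key)
            drms.append({
                "reference_document_a": name_a,
                "element_a": a.reference_element,
                "relationship_a": a.relationship,
                "focal_element": a.focal_element,
                "relationship_b": b.relationship,
                "element_b": b.reference_element,
                "reference_document_b": name_b,
            })
    return drms


def to_csv(drms: List[Dict[str, str]]) -> str:
    """Report download in CSV format: header row plus one DRM per line."""
    if not drms:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(drms[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(drms)
    return buf.getvalue()


def to_json(drms: List[Dict[str, str]]) -> str:
    """Report download in JSON format: a list of DRM objects."""
    return json.dumps(drms, indent=2)


def from_json(text: str) -> List[Dict[str, str]]:
    """Parse a JSON report back into DRM rows (used to check the round trip)."""
    return json.loads(text)


# Constructed sample data (assumption): two hypothetical Reference Documents,
# both mapped to one Focal Document whose elements are labelled in the style
# of Cybersecurity Framework Subcategory identifiers.
DOC_A = [
    Relationship("PR.AC-1", "subset of", "A-4.1", 7),
    Relationship("PR.AC-1", "intersects with", "A-4.2"),
    Relationship("ID.AM-1", "not related to", "A-1.0"),
    Relationship("PR.AC-1", "subset of", "A-4.1", 7),  # duplicate submission row
]
DOC_B = [
    Relationship("PR.AC-1", "equal", "B-9"),
    Relationship("ID.AM-1", "superset of", "B-2"),
]

if __name__ == "__main__":
    report = derive_drms("Reference Document A", DOC_A, "Reference Document B", DOC_B)
    print(to_csv(report))
    print(to_json(report))
```

Running the block prints the two derived rows (A-4.1 and A-4.2 each related to B-9 through PR.AC-1) in both formats; the ID.AM-1 pair produces nothing because Document A declares itself not related to that focal element.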

 

1 Introduction

1.1  Purpose and Scope

The purpose of this document is to describe the National Cybersecurity Online Informative References (OLIR) Program and explain the use and benefits of the OLIR Catalog for Informative Reference Developers (“Developers”) and Informative Reference Users (“Users”) of the OLIR Program.

In addition to this document, Developers may also be interested in NIST Interagency or Internal Report (IR) 8278A, National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers (“NISTIR 8278A”) [2]. NISTIR 8278A is intended to assist Developers as they complete the spreadsheet template for submitting their OLIRs to the Program. Developers should read this document first, then NISTIR 8278A.

1.2  Document Structure

The remainder of this document is organized into the following sections:

  • Section 2 provides an overview of the OLIR Program.
  • Section 3 describes common uses of the OLIR Catalog relevant to both Developers and Users.
  • The References section lists the references for the publication.
  • Appendix A contains acronyms used throughout the document.
  • Appendix B provides a glossary of terminology used throughout the document.

 


 

NISTIR 8278A (Draft)

Table of Contents

1 Introduction
 1.1 Purpose and Scope
 1.2  Document Structure
2  Informative Reference Development
 2.1  OLIR Vocabulary
 2.2  Background
 2.3  Informative Reference Life Cycle
 2.4  Developer Steps for Creating, Posting, and Submitting Informative References
  2.4.1  Initial Informative Reference Development
  2.4.2  Informative Reference Posting
  2.4.3  Informative Reference Submitted to NIST
 2.5  NIST Steps for Reviewing and Finalizing Informative References for Publication
  2.5.1  NIST Screening of the Submission Package
  2.5.2  Public Review and Feedback for the Candidate Informative Reference
  2.5.3  Final Listing in the OLIR Catalog
  2.5.4  Informative Reference Maintenance and Archival
3   OLIR Template Instructions
 3.1  Completing the General Information Tab
  3.1.1  Informative Reference Name
  3.1.2  Reference Version
  3.1.3  Web Address
  3.1.4  Focal Document Version
  3.1.5  Summary
  3.1.6  Target Audience (Community)
  3.1.7  Comprehensive
  3.1.8  Reference Document Author
  3.1.9  Reference Document
  3.1.10 Reference Document Date
  3.1.11 Reference Document URL
  3.1.12 Reference Developer
  3.1.13 Comments
  3.1.14 Point of Contact
  3.1.15 Dependency/Requirement
  3.1.16 Citations
 3.2  Completing the Relationships Tab
  3.2.1  Focal Document Element
  3.2.2  Focal Document Element Description
  3.2.3  Security Control Baseline
  3.2.4  Rationale
  3.2.5  Relationship
  3.2.6  Reference Document Element
  3.2.7  Reference Document Element Description
  3.2.8  Fulfilled By
  3.2.9  Group Identifier (Optional)
  3.2.10 Comments (Optional)
  3.2.11 Strength of Relationship (Optional)
  3.2.12 Examples of Common Scenarios
References

List of Appendices
Appendix A— Relationship Examples
Appendix B— Acronyms
Appendix C— Glossary
Appendix D— General Information Example
Appendix E— Participation Agreement for the NIST OLIR Program

List of Figures
Figure 1: Informative Reference Name Elements
Figure 2: Informative Reference Relationship Types
Figure 3: Relative Strength of Relationships

List of Tables
Table 1: General Information Tab Field Description
Table 2: Relationships Tab Field Description
Table 3: Template Examples for Multiple Reference Document Elements
Table 4: OLIR Template Example for a Single Reference Document Element
Table 5: Second OLIR Template Example for a Single Reference Document Element

1 Introduction

1.1  Purpose and Scope

The purpose of this document is to assist Informative Reference Developers (“Developers”) in understanding the processes and requirements for participating in the National Cybersecurity Online Informative References (OLIR) Program.

This document replaces IR 8204, Cybersecurity Framework Online Informative References (OLIR) Submissions: Specification for Completing the OLIR Template.

Before reading this document, Developers should first read National Institute of Standards and Technology (NIST) Interagency or Internal Report (IR) 8278, National Cybersecurity Online Informative References (OLIR) Program: Program Overview and OLIR Uses (“NISTIR 8278”) [2]. NISTIR 8278 describes the OLIR Program and explains the uses and benefits of the OLIR Catalog.

1.2  Document Structure

The remainder of this document is organized into the following sections:

  • Section 2 describes the general process for developing Informative References and submitting them to NIST for inclusion in the OLIR Catalog, as well as the processes for updating and archiving Informative References.
  • Section 3 provides guidance for completing the OLIR Template when submitting an Informative Reference.
  • The References section lists the references for the publication.
  • Appendix A contains simplistic examples of the notional logic for determining the relationship between two document element concepts.
  • Appendix B contains acronyms used throughout the document.
  • Appendix C provides a glossary of terminology used throughout the document.
  • Appendix D displays a notional example of values for the OLIR Template.
  • Appendix E defines the Participation Agreement for the OLIR Program for Developers.
