Creating a Component Definition
This tutorial covers creating a basic OSCAL component definition. Before reading this tutorial you should:
- Have some familiarity with the XML, JSON, or YAML formats.
- Read the OSCAL implementation layer overview.
- Review the OSCAL component definition model overview.
- Be familiar with the use of OSCAL properties and links.
What is an OSCAL Component Definition?
An OSCAL component definition contains a collection of components. Each component in a component definition describes how a given implementation of a hardware, software, service, policy, process, or procedure asset can support or provide implementations of specific controls. The asset described by a component in a component definition is called a component subject"* in this tutorial.
By publishing a set of components in a component definition, product and service vendors, capability owners, policy and process owners, and others can share control implementation information for a component subject they maintain. The information about a component subject can then be used when implementing that subject in an information system. This allows the control narrative for the subject to be imported into the System Security Plan (SSP).
It is important to note that component definitions do not describe actual implementations; rather, component definitions describe possible implementations which can be instantiated within an information system. Thus, component definitions serve as references with content that can be (re)used (e.g., in the SSP OSCAL model) to develop comprehensive and consistent control implementations within an SSP.
In this tutorial, we will walk through the process of creating an OSCAL component definition model instance for MongoDB. Our goal is to demonstrate how to provide standard control implementations for the benefit of system owners and SSP authors that use a similar software application.
As potential components in information systems that may need to meet the OMB A-130 Authorization to Operate requirements, the component definition in this tutorial will show proper implementation of a couple NIST SP 800-53 rev 5 controls deemed necessary for high, moderate, or low impact systems. While this example focuses on NIST controls, the same approach could be applied to any catalog of controls (e.g., ISO/IEC 27002).
For the purposes of this tutorial we'll presume the MongoDB component can partially or fully satisfy the following controls:
| NIST 800-53 rev5 Control | Description |
|---|---|
| SA-4(9) | Acquisition Process - Functions, Ports, Protocols, and Services in Use |
| SC-8(1) | Transmission Confidentiality and Integrity |
This tutorial demonstrates how to document a set of implemented controls as an OSCAL component definition for these controls.
Creating an OSCAL Component Definition Instance
The examples below illustrate the top-level structure of the OSCAL Component Definition Model.
| |
The root of the OSCAL component definition model is <component-definition>. Note that the schema location attribute is omitted for this example. The @uuid attribute (on line 3) is the document's universally unique identifier (UUID), a unique 128-bit number displayed as a string of hyphenated hexadecimal digits as defined by RFC 4122. OSCAL documents use a version 4 UUID (randomly generated) to uniquely identify the document.
A <component-definition> contains the following elements:
<metadata>(required) - Provides document metadata for the component definition. This is covered in the next section to a limited extent. The metadata used here is similar to metadata for other OSCAL models, therefor is not described extensively in this tutorial.<import-component-definition>(optional) – Identifies a collection of external component definitions from other resources from which related information is referenced within this component definition. Use of<import-component-definition>is not covered in this tutorial.<component>(optional) - Defines a given component in the component definition. Zero or more<component>elements may be used. Use of this element is discussed later in this tutorial.<capability>(optional) - Defines a given capability in the component definition. Zero or more<capability>elements may be used. Capabilities are not covered in this tutorial.<back-matter>(optional) – Contains resources which are referenced within the component definition. Use of<back-matter>is not covered in this tutorial.
| |
The root of the OSCAL component definition model is component-definition. The uuid property (on line 3) is the document's universally unique identifier (UUID), a unique 128-bit number displayed as a string of hyphenated hexadecimal digits as defined by RFC 4122. OSCAL documents use a version 4 UUID (randomly generated) to uniquely identify the document.
A component-definition contains the following properties:
metadata(required) - Provides document metadata for the component definition. This is covered in the next section to a limited extent. The metadata used here is similar to metadata for other OSCAL models, therefor is not described extensively in this tutorial.import-component-definitions(optional) – Identifies a collection of external component definitions from other resources from which related information is referenced within this component definition. Use ofimport-component-definitionsis not covered in this tutorial.components(optional) - Groupscomponentobjects which each define a given component in the component definition. One or morecomponentobjects may be provided. Use of this property is discussed later in this tutorial.capabilities(optional) - Defines a group of given capabilities in the component definition. One or morecapabilityobjects may be used. Capabilities are not covered in this tutorial.back-matter(optional) – Contains references which are referenced within the component definition. Use ofback-matteris not covered in this tutorial.
| |
The root of the OSCAL component definition model is component-definition. The uuid key (on line 3) is the document's universally unique identifier (UUID), a unique 128-bit number displayed as a string of hyphenated hexadecimal digits as defined by RFC 4122. OSCAL documents use a version 4 UUID (randomly generated) to uniquely identify the document.
A component-definition contains the following keys:
metadata(required) - Provides document metadata for the component definition. This is covered in the next section to a limited extent. The metadata used here is similar to metadata for other OSCAL models, therefor is not described extensively in this tutorial.import-component-definitions(optional) – Identifies a collection of external component definitions from other resources from which related information is referenced within this component definition. Use ofimport-component-definitionsis not covered in this tutorial.components(optional) - Groupscomponentitems which define given component(s) in the component definition. One or morecomponentitems may be used. Use of this key is discussed later in this tutorial.capabilities(optional) - Defines a group of given capabilities in the component definition. One or morecapabilityitems may be used. Capabilities are not covered in this tutorial.back-matter(optional) – Contains references which are referenced within the component definition. Use ofback-matteris not covered in this tutorial.
For simplicity of this tutorial, we will only discuss certain data structures in the sections that follow and identify how they can be used to represent our component definition.
Defining the Component Definition’s Metadata
Most OSCAL models have a standard metadata syntax, therefore, this is not covered extensively in this tutorial. There are a few considerations however when authoring metadata for a component definition, such as the role and party data items illustrated in the example below.
| |
The <role> element defines a function assumed or expected to be assumed by a party in a specific situation. In this case the role provider has been standardized by OSCAL to be used for component definition authors. This element has a required @id attribute which expects an token data type. A <title> is also provided.
The <party> element represents either a person or organization that serves as the responsible entity. A party must have an associated @uuid which is used to reference this party, a <name> which provides a formal label, and a @type which defines the nature of the party. There are prescribed types, including "person", and "organization". In this case we are defining the MongoDB project as an organization. A pointer to the organization's website is also included.
| |
The roles property provides a grouping of role objects that each defines a function assumed or expected to be assumed by a party in a specific situation. In this case the role provider has been standardized by OSCAL to be used for component definition authors. This element has a required id attribute which expects an token data type. A title is also provided.
The parties property provides a grouping of party objects that each represent either a person or organization that serves as the responsible entity. A party must have an associated uuid which is used to reference this party, a name which provides a formal label, and a type which defines the nature of the party. There are prescribed types, including "person", and "organization". In this case we are defining the MongoDB project as an organization. A pointer to the organization's website is also included.
| |
The roles key provides a grouping of role items that each defines a function assumed or expected to be assumed by a party in a specific situation. In this case the role provider has been standardized by OSCAL to be used for component definition authors. A role item has a required id attribute which expects an token data type. A title is also provided.
The parties key provides a grouping of party objects that each represent either a person or organization that serves as the responsible entity. A party must have an associated uuid which is used to reference this party, a name which provides a formal label, and a type which defines the nature of the party. There are prescribed types, including "person", and "organization". In this case we are defining the MongoDB project as an organization. A pointer to the organization's website is also included.
Defining the MongoDB Component
Within the component definition model, components provide a way to describe subject assets which may be used as parts of an information system. A component allows potential control implementations to be described for an subject asset, which can then be used when implementing an information system. While components are optional in a component definition, a typical component definition will include at least one component. In this example, we'll demonstrate how the control implementation of the MongoDB software is represented using the OSCAL component definition model. The snippet below provides an example of the minimum data needed to define a component.
| |
A component is represented using the <component> element (on line 3). This element requires a unique identifier, which is provided using the @uuid attribute.
The required @type attribute categorizes the component by asset type. Some common examples include interconnection, hardware, software, service, policy, process/procedure, plan, guidance, standard, and validation. In our example, we’ll set the MongoDB component as the "software" type, since MongoDB is a software application.
Next, the component needs to have title and description elements that help to support human-readability of this information.
The optional <responsible-role> element can be used to reference one or more roles with responsibility for performing a function relative to the component. In this tutorial, will reference the provider and map this role to the mongoDB party.
| |
A component is represented in the components object array shown in line 4. Each component requires a unique identifier, which is provided using the uuid property.
The required type property categorizes the component by asset type. Some common examples include interconnection, hardware, software, service, policy, process/procedure, plan, guidance, standard, and validation. In our example, we’ll set the MongoDB component as the "software" type, since MongoDB is a software application.
Next, the component needs to have title and description properties that help to support human-readability of this information.
The optional responsible-roles property can be used to reference one or more roles with responsibility for performing a function relative to the component. In this tutorial, will reference the provider and map this role to the mongoDB party.
| |
A component is represented in the components object array shown in line 4. Each component requires a unique identifier, which is provided using the uuid property.
The required type key categorizes the component by asset type. Some common examples include interconnection, hardware, software, service, policy, process/procedure, plan, guidance, standard, and validation. In our example, we’ll set the MongoDB component to a "software" type.
Next, the component needs to have title and description keys that help to support human-readability of this information.
The optional responsible-roles key can be used to reference one or more roles with responsibility for performing a function relative to the component. In this tutorial, will reference the provider and map this role to the mongoDB party.
Defining Protocols Used in a Component
Another optional but valuable sub-element of <component> is <protocol>. Generally, <protocol> elements are applicable when dealing with a <component> of types "service", but they can also be provided for component types "software", "hardware", or "interconnection". In our example, we'll assume that installations of MongoDB will result in an installation of mongod (Mongo Daemon) which runs the MongoDB database as a process and uses the following protocols:
| Port | Transport | Direction | Description |
|---|---|---|---|
| 27017 | TCP | Inbound | The default port for mongod and mongos instances. |
| 27018 | TCP | Inbound | The default port when running with --shardsvr runtime operation. |
| 27019 | TCP | Inbound-Outbound | The default port when running with --configsvr runtime operation |
This is represented below.
| |
The <protocol> element has a mandatory @uuid and mandatory @name attribute that should be set to the common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. In this example, we set it to "mongodb", which is registered with IANA. The @name attribute accepts string data types and can be set to other values when there is no corresponding IANA service name for the port (e.g., lines 10 and 15). Descriptive text for the protocol can be provided using the title element. The <port-range> element is where we can specify the port number(s) and associated transport. If the protocol uses multiple contiguous port numbers, a single <port-range> element with start="27017" end="27019" is sufficient, however; when the component has several protocols, it is acceptable to have multiple <protocol> and <port-range> elements as shown in the example XML above.
| |
The protocols grouping has objects with mandatory uuid and mandatory name properties that should be set to the common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. In this example, we set it to "mongodb", which is registered with IANA. The name property accepts string data types and can be set to other values when there is no corresponding IANA service name for the port (e.g., lines 19 and 29). Descriptive text for the protocol can be provided using the title property. The port-ranges object grouping is where you can specify the port number(s) and associated transport. If the protocol uses multiple contiguous port numbers, a single port-ranges object with "start":"27017" and "end":"27019" is sufficient; however, when the component has several protocols, it is acceptable to have multiple protocols and port-ranges objects as shown in the example XML above.
| |
The protocols key has items with mandatory uuid and mandatory name keys that should be set to the common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. In this example, we set it to "mongodb", which is registered with IANA. The name key accepts string data types and can be set to other values when there is no corresponding IANA service name for the port (e.g., lines 17 and 24). Descriptive text for the protocol can be provided using the title key. The port-ranges key can contain items where you can specify the port number(s) and associated transport. If the protocol uses multiple contiguous port numbers, a single port-ranges key with start: 27017 and end: 27019 is sufficient; however, when the component has several protocols, it is acceptable to have multiple protocols and port-ranges items as shown in the example XML above.
Defining Control Implementation Details
By providing control implementation details in a component, information is provided about how the given component target can satisfy controls with an associated OSCAL catalog in general, or an associated OSCAL profile to describe how the component subject can satisfy controls from a specific baseline. In this example, we document how the MongoDB component may satisfy SC-8(1) which requires the implementation of cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
An example of providing control implementation details for SC-8(1) is provided below.
| |
To document this, we use the <control-implementation> element. This element requires a unique identifier, which is provided using the @uuid attribute. This element also has a @source attribute that is used to provide a URI reference to the appropriate OSCAL catalog or profile. The URI reference can be a URI, a relative reference, or a fragment that points to a <back-matter> resource. The <implemented-requirement> element on line 10 is where we can specify the control (e.g., SC-8(1)) and the implementation description. The <implemented-requirement> element also has its own unique identifier @uuid, and the control is specified in the @control-id attribute on line 12. We then use the <description> element to describe how this component can satisfy the specified control.
In the example above, we demonstrated how to use OSCAL to document the MongoDB software component's control implementation for NIST control SC-8(1). However, one could document how the same component also satisfies controls from other security risk management frameworks (e.g., FedRAMP, ISO 27002, etc.) by simply adding additional <control-implementation> elements for each catalog or profile. Likewise, for each <control-implementation>, we can add additional <implemented-requirement> elements for every control that can be implemented by the component. Additionally, we can address implementations at the control statement-level using the <statement> element, allowing implementation details to be provided in a more fine-grained way.
| |
To document this, we use the control-implementations grouping. Objects within this grouping require a unique identifier, which is provided using the uuid property. This object also has a source property that is used to provide a URI reference to the appropriate OSCAL catalog or profile. The URI reference can be a URI, a relative reference, or a fragment that points to a back-matter resource. The implemented-requirements grouping on line 12 is where we can specify the control (e.g., SC-8(1)) and the implementation description. Each object in the implemented-requirements grouping also has its own unique identifier uuid, and the control is specified using the control-id property on line 14. We then use the description property to describe how this component can satisfy the specified control.
In the example above, we demonstrated how to use OSCAL to document the MongoDB software component's control implementation for NIST control SC-8(1). However, one could document how the same component also satisfies controls from other security risk management frameworks (e.g., FedRAMP, ISO 27002, etc.) by simply adding additional control-implementations objects for each catalog or profile. Likewise, for each control-implementations object, we can add additional implemented-requirements objects for every control that can be implemented by the component. Additionally, we can address implementations at the control statement-level using the statements grouping, allowing implementation details to be provided in a more fine-grained way.
| |
To document this, we use the control-implementations key. Items associated with this key require a unique identifier, which is provided using the uuid key. These items also have a source key that is used to provide a URI reference to the appropriate OSCAL catalog or profile. The URI reference can be a URI, a relative reference, or a fragment that points to a back-matter resource. The implemented-requirements key on line 13 is where we can specify the control (e.g., SC-8(1)) and the implementation description. Each item under the implemented-requirements key also has its own unique identifier uuid, and the control is specified using the control-id key on line 15. We then use the description key to describe how this component can satisfy the specified control.
In the example above, we demonstrated how to use OSCAL to document the MongoDB software component's control implementation for NIST control SC-8(1). However, one could document how the same component also satisfies controls from other security risk management frameworks (e.g., FedRAMP, ISO 27002, etc.) by simply adding additional control-implementations items for each catalog or profile. Likewise, for each control-implementations item, we can add additional implemented-requirements items for every control that can be implemented by the component. Additionally, we can address implementations at the control statement-level using the statements key, allowing implementation details to be provided in a more fine-grained way.
The Final Component Definition
Combining all the content described in this tutorial, we can produce a completed component definition instance. Provided below are well-formed complete examples. Having these implementation details readily available in an OSCAL component definition means they can be used to populate an OSCAL SSP and should give SSP authors helpful content for their control implementation statements. These examples can also be downloaded in XML, JSON, and YAML.
| |
| |
| |
Summary
This concludes the tutorial. You should now be familiar with:
- The basic structure of a component definition in OSCAL.
- How to provide the basic metadata required in an OSCAL component definition.
- How to define a component within an OSCAL component definition.
- How to use the protocol elements in a component.
- How to specify the control implementation for a component.
For more information, you can review the OSCAL component definition model documentation.