Creating a Component Definition
This tutorial covers creating a basic OSCAL component definition. Before reading this tutorial you should:
- Have some familiarity with the XML, JSON, or YAML formats.
- Read the OSCAL implementation layer overview.
- Review the OSCAL component definition model overview.
- Be familiar with the use of OSCAL properties and links.
What is an OSCAL Component Definition?
An OSCAL component definition contains a collection of components. Each component in a component definition describes how a given implementation of a hardware, software, service, policy, process, or procedure asset can support or provide implementations of specific controls. The asset described by a component in a component definition is called a component subject"* in this tutorial.
By publishing a set of components in a component definition, product and service vendors, capability owners, policy and process owners, and others can share control implementation information for a component subject they maintain. The information about a component subject can then be used when implementing that subject in an information system. This allows the control narrative for the subject to be imported into the System Security Plan (SSP).
It is important to note that component definitions do not describe actual implementations; rather, component definitions describe possible implementations which can be instantiated within an information system. Thus, component definitions serve as references with content that can be (re)used (e.g., in the SSP OSCAL model) to develop comprehensive and consistent control implementations within an SSP.
In this tutorial, we will walk through the process of creating an OSCAL component definition model instance for MongoDB. Our goal is to demonstrate how to provide standard control implementations for the benefit of system owners and SSP authors that use a similar software application.
As potential components in information systems that may need to meet the OMB A-130 Authorization to Operate requirements, the component definition in this tutorial will show proper implementation of a couple NIST SP 800-53 rev 5 controls deemed necessary for high, moderate, or low impact systems. While this example focuses on NIST controls, the same approach could be applied to any catalog of controls (e.g., ISO/IEC 27002).
For the purposes of this tutorial we'll presume the MongoDB component can partially or fully satisfy the following controls:
NIST 800-53 rev5 Control | Description |
---|---|
SA-4(9) | Acquisition Process - Functions, Ports, Protocols, and Services in Use |
SC-8(1) | Transmission Confidentiality and Integrity |
This tutorial demonstrates how to document a set of implemented controls as an OSCAL component definition for these controls.
Creating an OSCAL Component Definition Instance
The examples below illustrate the top-level structure of the OSCAL Component Definition Model.
|
|
The root of the OSCAL component definition model is <component-definition>
. Note that the schema location attribute is omitted for this example. The @uuid
attribute (on line 3) is the document's universally unique identifier (UUID), a unique 128-bit number displayed as a string of hyphenated hexadecimal digits as defined by RFC 4122. OSCAL documents use a version 4 UUID (randomly generated) to uniquely identify the document.
A <component-definition>
contains the following elements:
<metadata>
(required) - Provides document metadata for the component definition. This is covered in the next section to a limited extent. The metadata used here is similar to metadata for other OSCAL models, therefor is not described extensively in this tutorial.<import-component-definition>
(optional) – Identifies a collection of external component definitions from other resources from which related information is referenced within this component definition. Use of<import-component-definition>
is not covered in this tutorial.<component>
(optional) - Defines a given component in the component definition. Zero or more<component>
elements may be used. Use of this element is discussed later in this tutorial.<capability>
(optional) - Defines a given capability in the component definition. Zero or more<capability>
elements may be used. Capabilities are not covered in this tutorial.<back-matter>
(optional) – Contains resources which are referenced within the component definition. Use of<back-matter>
is not covered in this tutorial.
|
|
The root of the OSCAL component definition model is component-definition
. The uuid
property (on line 3) is the document's universally unique identifier (UUID), a unique 128-bit number displayed as a string of hyphenated hexadecimal digits as defined by RFC 4122. OSCAL documents use a version 4 UUID (randomly generated) to uniquely identify the document.
A component-definition
contains the following properties:
metadata
(required) - Provides document metadata for the component definition. This is covered in the next section to a limited extent. The metadata used here is similar to metadata for other OSCAL models, therefor is not described extensively in this tutorial.import-component-definitions
(optional) – Identifies a collection of external component definitions from other resources from which related information is referenced within this component definition. Use ofimport-component-definitions
is not covered in this tutorial.components
(optional) - Groupscomponent
objects which each define a given component in the component definition. One or morecomponent
objects may be provided. Use of this property is discussed later in this tutorial.capabilities
(optional) - Defines a group of given capabilities in the component definition. One or morecapability
objects may be used. Capabilities are not covered in this tutorial.back-matter
(optional) – Contains references which are referenced within the component definition. Use ofback-matter
is not covered in this tutorial.
|
|
The root of the OSCAL component definition model is component-definition
. The uuid
key (on line 3) is the document's universally unique identifier (UUID), a unique 128-bit number displayed as a string of hyphenated hexadecimal digits as defined by RFC 4122. OSCAL documents use a version 4 UUID (randomly generated) to uniquely identify the document.
A component-definition
contains the following keys:
metadata
(required) - Provides document metadata for the component definition. This is covered in the next section to a limited extent. The metadata used here is similar to metadata for other OSCAL models, therefor is not described extensively in this tutorial.import-component-definitions
(optional) – Identifies a collection of external component definitions from other resources from which related information is referenced within this component definition. Use ofimport-component-definitions
is not covered in this tutorial.components
(optional) - Groupscomponent
items which define given component(s) in the component definition. One or morecomponent
items may be used. Use of this key is discussed later in this tutorial.capabilities
(optional) - Defines a group of given capabilities in the component definition. One or morecapability
items may be used. Capabilities are not covered in this tutorial.back-matter
(optional) – Contains references which are referenced within the component definition. Use ofback-matter
is not covered in this tutorial.
For simplicity of this tutorial, we will only discuss certain data structures in the sections that follow and identify how they can be used to represent our component definition.
Defining the Component Definition’s Metadata
Most OSCAL models have a standard metadata syntax, therefore, this is not covered extensively in this tutorial. There are a few considerations however when authoring metadata for a component definition, such as the role
and party
data items illustrated in the example below.
|
|
The <role>
element defines a function assumed or expected to be assumed by a party in a specific situation. In this case the role provider
has been standardized by OSCAL to be used for component definition authors. This element has a required @id
attribute which expects an token data type. A <title>
is also provided.
The <party>
element represents either a person or organization that serves as the responsible entity. A party must have an associated @uuid
which is used to reference this party, a <name>
which provides a formal label, and a @type
which defines the nature of the party. There are prescribed types, including "person", and "organization". In this case we are defining the MongoDB project as an organization. A pointer to the organization's website is also included.
|
|
The roles
property provides a grouping of role objects that each defines a function assumed or expected to be assumed by a party in a specific situation. In this case the role provider
has been standardized by OSCAL to be used for component definition authors. This element has a required id
attribute which expects an token data type. A title
is also provided.
The parties
property provides a grouping of party objects that each represent either a person or organization that serves as the responsible entity. A party must have an associated uuid
which is used to reference this party, a name
which provides a formal label, and a type
which defines the nature of the party. There are prescribed types, including "person", and "organization". In this case we are defining the MongoDB project as an organization. A pointer to the organization's website is also included.
|
|
The roles
key provides a grouping of role items that each defines a function assumed or expected to be assumed by a party in a specific situation. In this case the role provider
has been standardized by OSCAL to be used for component definition authors. A role item has a required id
attribute which expects an token data type. A title
is also provided.
The parties
key provides a grouping of party objects that each represent either a person or organization that serves as the responsible entity. A party must have an associated uuid
which is used to reference this party, a name
which provides a formal label, and a type
which defines the nature of the party. There are prescribed types, including "person", and "organization". In this case we are defining the MongoDB project as an organization. A pointer to the organization's website is also included.
Defining the MongoDB Component
Within the component definition model, components provide a way to describe subject assets which may be used as parts of an information system. A component allows potential control implementations to be described for an subject asset, which can then be used when implementing an information system. While components are optional in a component definition, a typical component definition will include at least one component. In this example, we'll demonstrate how the control implementation of the MongoDB software is represented using the OSCAL component definition model. The snippet below provides an example of the minimum data needed to define a component.
|
|
A component is represented using the <component>
element (on line 3). This element requires a unique identifier, which is provided using the @uuid
attribute.
The required @type
attribute categorizes the component by asset type. Some common examples include interconnection, hardware, software, service, policy, process/procedure, plan, guidance, standard, and validation. In our example, we’ll set the MongoDB component as the "software" type, since MongoDB is a software application.
Next, the component needs to have title and description elements that help to support human-readability of this information.
The optional <responsible-role>
element can be used to reference one or more roles with responsibility for performing a function relative to the component. In this tutorial, will reference the provider
and map this role to the mongoDB party.
|
|
A component is represented in the components object array shown in line 4. Each component requires a unique identifier, which is provided using the uuid
property.
The required type
property categorizes the component by asset type. Some common examples include interconnection, hardware, software, service, policy, process/procedure, plan, guidance, standard, and validation. In our example, we’ll set the MongoDB component as the "software" type, since MongoDB is a software application.
Next, the component needs to have title and description properties that help to support human-readability of this information.
The optional responsible-roles
property can be used to reference one or more roles with responsibility for performing a function relative to the component. In this tutorial, will reference the provider
and map this role to the mongoDB party.
|
|
A component is represented in the components object array shown in line 4. Each component requires a unique identifier, which is provided using the uuid
property.
The required type
key categorizes the component by asset type. Some common examples include interconnection, hardware, software, service, policy, process/procedure, plan, guidance, standard, and validation. In our example, we’ll set the MongoDB component to a "software" type.
Next, the component needs to have title and description keys that help to support human-readability of this information.
The optional responsible-roles
key can be used to reference one or more roles with responsibility for performing a function relative to the component. In this tutorial, will reference the provider
and map this role to the mongoDB party.
Defining Protocols Used in a Component
Another optional but valuable sub-element of <component>
is <protocol>
. Generally, <protocol>
elements are applicable when dealing with a <component>
of types "service", but they can also be provided for component types "software", "hardware", or "interconnection". In our example, we'll assume that installations of MongoDB will result in an installation of mongod (Mongo Daemon) which runs the MongoDB database as a process and uses the following protocols:
Port | Transport | Direction | Description |
---|---|---|---|
27017 | TCP | Inbound | The default port for mongod and mongos instances. |
27018 | TCP | Inbound | The default port when running with --shardsvr runtime operation. |
27019 | TCP | Inbound-Outbound | The default port when running with --configsvr runtime operation |
This is represented below.
|
|
The <protocol>
element has a mandatory @uuid
and mandatory @name
attribute that should be set to the common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. In this example, we set it to "mongodb", which is registered with IANA. The @name
attribute accepts string data types and can be set to other values when there is no corresponding IANA service name for the port (e.g., lines 10 and 15). Descriptive text for the protocol can be provided using the title
element. The <port-range>
element is where we can specify the port number(s) and associated transport. If the protocol uses multiple contiguous port numbers, a single <port-range>
element with start="27017" end="27019"
is sufficient, however; when the component has several protocols, it is acceptable to have multiple <protocol>
and <port-range>
elements as shown in the example XML above.
|
|
The protocols
grouping has objects with mandatory uuid
and mandatory name
properties that should be set to the common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. In this example, we set it to "mongodb", which is registered with IANA. The name
property accepts string data types and can be set to other values when there is no corresponding IANA service name for the port (e.g., lines 19 and 29). Descriptive text for the protocol can be provided using the title
property. The port-ranges
object grouping is where you can specify the port number(s) and associated transport. If the protocol uses multiple contiguous port numbers, a single port-ranges
object with "start":"27017"
and "end":"27019"
is sufficient; however, when the component has several protocols, it is acceptable to have multiple protocols
and port-ranges
objects as shown in the example XML above.
|
|
The protocols
key has items with mandatory uuid
and mandatory name
keys that should be set to the common name of the protocol, which should be the appropriate "service name" from the IANA Service Name and Transport Protocol Port Number Registry. In this example, we set it to "mongodb", which is registered with IANA. The name
key accepts string data types and can be set to other values when there is no corresponding IANA service name for the port (e.g., lines 17 and 24). Descriptive text for the protocol can be provided using the title
key. The port-ranges
key can contain items where you can specify the port number(s) and associated transport. If the protocol uses multiple contiguous port numbers, a single port-ranges
key with start: 27017
and end: 27019
is sufficient; however, when the component has several protocols, it is acceptable to have multiple protocols
and port-ranges
items as shown in the example XML above.
Defining Control Implementation Details
By providing control implementation details in a component, information is provided about how the given component target can satisfy controls with an associated OSCAL catalog in general, or an associated OSCAL profile to describe how the component subject can satisfy controls from a specific baseline. In this example, we document how the MongoDB component may satisfy SC-8(1) which requires the implementation of cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
An example of providing control implementation details for SC-8(1) is provided below.
|
|
To document this, we use the <control-implementation>
element. This element requires a unique identifier, which is provided using the @uuid
attribute. This element also has a @source
attribute that is used to provide a URI reference to the appropriate OSCAL catalog or profile. The URI reference can be a URI, a relative reference, or a fragment that points to a <back-matter>
resource. The <implemented-requirement>
element on line 10 is where we can specify the control (e.g., SC-8(1)) and the implementation description. The <implemented-requirement>
element also has its own unique identifier @uuid
, and the control is specified in the @control-id
attribute on line 12. We then use the <description>
element to describe how this component can satisfy the specified control.
In the example above, we demonstrated how to use OSCAL to document the MongoDB software component's control implementation for NIST control SC-8(1). However, one could document how the same component also satisfies controls from other security risk management frameworks (e.g., FedRAMP, ISO 27002, etc.) by simply adding additional <control-implementation>
elements for each catalog or profile. Likewise, for each <control-implementation>
, we can add additional <implemented-requirement>
elements for every control that can be implemented by the component. Additionally, we can address implementations at the control statement-level using the <statement>
element, allowing implementation details to be provided in a more fine-grained way.
|
|
To document this, we use the control-implementations
grouping. Objects within this grouping require a unique identifier, which is provided using the uuid
property. This object also has a source
property that is used to provide a URI reference to the appropriate OSCAL catalog or profile. The URI reference can be a URI, a relative reference, or a fragment that points to a back-matter
resource. The implemented-requirements
grouping on line 12 is where we can specify the control (e.g., SC-8(1)) and the implementation description. Each object in the implemented-requirements
grouping also has its own unique identifier uuid
, and the control is specified using the control-id
property on line 14. We then use the description
property to describe how this component can satisfy the specified control.
In the example above, we demonstrated how to use OSCAL to document the MongoDB software component's control implementation for NIST control SC-8(1). However, one could document how the same component also satisfies controls from other security risk management frameworks (e.g., FedRAMP, ISO 27002, etc.) by simply adding additional control-implementations
objects for each catalog or profile. Likewise, for each control-implementations
object, we can add additional implemented-requirements
objects for every control that can be implemented by the component. Additionally, we can address implementations at the control statement-level using the statements
grouping, allowing implementation details to be provided in a more fine-grained way.
|
|
To document this, we use the control-implementations
key. Items associated with this key require a unique identifier, which is provided using the uuid
key. These items also have a source
key that is used to provide a URI reference to the appropriate OSCAL catalog or profile. The URI reference can be a URI, a relative reference, or a fragment that points to a back-matter
resource. The implemented-requirements
key on line 13 is where we can specify the control (e.g., SC-8(1)) and the implementation description. Each item under the implemented-requirements
key also has its own unique identifier uuid
, and the control is specified using the control-id
key on line 15. We then use the description
key to describe how this component can satisfy the specified control.
In the example above, we demonstrated how to use OSCAL to document the MongoDB software component's control implementation for NIST control SC-8(1). However, one could document how the same component also satisfies controls from other security risk management frameworks (e.g., FedRAMP, ISO 27002, etc.) by simply adding additional control-implementations
items for each catalog or profile. Likewise, for each control-implementations
item, we can add additional implemented-requirements
items for every control that can be implemented by the component. Additionally, we can address implementations at the control statement-level using the statements
key, allowing implementation details to be provided in a more fine-grained way.
The Final Component Definition
Combining all the content described in this tutorial, we can produce a completed component definition instance. Provided below are well-formed complete examples. Having these implementation details readily available in an OSCAL component definition means they can be used to populate an OSCAL SSP and should give SSP authors helpful content for their control implementation statements. These examples can also be downloaded in XML, JSON, and YAML.
|
|
|
|
|
|
Summary
This concludes the tutorial. You should now be familiar with:
- The basic structure of a component definition in OSCAL.
- How to provide the basic metadata required in an OSCAL component definition.
- How to define a component within an OSCAL component definition.
- How to use the protocol elements in a component.
- How to specify the control implementation for a component.
For more information, you can review the OSCAL component definition model documentation.