SlideShare una empresa de Scribd logo

Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS

MEDINA
MEDINA

The document discusses the EU Cybersecurity Scheme for Cloud Services (EUCS) and its requirements for continuous monitoring and certification. It introduces the MEDINA project, funded by the EU, which aims to develop a framework for achieving continuous audit-based certification aligned with the EUCS through continuous monitoring. The project will leverage the Open Security Controls Assessment Language (OSCAL) for machine-readable representation of security controls and certificates. It seeks collaboration with NIST on further development and adoption of OSCAL to support its goals.

Tecnología
1 de 21
Descargar para leer sin conexión
Paving the Road Towards Continuous Certification: OSCAL and the EUCS Jesus Luna Garcia (Robert Bosch GmbH) This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952633
Agenda Background • EU Cybersecurity Scheme for Cloud Services (EUCS) • Continuous Monitoring in the EUCS EC Funded H2020 MEDINA Project • From Continuous Monitoring to Continuous Certification • High-Level Approach and Architecture • Leveraging OSCAL Summary and Next Steps US NIST - OSCAL Workshop Feb-3rd, 2021
Background European Union Cybersecurity Certification Scheme for Cloud Services US NIST - OSCAL Workshop Feb-3rd, 2021
What is the EUCS? The EU Cybersecurity Act (EUCSA, April-2019), proposes the creation an EU-wide cybersecurity certification framework in order to: • increase the use of cybersecurity certification in Europe • go beyond national schemes and offer mutual recognition at European level • enable customers to make informed decisions about cybersecurity. ENISA (EU Agency for Cybersecurity) organized an AdHoc WG to prepare the candidate Cybersecurity Certification Scheme for Cloud Services (EUCS). Feb-3rd, 2021 US NIST - OSCAL Workshop
What is the EUCS? The EUCS defines: • rules for the management of certificates, • requirements for security controls, • levels of assurance, and • assessment processes. EUCS focuses on certifying cloud services (see ISO/IEC 17788), including composition of sub-services. Security requirements in EUSA are based on standards (e.g., BSI C5, SecNumCloud, ISO/IEC 270xx). Feb-3rd, 2021 US NIST - OSCAL Workshop
What is the EUCS? Levels of Assurance Feb-3rd, 2021 US NIST - OSCAL Workshop Minimise the known basic risks of incidents and cyberattacks (low risk profile) • Limited assurance • Self-assessment reviewed by a third-party • Focus on the definition and existence of procedures and mechanisms Minimise the risk of state-of- the-art cyberattacks carried out by actors with significant skills and resources (elevated risk profile) • Reasonable assurance • Design and operating effectiveness • Continuous (automated) monitoring of compliance Minimise known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources (medium risk profile) • Reasonable assurance • Design and operating effectiveness • Functional testing ‘basic’ level ‘substantial’ level ‘high’ level 🤞 👍 👮
Continuous Monitoring in the EUCS Definition of “Continuous (Automated) Monitoring” in the EUCS: The requirements related to continuous monitoring typically mention “automated monitoring” or “automatically monitor” in their text. The intended meaning of “monitor automatically” is: 1. Gather data to analyse some aspects of the activity being monitored at discrete intervals at a sufficient frequency; 2. Compare the gathered data to a reference or otherwise determine conformity to specified requirements in the EUCS scheme; 3. Report deviations to subject matter experts who can analyse the deviations in a timely manner; 4. If the deviation indicates a nonconformity, then initiate a process for fixing the nonconformity; and 5. If the nonconformity is major, notify the CAB of the issue, analysis, and planned resolution. These requirements stop short on requiring any notion of continuous auditing, because technologies have not reached an adequate level of maturity. Nevertheless, the introduction of continuous auditing, at least for level High, remains a mid- or long-term objective, and the introduction of automated monitoring requirement in at least some areas is a first step in that direction, which can be met with the technology available today. Feb-3rd, 2021 US NIST - OSCAL Workshop Only for HIGH Assurance!
Continuous Monitoring in the EUCS Examples of “High” assurance requirements, related to “continuous monitoring” Feb-3rd, 2021 US NIST - OSCAL Workshop
Continuous Monitoring in the EUCS Feb-3rd, 2021 US NIST - OSCAL Workshop
H2020 MEDINA Security framework to achieve a continuous audit-based certification in compliance with the EUCS Funded by Feb-3rd, 2021 US NIST - OSCAL Workshop
MEDINA Project Objective Feb-3rd, 2021 US NIST - OSCAL Workshop Provide a holistic framework that enhances cloud customers’ control and trust in consumed cloud services, by supporting CSPs (IaaS, PaaS and SaaS providers) towards the successful achievement of a continuous certification aligned to the EU Cybersecurity Act (EUCSA).
From Continuous Monitoring to Continuous Certification DevOps IT Security Governance Internal Auditors • Security Posture Management tools provide our internal stakeholders with “continuous” compliance data. • Bosch-internal deployment (since mid- 2019), monitors >28,000 cloud resources for compliance with our internal ISO/IEC 27001-based security control framework. Feb-3rd, 2021 US NIST - OSCAL Workshop
From Continuous Monitoring to Continuous Certification Feb-3rd, 2021 US NIST - OSCAL Workshop External Auditor
From Continuous Monitoring to Continuous Certification Feb-3rd, 2021 US NIST - OSCAL Workshop External Auditor (EUCS) Certification funded by
MEDINA At a Glance 1st November 2020 – 30th October 2023 EU Budget 4,480,308.75€ Feb-3rd, 2021 US NIST - OSCAL Workshop
MEDINA Approach Feb-3rd, 2021 US NIST - OSCAL Workshop OSCAL?
High-Level Architecture (wip) Feb-3rd, 2021 US NIST - OSCAL Workshop OSCAL?
Leveraging OSCAL (early thoughts) Machine-readable representation of security controls (e.g., EUCS, BSI C5). • Both for technical and organizational measures. Metrics descriptions (relationship with NIST SP 500-307?) for assessing compliance with security controls. Machine-readable certificate format. Policy-language for managing the certificate‘s life-cycle. Support for standardization roadmap and industrial adoption e.g., Gaia-X. Feb-3rd, 2021 US NIST - OSCAL Workshop
Summary and Next Steps What comes next? Feb-3rd, 2021 US NIST - OSCAL Workshop
Summary and Next Steps The upcoming EUCS will promote the adoption of continuous compliance monitoring for cloud services in Europe. MEDINA seeks to bridge the gap between continuous compliance monitoring, and continuous certification. OSCAL seems to be a strong candidate for fulfilling our requirements related to machine-readable formats in MEDINA. § Strong interest in OSCAL from other EU cloud initiatives like Gaia-X. We are looking forward to a fruiful collaboration with US NIST on the topic of OSCAL! Feb-3rd, 2021 US NIST - OSCAL Workshop
Thank you! www.medina-project.eu // jesus.lunagarcia@de.bosch.com

Recomendados

Medina general presentation
Medina general presentationMedina general presentation
Medina general presentationMEDINA
 
First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...MEDINA
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSMaitena Ilardia
 
SerIot Hypothesis Testing Module
SerIot Hypothesis Testing ModuleSerIot Hypothesis Testing Module
SerIot Hypothesis Testing ModuleSerIoT project
 
ARIES Project Presentation
ARIES Project PresentationARIES Project Presentation
ARIES Project PresentationNicolás Notario
 
SerIoT: Penetration testing
SerIoT: Penetration testing SerIoT: Penetration testing
SerIoT: Penetration testing SerIoT project
 
Multi Agent Anomaly detection Module
Multi Agent Anomaly detection Module Multi Agent Anomaly detection Module
Multi Agent Anomaly detection Module SerIoT project
 
SerIoT: Formal Verification
SerIoT: Formal VerificationSerIoT: Formal Verification
SerIoT: Formal VerificationSerIoT project
 

Recomendados

Medina general presentation
Medina general presentationMedina general presentation
Medina general presentationMEDINA
 
First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...First Impressions on Experimenting with Automated Monitoring Requirements of ...
First Impressions on Experimenting with Automated Monitoring Requirements of ...MEDINA
 
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSDay2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS
Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCSMaitena Ilardia
 
SerIot Hypothesis Testing Module
SerIot Hypothesis Testing ModuleSerIot Hypothesis Testing Module
SerIot Hypothesis Testing ModuleSerIoT project
 
ARIES Project Presentation
ARIES Project PresentationARIES Project Presentation
ARIES Project PresentationNicolás Notario
 
SerIoT: Penetration testing
SerIoT: Penetration testing SerIoT: Penetration testing
SerIoT: Penetration testing SerIoT project
 
Multi Agent Anomaly detection Module
Multi Agent Anomaly detection Module Multi Agent Anomaly detection Module
Multi Agent Anomaly detection Module SerIoT project
 
SerIoT: Formal Verification
SerIoT: Formal VerificationSerIoT: Formal Verification
SerIoT: Formal VerificationSerIoT project
 
Cognitive Packet Network with Software Defined Networks using the Random Neur...
Cognitive Packet Network with Software Defined Networks using the Random Neur...Cognitive Packet Network with Software Defined Networks using the Random Neur...
Cognitive Packet Network with Software Defined Networks using the Random Neur...SerIoT project
 
5G Info Day
5G Info Day5G Info Day
5G Info DayThe Knowledge Transfer Network Creative, Digital & Design
 
13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)IJNSA Journal
 
Solent Cyber Security Cluster Event 2, ACE/UoS Presentation
Solent Cyber Security Cluster Event 2, ACE/UoS PresentationSolent Cyber Security Cluster Event 2, ACE/UoS Presentation
Solent Cyber Security Cluster Event 2, ACE/UoS PresentationNine23Ltd
 
Medicine2.0'10 Van Ooteghem
Medicine2.0'10 Van OoteghemMedicine2.0'10 Van Ooteghem
Medicine2.0'10 Van Ooteghemsmartcareplatform
 
2019 04-08 hopu-aj
2019 04-08 hopu-aj2019 04-08 hopu-aj
2019 04-08 hopu-ajOpen & Agile Smart Cities
 
13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)pijans
 
Call for papers - 13th International Conference on Network Security & Appli...
Call for papers - 13th International Conference on Network Security & Appli...Call for papers - 13th International Conference on Network Security & Appli...
Call for papers - 13th International Conference on Network Security & Appli...IJNSA Journal
 
Cyberwatching - Niccolo Zazzeri
Cyberwatching - Niccolo Zazzeri Cyberwatching - Niccolo Zazzeri
Cyberwatching - Niccolo Zazzeri ATMOSPHERE .
 
EOSC-hub & RCauth.eu presentation
EOSC-hub & RCauth.eu presentationEOSC-hub & RCauth.eu presentation
EOSC-hub & RCauth.eu presentationEOSC-hub project
 
Antonio kung impact of ai on privacy sept 10
Antonio kung impact of ai on privacy sept 10Antonio kung impact of ai on privacy sept 10
Antonio kung impact of ai on privacy sept 10Privacy Data Protection for Engineering
 
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...ATMOSPHERE .
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fimArchiver
 
SerIoT Traffic Generator and Detector of malicious traffic patterns
SerIoT Traffic Generator and Detector of malicious traffic patternsSerIoT Traffic Generator and Detector of malicious traffic patterns
SerIoT Traffic Generator and Detector of malicious traffic patternsHITSerIoTProject
 
Granular or holistic approaches - Antonio Kung
Granular or holistic approaches - Antonio KungGranular or holistic approaches - Antonio Kung
Granular or holistic approaches - Antonio KungPrivacy Data Protection for Engineering
 
Long term security evolution of ai and data protection antonio kung trialog...
Long term security evolution of ai and data protection antonio kung trialog...Long term security evolution of ai and data protection antonio kung trialog...
Long term security evolution of ai and data protection antonio kung trialog...Privacy Data Protection for Engineering
 
Ipen 2019 roma status of privacy engineering standardisation v2
Ipen 2019 roma status of privacy engineering standardisation v2Ipen 2019 roma status of privacy engineering standardisation v2
Ipen 2019 roma status of privacy engineering standardisation v2Privacy Data Protection for Engineering
 
Antonio kung - pdp4e privacy engineering oxford sept 9 - v2
Antonio kung - pdp4e privacy engineering oxford sept 9 - v2Antonio kung - pdp4e privacy engineering oxford sept 9 - v2
Antonio kung - pdp4e privacy engineering oxford sept 9 - v2Privacy Data Protection for Engineering
 
6th International Conference on Cryptography and Information Security (CRIS 2...
6th International Conference on Cryptography and Information Security (CRIS 2...6th International Conference on Cryptography and Information Security (CRIS 2...
6th International Conference on Cryptography and Information Security (CRIS 2...IJNSA Journal
 
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...MEDINA
 
Automation-based Certification for Cloud Services in Euro
Automation-based Certification for Cloud Services in EuroAutomation-based Certification for Cloud Services in Euro
Automation-based Certification for Cloud Services in EuroMEDINA
 
MEDINA Brochure 2022.pdf
MEDINA Brochure 2022.pdfMEDINA Brochure 2022.pdf
MEDINA Brochure 2022.pdfMEDINA
 

Más contenido relacionado

La actualidad más candente

Cognitive Packet Network with Software Defined Networks using the Random Neur...
Cognitive Packet Network with Software Defined Networks using the Random Neur...Cognitive Packet Network with Software Defined Networks using the Random Neur...
Cognitive Packet Network with Software Defined Networks using the Random Neur...SerIoT project
 
13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)IJNSA Journal
 
Solent Cyber Security Cluster Event 2, ACE/UoS Presentation
Solent Cyber Security Cluster Event 2, ACE/UoS PresentationSolent Cyber Security Cluster Event 2, ACE/UoS Presentation
Solent Cyber Security Cluster Event 2, ACE/UoS PresentationNine23Ltd
 
13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)pijans
 
Call for papers - 13th International Conference on Network Security & Appli...
Call for papers - 13th International Conference on Network Security & Appli...Call for papers - 13th International Conference on Network Security & Appli...
Call for papers - 13th International Conference on Network Security & Appli...IJNSA Journal
 
Cyberwatching - Niccolo Zazzeri
Cyberwatching - Niccolo Zazzeri Cyberwatching - Niccolo Zazzeri
Cyberwatching - Niccolo Zazzeri ATMOSPHERE .
 
EOSC-hub & RCauth.eu presentation
EOSC-hub & RCauth.eu presentationEOSC-hub & RCauth.eu presentation
EOSC-hub & RCauth.eu presentationEOSC-hub project
 
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...ATMOSPHERE .
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fimArchiver
 
SerIoT Traffic Generator and Detector of malicious traffic patterns
SerIoT Traffic Generator and Detector of malicious traffic patternsSerIoT Traffic Generator and Detector of malicious traffic patterns
SerIoT Traffic Generator and Detector of malicious traffic patternsHITSerIoTProject
 
Long term security evolution of ai and data protection antonio kung trialog...
Long term security evolution of ai and data protection antonio kung trialog...Long term security evolution of ai and data protection antonio kung trialog...
Long term security evolution of ai and data protection antonio kung trialog...Privacy Data Protection for Engineering
 
6th International Conference on Cryptography and Information Security (CRIS 2...
6th International Conference on Cryptography and Information Security (CRIS 2...6th International Conference on Cryptography and Information Security (CRIS 2...
6th International Conference on Cryptography and Information Security (CRIS 2...IJNSA Journal
 

La actualidad más candente (19)

Cognitive Packet Network with Software Defined Networks using the Random Neur...
Cognitive Packet Network with Software Defined Networks using the Random Neur...Cognitive Packet Network with Software Defined Networks using the Random Neur...
Cognitive Packet Network with Software Defined Networks using the Random Neur...
 
5G Info Day
5G Info Day5G Info Day
5G Info Day
 
13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)
 
Solent Cyber Security Cluster Event 2, ACE/UoS Presentation
Solent Cyber Security Cluster Event 2, ACE/UoS PresentationSolent Cyber Security Cluster Event 2, ACE/UoS Presentation
Solent Cyber Security Cluster Event 2, ACE/UoS Presentation
 
Medicine2.0'10 Van Ooteghem
Medicine2.0'10 Van OoteghemMedicine2.0'10 Van Ooteghem
Medicine2.0'10 Van Ooteghem
 
2019 04-08 hopu-aj
2019 04-08 hopu-aj2019 04-08 hopu-aj
2019 04-08 hopu-aj
 
13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)13th International Conference on Network Security & Applications (CNSA 2020)
13th International Conference on Network Security & Applications (CNSA 2020)
 
Call for papers - 13th International Conference on Network Security & Appli...
Call for papers - 13th International Conference on Network Security & Appli...Call for papers - 13th International Conference on Network Security & Appli...
Call for papers - 13th International Conference on Network Security & Appli...
 
Cyberwatching - Niccolo Zazzeri
Cyberwatching - Niccolo Zazzeri Cyberwatching - Niccolo Zazzeri
Cyberwatching - Niccolo Zazzeri
 
EOSC-hub & RCauth.eu presentation
EOSC-hub & RCauth.eu presentationEOSC-hub & RCauth.eu presentation
EOSC-hub & RCauth.eu presentation
 
Antonio kung impact of ai on privacy sept 10
Antonio kung impact of ai on privacy sept 10Antonio kung impact of ai on privacy sept 10
Antonio kung impact of ai on privacy sept 10
 
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...
A Proposal to Apply a Risk Assessment Methodology for IoT Systems to a Smart ...
 
20190523 archiver fim
20190523 archiver fim20190523 archiver fim
20190523 archiver fim
 
SerIoT Traffic Generator and Detector of malicious traffic patterns
SerIoT Traffic Generator and Detector of malicious traffic patternsSerIoT Traffic Generator and Detector of malicious traffic patterns
SerIoT Traffic Generator and Detector of malicious traffic patterns
 
Granular or holistic approaches - Antonio Kung
Granular or holistic approaches - Antonio KungGranular or holistic approaches - Antonio Kung
Granular or holistic approaches - Antonio Kung
 
Long term security evolution of ai and data protection antonio kung trialog...
Long term security evolution of ai and data protection antonio kung trialog...Long term security evolution of ai and data protection antonio kung trialog...
Long term security evolution of ai and data protection antonio kung trialog...
 
Ipen 2019 roma status of privacy engineering standardisation v2
Ipen 2019 roma status of privacy engineering standardisation v2Ipen 2019 roma status of privacy engineering standardisation v2
Ipen 2019 roma status of privacy engineering standardisation v2
 
Antonio kung - pdp4e privacy engineering oxford sept 9 - v2
Antonio kung - pdp4e privacy engineering oxford sept 9 - v2Antonio kung - pdp4e privacy engineering oxford sept 9 - v2
Antonio kung - pdp4e privacy engineering oxford sept 9 - v2
 
6th International Conference on Cryptography and Information Security (CRIS 2...
6th International Conference on Cryptography and Information Security (CRIS 2...6th International Conference on Cryptography and Information Security (CRIS 2...
6th International Conference on Cryptography and Information Security (CRIS 2...
 

Similar a Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS

TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...MEDINA
 
Automation-based Certification for Cloud Services in Euro
Automation-based Certification for Cloud Services in EuroAutomation-based Certification for Cloud Services in Euro
Automation-based Certification for Cloud Services in EuroMEDINA
 
MEDINA Brochure 2022.pdf
MEDINA Brochure 2022.pdfMEDINA Brochure 2022.pdf
MEDINA Brochure 2022.pdfMEDINA
 
Paving the road towards continuous auditbased certification for cloud service...
Paving the road towards continuous auditbased certification for cloud service...Paving the road towards continuous auditbased certification for cloud service...
Paving the road towards continuous auditbased certification for cloud service...MEDINA
 
MEDINA General Presentation
MEDINA General PresentationMEDINA General Presentation
MEDINA General PresentationMEDINA
 
MEDINA project brochure 2021
MEDINA project brochure 2021MEDINA project brochure 2021
MEDINA project brochure 2021MEDINA
 
MEDINA brochure 2023
MEDINA brochure 2023MEDINA brochure 2023
MEDINA brochure 2023MEDINA
 
Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...
Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...
Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...MEDINA
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Javier Tallón
 
Medina general presentation
Medina general presentationMedina general presentation
Medina general presentationMEDINA
 
Medina general presentation
Medina general presentationMedina general presentation
Medina general presentationMEDINA
 
MEDINA ESG (Expert Stakeholder Group) presentation
MEDINA ESG (Expert Stakeholder Group) presentationMEDINA ESG (Expert Stakeholder Group) presentation
MEDINA ESG (Expert Stakeholder Group) presentationMEDINA
 
Parallel session: trust and identity
Parallel session: trust and identityParallel session: trust and identity
Parallel session: trust and identityJisc
 
MEDINA: Standardization to enable continuous cloud cybersecurity certification
MEDINA: Standardization to enable continuous cloud cybersecurity certificationMEDINA: Standardization to enable continuous cloud cybersecurity certification
MEDINA: Standardization to enable continuous cloud cybersecurity certificationMEDINA
 
Qo E E2 E6 Slotevent Programma
Qo E E2 E6 Slotevent ProgrammaQo E E2 E6 Slotevent Programma
Qo E E2 E6 Slotevent Programmaimec.archive
 
The role of IP in the digital transformation
The role of IP in the digital transformationThe role of IP in the digital transformation
The role of IP in the digital transformationMIPLM
 
CCCAB - Making CABs life easy
CCCAB - Making CABs life easyCCCAB - Making CABs life easy
CCCAB - Making CABs life easyJavier Tallón
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and productsJavier Tallón
 

Similar a Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS (20)

TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
TAS-S Seminar “From Continuous Monitoring to Continuous Cloud Cybersecurity C...
 
Automation-based Certification for Cloud Services in Euro
Automation-based Certification for Cloud Services in EuroAutomation-based Certification for Cloud Services in Euro
Automation-based Certification for Cloud Services in Euro
 
MEDINA Brochure 2022.pdf
MEDINA Brochure 2022.pdfMEDINA Brochure 2022.pdf
MEDINA Brochure 2022.pdf
 
Paving the road towards continuous auditbased certification for cloud service...
Paving the road towards continuous auditbased certification for cloud service...Paving the road towards continuous auditbased certification for cloud service...
Paving the road towards continuous auditbased certification for cloud service...
 
MEDINA General Presentation
MEDINA General PresentationMEDINA General Presentation
MEDINA General Presentation
 
MEDINA project brochure 2021
MEDINA project brochure 2021MEDINA project brochure 2021
MEDINA project brochure 2021
 
MEDINA brochure 2023
MEDINA brochure 2023MEDINA brochure 2023
MEDINA brochure 2023
 
Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...
Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...
Towards Continuous Security Compliance in the Cloud Continuum -MEDINA Project...
 
Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...Cross standard and scheme composition - A needed cornerstone for the European...
Cross standard and scheme composition - A needed cornerstone for the European...
 
Medina general presentation
Medina general presentationMedina general presentation
Medina general presentation
 
Medina general presentation
Medina general presentationMedina general presentation
Medina general presentation
 
MEDINA ESG (Expert Stakeholder Group) presentation
MEDINA ESG (Expert Stakeholder Group) presentationMEDINA ESG (Expert Stakeholder Group) presentation
MEDINA ESG (Expert Stakeholder Group) presentation
 
Parallel session: trust and identity
Parallel session: trust and identityParallel session: trust and identity
Parallel session: trust and identity
 
MEDINA: Standardization to enable continuous cloud cybersecurity certification
MEDINA: Standardization to enable continuous cloud cybersecurity certificationMEDINA: Standardization to enable continuous cloud cybersecurity certification
MEDINA: Standardization to enable continuous cloud cybersecurity certification
 
Qo E E2 E6 Slotevent Programma
Qo E E2 E6 Slotevent ProgrammaQo E E2 E6 Slotevent Programma
Qo E E2 E6 Slotevent Programma
 
The role of IP in the digital transformation
The role of IP in the digital transformationThe role of IP in the digital transformation
The role of IP in the digital transformation
 
CCCAB - Making CABs life easy
CCCAB - Making CABs life easyCCCAB - Making CABs life easy
CCCAB - Making CABs life easy
 
Simplify Operations
Simplify OperationsSimplify Operations
Simplify Operations
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
NTT i3 at OpenStack Summit - May 20th, 2015
NTT i3 at OpenStack Summit - May 20th, 2015NTT i3 at OpenStack Summit - May 20th, 2015
NTT i3 at OpenStack Summit - May 20th, 2015
 

Más de MEDINA

Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...MEDINA
 
Whitepaper MEDINA Metric Recommender NLP
Whitepaper MEDINA Metric Recommender NLPWhitepaper MEDINA Metric Recommender NLP
Whitepaper MEDINA Metric Recommender NLPMEDINA
 
Whitepaper MEDINA CNL
Whitepaper MEDINA CNLWhitepaper MEDINA CNL
Whitepaper MEDINA CNLMEDINA
 
Whitepaper EUROSCAL MEDINA
Whitepaper EUROSCAL MEDINAWhitepaper EUROSCAL MEDINA
Whitepaper EUROSCAL MEDINAMEDINA
 
Assessing the Trustworthiness of AI Systems
Assessing the Trustworthiness of AI SystemsAssessing the Trustworthiness of AI Systems
Assessing the Trustworthiness of AI SystemsMEDINA
 
MEDINA - towards continuous (automated) certification of cloud services in Eu...
MEDINA - towards continuous (automated) certification of cloud services in Eu...MEDINA - towards continuous (automated) certification of cloud services in Eu...
MEDINA - towards continuous (automated) certification of cloud services in Eu...MEDINA
 
Whitepaper MEDINA Architecture
Whitepaper MEDINA ArchitectureWhitepaper MEDINA Architecture
Whitepaper MEDINA ArchitectureMEDINA
 

Más de MEDINA (7)

Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
 
Whitepaper MEDINA Metric Recommender NLP
Whitepaper MEDINA Metric Recommender NLPWhitepaper MEDINA Metric Recommender NLP
Whitepaper MEDINA Metric Recommender NLP
 
Whitepaper MEDINA CNL
Whitepaper MEDINA CNLWhitepaper MEDINA CNL
Whitepaper MEDINA CNL
 
Whitepaper EUROSCAL MEDINA
Whitepaper EUROSCAL MEDINAWhitepaper EUROSCAL MEDINA
Whitepaper EUROSCAL MEDINA
 
Assessing the Trustworthiness of AI Systems
Assessing the Trustworthiness of AI SystemsAssessing the Trustworthiness of AI Systems
Assessing the Trustworthiness of AI Systems
 
MEDINA - towards continuous (automated) certification of cloud services in Eu...
MEDINA - towards continuous (automated) certification of cloud services in Eu...MEDINA - towards continuous (automated) certification of cloud services in Eu...
MEDINA - towards continuous (automated) certification of cloud services in Eu...
 
Whitepaper MEDINA Architecture
Whitepaper MEDINA ArchitectureWhitepaper MEDINA Architecture
Whitepaper MEDINA Architecture
 

Último

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Último (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Day2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS

  • 1. Paving the Road Towards Continuous Certification: OSCAL and the EUCS Jesus Luna Garcia (Robert Bosch GmbH) This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952633
  • 2. Agenda Background • EU Cybersecurity Scheme for Cloud Services (EUCS) • Continuous Monitoring in the EUCS EC Funded H2020 MEDINA Project • From Continuous Monitoring to Continuous Certification • High-Level Approach and Architecture • Leveraging OSCAL Summary and Next Steps US NIST - OSCAL Workshop Feb-3rd, 2021
  • 3. Background European Union Cybersecurity Certification Scheme for Cloud Services US NIST - OSCAL Workshop Feb-3rd, 2021
  • 4. What is the EUCS? The EU Cybersecurity Act (EUCSA, April-2019), proposes the creation an EU-wide cybersecurity certification framework in order to: • increase the use of cybersecurity certification in Europe • go beyond national schemes and offer mutual recognition at European level • enable customers to make informed decisions about cybersecurity. ENISA (EU Agency for Cybersecurity) organized an AdHoc WG to prepare the candidate Cybersecurity Certification Scheme for Cloud Services (EUCS). Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 5. What is the EUCS? The EUCS defines: • rules for the management of certificates, • requirements for security controls, • levels of assurance, and • assessment processes. EUCS focuses on certifying cloud services (see ISO/IEC 17788), including composition of sub-services. Security requirements in EUSA are based on standards (e.g., BSI C5, SecNumCloud, ISO/IEC 270xx). Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 6. What is the EUCS? Levels of Assurance Feb-3rd, 2021 US NIST - OSCAL Workshop Minimise the known basic risks of incidents and cyberattacks (low risk profile) • Limited assurance • Self-assessment reviewed by a third-party • Focus on the definition and existence of procedures and mechanisms Minimise the risk of state-of- the-art cyberattacks carried out by actors with significant skills and resources (elevated risk profile) • Reasonable assurance • Design and operating effectiveness • Continuous (automated) monitoring of compliance Minimise known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources (medium risk profile) • Reasonable assurance • Design and operating effectiveness • Functional testing ‘basic’ level ‘substantial’ level ‘high’ level 🤞 👍 👮
  • 7. Continuous Monitoring in the EUCS Definition of “Continuous (Automated) Monitoring” in the EUCS: The requirements related to continuous monitoring typically mention “automated monitoring” or “automatically monitor” in their text. The intended meaning of “monitor automatically” is: 1. Gather data to analyse some aspects of the activity being monitored at discrete intervals at a sufficient frequency; 2. Compare the gathered data to a reference or otherwise determine conformity to specified requirements in the EUCS scheme; 3. Report deviations to subject matter experts who can analyse the deviations in a timely manner; 4. If the deviation indicates a nonconformity, then initiate a process for fixing the nonconformity; and 5. If the nonconformity is major, notify the CAB of the issue, analysis, and planned resolution. These requirements stop short on requiring any notion of continuous auditing, because technologies have not reached an adequate level of maturity. Nevertheless, the introduction of continuous auditing, at least for level High, remains a mid- or long-term objective, and the introduction of automated monitoring requirement in at least some areas is a first step in that direction, which can be met with the technology available today. Feb-3rd, 2021 US NIST - OSCAL Workshop Only for HIGH Assurance!
  • 8. Continuous Monitoring in the EUCS Examples of “High” assurance requirements, related to “continuous monitoring” Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 9. Continuous Monitoring in the EUCS Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 10. H2020 MEDINA Security framework to achieve a continuous audit-based certification in compliance with the EUCS Funded by Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 11. MEDINA Project Objective Feb-3rd, 2021 US NIST - OSCAL Workshop Provide a holistic framework that enhances cloud customers’ control and trust in consumed cloud services, by supporting CSPs (IaaS, PaaS and SaaS providers) towards the successful achievement of a continuous certification aligned to the EU Cybersecurity Act (EUCSA).
  • 12. From Continuous Monitoring to Continuous Certification DevOps IT Security Governance Internal Auditors • Security Posture Management tools provide our internal stakeholders with “continuous” compliance data. • Bosch-internal deployment (since mid- 2019), monitors >28,000 cloud resources for compliance with our internal ISO/IEC 27001-based security control framework. Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 13. From Continuous Monitoring to Continuous Certification Feb-3rd, 2021 US NIST - OSCAL Workshop External Auditor
  • 14. From Continuous Monitoring to Continuous Certification Feb-3rd, 2021 US NIST - OSCAL Workshop External Auditor (EUCS) Certification funded by
  • 15. MEDINA At a Glance 1st November 2020 – 30th October 2023 EU Budget 4,480,308.75€ Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 16. MEDINA Approach Feb-3rd, 2021 US NIST - OSCAL Workshop OSCAL?
  • 17. High-Level Architecture (wip) Feb-3rd, 2021 US NIST - OSCAL Workshop OSCAL?
  • 18. Leveraging OSCAL (early thoughts) Machine-readable representation of security controls (e.g., EUCS, BSI C5). • Both for technical and organizational measures. Metrics descriptions (relationship with NIST SP 500-307?) for assessing compliance with security controls. Machine-readable certificate format. Policy-language for managing the certificate‘s life-cycle. Support for standardization roadmap and industrial adoption e.g., Gaia-X. Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 19. Summary and Next Steps What comes next? Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 20. Summary and Next Steps The upcoming EUCS will promote the adoption of continuous compliance monitoring for cloud services in Europe. MEDINA seeks to bridge the gap between continuous compliance monitoring, and continuous certification. OSCAL seems to be a strong candidate for fulfilling our requirements related to machine-readable formats in MEDINA. § Strong interest in OSCAL from other EU cloud initiatives like Gaia-X. We are looking forward to a fruiful collaboration with US NIST on the topic of OSCAL! Feb-3rd, 2021 US NIST - OSCAL Workshop
  • 21. Thank you! www.medina-project.eu // jesus.lunagarcia@de.bosch.com