Integration with the Cyber Security Assessment and Management (CSAM) System
CSAM Integration
Reference: DoJ CSAM
Prep work
The CSAM integration relies upon a number of custom fields within RegScale. The code checks for these and
exits if they are missing. The fields are:
- Security Plans | Basic Tab:
  - acronym (text field)
  - FISMA Id (text field)
  - CSAM Id (text field)
  - Classification (select - Sensitive But Unclassified, Unclassified, Secret, Top Secret)
  - Contractor System (select - Yes, No)
  - FISMA Reportable (select - Yes, No)
  - Critical Infrastructure (select - Yes, No)
  - Mission Essential (select - Yes, No)
- Security Plans | Agency Defined Data Items (new tab)
  - (Create Custom Fields corresponding to the values in init.yaml csamAgencyDefinedDataItems)
- Security Plans | Financial Information (new tab)
  - Financial System (select - Financial, Non-Financial)
  - omb Exhibit (text field)
  - uii Code (text field)
  - Investment Name (text field)
  - Portfolio (text field)
  - Prior Fy Funding (dollar)
  - Current Fy Funding (dollar)
  - Next Fy Funding (dollar)
  - Funding Import Status (text)
- Security Plans | Status and Archive (new tab)
  - Risk Assessment Completed (date)
  - Risk Assessment Next Due Date (date)
  - Risk Assessment Expiration Date (date)
  - SSP Completed (date)
  - SSP Next Due Date (date)
  - CM Completed (date)
  - CM Next Due Date (date)
- Security Plans | Recovery Targets and Outcomes (new tab)
  - MTD (text)
  - RTO (text)
  - RPO (text)
- Security Plans | Privacy Details (new tab)
  - PIA Date (date)
  - PII (text)
  - PTA Date (date)
  - SORN Date (date)
  - SORN Status (text)
  - SORN Id (text)
- Security Plans | Authorization (new tab)
  - Authorization Process (text)
  - Initial Authorization Date (date)
  - ATO Date (date)
  - Authorization Next Due Date (date)
- Security Plans | Continuity and Incident Response (new tab)
  - BIA Completed (date)
  - BIA Next Due Date (date)
  - CP Completed (date)
  - CP Next Due Date (date)
  - CP Training Completed (date)
  - CP Training Next Due Date (date)
  - CP Test Next Due Date (date)
  - IRP Completed (date)
  - IRP Next Due Date (date)
  - IRP Training Completed (date)
  - IRP Training Due Date (date)
  - IRP Test Next Due Date (date)
  - CPR Completed (date)
  - CPR Next Due Date (date)
  - CPR Expiration Date (date)
  - Doc Review Completed (date)
  - Doc Review Next Due Date (date)
  - Doc Review Expiration Date (date)
- Security Plans | Continuity Tests (new tab)
  - CP Test Type (select - TableTop | Functional | Real-world | Call Tree)
  - CP Date Tested (date)
  - CP Test Outcome (select - Success, Failure)
  - CP RPO Achieved (text)
  - CP RTO Achieved (text)
  - IRP Test Type (select - TableTop | Functional | Real-world | Call Tree)
  - IRP Date Tested (date)
  - IRP Test Outcome (select - Success, Failure)
  - IRP RPO Achieved (text)
  - IRP RTO Achieved (text)
- Security Plans | Points of Contact (new tab)
  - Certifying Official (user)
  - Risk Executive (user)
  - Senior Information Security Officer (user)
  - Alternate Information System Security Officer (user)
  - Chief Information Security Officer (user)
  - Senior Information Systems Security Officer (user)
  - Technical Advisor (user)
- Interconnects | Basic Tab
  - Active (select - Yes | No)
  - Classification (text)
- Interconnects | Connections
  - External (select - Yes | No)
  - Protection (select - SSL |
init.yaml variables
- csamToken (string), example: "Bearer AAA..."
- csamURL (URL), example: "https://csam.abc.gov"
- csamAgencyDefinedDataItems (Dict): mapping of CSAM agency defined data items, from CSAM key name to RegScale custom field name.
  NOTE: The Agency Defined Data Items "High Value Asset", "Cloud System", and "Cloud Service Model" are built in and do not require inclusion in this list nor creation of custom fields.
  example:
      csamAgencyDefinedDataItems:
        AI/ML Component: AI-ML Component
- csamFilter (Dict): key/value pairs used to limit which CSAM systems are imported.
  Valid keys: id, name, acronym, organization, systemType, financialSystem, classification, contractorSystem, fismaReportable, criticalInfrastructure, missionCritical, uiiCode, portfolio, categorization, fundingStatus, operationalStatus
  example:
      csamFilter:
        organization: MGMT
        systemType: Major Application, General Support Service
        operationalStatus: Operational
- csamFrameworkCatalog (Dict): mapping of the CSAM Control Frameworks to RegScale Catalog Ids.
  example:
      csamFrameworkCatalog:
        800-53r5: 5
        800-53r4: 3
- csamArtifactTypes (List): artifact imports are limited to those whose artifactType matches an entry in this setting.
  example:
      csamArtifactTypes:
        - Appendices
        - Privacy Impact Assessment
        - Business Impact Assessment
Commands
test_csam
A utility for testing the connectivity with CSAM. No arguments. Reports a successful connection if the configuration keys are correct and the network connectivity is in place.
Command:
regscale csam test_csam
import_ssp
This is the main import for CSAM. It pulls the "systems" from CSAM and creates or updates Security Plans in RegScale.
With no filter, it imports all the plans in CSAM. Use csamFilter to limit this by key/value pair.
Each system in the result set is pulled and read in.
The list of applicable systems is then compared to the list of existing RegScale security plans by CSAM Id.
Matching SSPs are updated. Missing SSPs are added.
Command:
regscale csam import_ssp
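As an added illustration (not the RegScale CLI's own code), the following Python sketches the import_ssp flow described above: fail fast when required init.yaml keys are missing, apply csamFilter as key/value matching (treating a comma-separated value like the systemType example as "any of"), and reconcile the remaining systems against existing plans by CSAM Id. The CSAM record field names and all sample data are constructed assumptions.

```python
# Constructed stand-in for the init.yaml keys this page documents (values are placeholders).
INIT_YAML = {
    "csamToken": "Bearer PLACEHOLDER",
    "csamURL": "https://csam.example.gov",
    "csamFilter": {"organization": "MGMT", "operationalStatus": "Operational"},
    "csamFrameworkCatalog": {"800-53r5": 5, "800-53r4": 3},
}
REQUIRED_KEYS = ("csamToken", "csamURL")

# Constructed sample of a CSAM "systems" response; field names are assumed, not CSAM's real schema.
CSAM_SYSTEMS = [
    {"id": 101, "name": "Payroll", "organization": "MGMT", "operationalStatus": "Operational"},
    {"id": 102, "name": "Legacy HR", "organization": "MGMT", "operationalStatus": "Decommissioned"},
    {"id": 103, "name": "Grants", "organization": "OJP", "operationalStatus": "Operational"},
    {"id": 104, "name": "Case Mgmt", "organization": "MGMT", "operationalStatus": "Operational"},
]
# Constructed sample of existing RegScale security plans with their "CSAM Id" custom field.
REGSCALE_PLANS = [{"id": 7, "CSAM Id": "101"}, {"id": 8, "CSAM Id": "999"}]


def check_config(cfg):
    """Return the required init.yaml keys that are absent or empty (the CLI exits on these)."""
    return [k for k in REQUIRED_KEYS if not cfg.get(k)]


def apply_filter(systems, csam_filter):
    """Keep only systems whose fields match every key/value pair in csamFilter."""
    def matches(system):
        for key, wanted in csam_filter.items():
            allowed = {v.strip() for v in str(wanted).split(",")}  # "A, B" means A or B
            if str(system.get(key)) not in allowed:
                return False
        return True
    return [s for s in systems if matches(s)]


def reconcile(systems, plans):
    """Split systems into (system, existing plan) pairs to update and new systems to add."""
    by_csam_id = {p["CSAM Id"]: p for p in plans}
    update = [(s, by_csam_id[str(s["id"])]) for s in systems if str(s["id"]) in by_csam_id]
    add = [s for s in systems if str(s["id"]) not in by_csam_id]
    return update, add


def plan_import(cfg, systems, plans):
    """Dry-run of import_ssp: report which RegScale plan ids would be updated and which systems added."""
    missing = check_config(cfg)
    if missing:
        return {"error": f"missing init.yaml keys: {missing}"}
    update, add = reconcile(apply_filter(systems, cfg.get("csamFilter", {})), plans)
    return {"update": [p["id"] for _, p in update], "add": [s["id"] for s in add]}


if __name__ == "__main__":
    print(plan_import(INIT_YAML, CSAM_SYSTEMS, REGSCALE_PLANS))
```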
import_poam
This command imports Plans of Action and Milestones (POA&Ms) from CSAM into RegScale. It retrieves the POA&Ms from CSAM and adds them as Issues in RegScale marked as POA&M. It also imports POA&M milestones from CSAM.
With no filter, it imports all the plans in CSAM. Use csamFilter to limit this by key/value pair.
Command:
regscale csam import_poam
import_artifacts
This command imports Artifacts from CSAM into RegScale. It retrieves the artifact files from CSAM and adds them as Files in RegScale in each associated plan (see 'Subsystems\Files').
With no filter, it imports all the plans in CSAM. Use csamFilter to limit this by key/value pair.
With no artifact filter, it imports all artifacts in CSAM. Use csamArtifactTypes to limit the imports to specific artifact types.
Command:
regscale csam import_artifacts
