The ABC of Ontological Security Compliance Mapping

Whew. I just crawled to the finish line with the most complex documents I’ve seen since perusing DoD manuals for repairing field artillery. The documents are from a Gaithersburg company called Eigenspace, and they focus on pre-processing of System Security Plans (SSPs) and other artifacts using natural language processing, artificial intelligence, neural cognitive mapping, and dynamic risk calculations to identify security compliance gaps.

The Eigenspace method is based on a comprehensive security control ontology that they’ve designed and twisted into the shape of a tetradecagon. (Before I tell you, take a moment to guess how many sides a tetradecagon has. Got your guess? OK, it’s fourteen.) Anyway, each angle of the tetradecagon corresponds to a different security compliance framework, which then allows ingested SSP documents to be tossed up against the shape to see what sticks.

Now for some acronyms: The fourteen sides of the tetradecagon (try saying that word five times fast) are referred to collectively as the Eigenspace–Cyber Order of Operations Methodology (E–COoOM). The Eigenspace commercial as-a-service tool is based on the Eigenspace Cyber Landscape Analysis Insight Report (ÉCLAIR). And the objective of this acronym soup is Cyber Security Order of Operations (CSOoO). Got that? (Quiz next week.)

The fourteen components of the COoOM (angles on the tetradecagon) include Active Controls, Required Controls, OMB Circular A-130 Controls, Cyber Security Framework (CSF), CSF Identify (CSFI), CSF Protect (CSFP), CSF Detect (CSFD), CSF Respond (CSFR), CSF Recover (CSFR), Privacy Controls (Privacy Act, HIPAA, HITECH), Assurance Security Controls, FISMA Potential Controls, FISMA Selected Controls (Control Type Analysis), and Legal Controls (DoJ, FBI, CJIS). (By the way, Eigenspace continually updates its research and now includes 40 angles in the E–COoOM.)

More taxonomy porn: The analysis maps you to one of eight Cyber Semantic Landscape Ontology and Taxonomy (CSLOT) levels: Domain Awareness, Cyber Risk Compliance and Information Assurance, Cyber Order of Operations Methodology, Common Cyber Threat, Cyber Vulnerability Reporting, Cyber Artifact Repository, Cyber Resiliency Review, and Deep Analysis. (Eigenspace makes acronyms of these, but I just couldn’t bring myself to do it.)

I asked for an example and the Eigenspace folks sent me the 41-page output from an ICS PLC Advisory. (And I’m too tired to expand those acronyms. Go look ‘em up.) The example produced an output for the Advisory that showed 17 of 17 Active Controls covered (100% score), 3 of 17 Required Controls covered (17.65% score), 5 of 17 OMB A-130 Controls covered (23.53% score), and so on. It seems pretty self-evident how useful this might be.
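To make the "tossed up against the shape" idea concrete, here is a small Python gap-analysis sketch. It is an added illustration written for this post, not Eigenspace's code and not the output of their tool: it pulls control identifiers out of a constructed artifact excerpt, checks them against three of the tetradecagon's angles, and reports coverage score plus the missing controls for each. The control IDs are real NIST SP 800-53 identifiers, but which IDs belong to which angle, and the artifact text itself, are constructed assumptions for the example, so the scores it produces are its own and not the advisory's.

```python
import re
from dataclasses import dataclass

# Constructed sample standing in for an SSP / advisory excerpt. The prose is made up;
# the control identifiers it mentions are real NIST SP 800-53 control IDs.
SAMPLE_ARTIFACT = """
Access is governed by AC-1, AC-2, AC-3, AC-5, AC-6 and AC-7 (see ac-7 for lockout).
Auditing follows AU-2, AU-3, AU-6 and AU-12; configuration per CM-2, CM-6, CM-7.
Identification and authentication: IA-2, IA-5. Boundary protection SC-7, monitoring SI-4.
Incident handling is described under IR-4.
"""

# Constructed mapping of three "angles" of the ontology to control sets (17 each).
# Which controls belong to which angle is an assumption for this example only.
FRAMEWORK_CONTROLS = {
    "Active Controls": {
        "AC-1", "AC-2", "AC-3", "AC-5", "AC-6", "AC-7", "AU-2", "AU-3", "AU-6",
        "AU-12", "CM-2", "CM-6", "CM-7", "IA-2", "IA-5", "SC-7", "SI-4",
    },
    "Required Controls": {
        "AC-2", "AU-6", "IR-4", "CA-2", "CA-7", "CP-2", "CP-9", "IR-8", "MP-6",
        "PE-3", "PL-2", "PS-3", "RA-3", "RA-5", "SA-4", "SA-11", "SR-2",
    },
    "OMB A-130 Controls": {
        "AC-1", "AU-2", "IA-2", "SC-7", "SI-4", "AT-2", "AT-3", "CA-3", "CP-4",
        "IR-2", "MA-2", "PE-6", "PM-1", "PM-9", "SA-8", "SC-8", "SI-2",
    },
}

# Two-letter family, dash, number: "AC-2", "si-4". Case-insensitive so sloppy
# artifact text still maps to the canonical identifier.
CONTROL_ID = re.compile(r"\b([A-Z]{2})-(\d+)\b", re.IGNORECASE)


def extract_controls(text):
    """Return the set of control IDs mentioned in free text, normalised to 'AC-2' form."""
    return {f"{fam.upper()}-{int(num)}" for fam, num in CONTROL_ID.findall(text)}


@dataclass(frozen=True)
class Coverage:
    framework: str
    covered: frozenset
    missing: frozenset

    @property
    def total(self):
        return len(self.covered) + len(self.missing)

    @property
    def score(self):
        """Percentage of the angle's controls the artifact touches, two decimals."""
        return round(100 * len(self.covered) / self.total, 2) if self.total else 0.0


def coverage_report(text, frameworks=FRAMEWORK_CONTROLS):
    """Map an artifact against every angle and return {angle name: Coverage}."""
    found = extract_controls(text)
    return {
        name: Coverage(name, frozenset(found & required), frozenset(required - found))
        for name, required in frameworks.items()
    }


if __name__ == "__main__":
    for cov in coverage_report(SAMPLE_ARTIFACT).values():
        print(f"{cov.framework}: {len(cov.covered)} of {cov.total} covered ({cov.score}%)")
        if cov.missing:
            print("  gaps:", ", ".join(sorted(cov.missing)))
```

The useful output is the gap list, not the percentage: the score tells you how far an artifact is from an angle, while the sorted `missing` set is the list someone actually has to go write SSP text for. A real pre-processor would also need to handle enhancements such as AC-2(1) and controls referenced by name rather than ID, which this regex deliberately ignores.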

Now. If you’ve actually read this far, then I suspect you are either a masochist, or you work for the Federal Government in the area of information security compliance. (And yes, I understand that the second thing implies the first.) So, I have the suspicion that you will see value in all this geometric and acronym-laden complexity. Let’s face it: Pre-processing SSPs and artifacts requires complex underlying ontologies. There is no way around it.

I'll leave it to you to decide whether this type of tool is for you. The folks at Eigenspace are just outside the beltway, and if you can brave the traffic to Gaithersburg, I suspect it would be worth your while to visit them. Look – if they can save some of the drudgery of mapping your SSPs and artifacts to controls, then I say hire them yesterday. And, as always, after you meet with them, share your learning. (But please – no more acronyms.)