Review first draft of compliance matrix alignments #108

Open
SecurityCRob opened this issue Dec 13, 2024 · 5 comments
Labels: documentation (Improvements or additions to documentation), help wanted (Extra attention is needed)

Comments

@SecurityCRob (Contributor):

We have created a Compliance Crosswalk Matrix (1) to help see where our baseline criteria align with global frameworks, standards, and regulations. I started us off by looking at the EU CRA, NIST's SSDF, NIST's CSF, Security Insights, and I'm working through BP Badges. Eventually we'll need to do things like NIST 800-53, EU DORA, EU NIS/NIS2, ISO 2700x, etc.

I'd like feedback on the initial alignments from the community to ensure or correct my perspective. Did I account for and align things appropriately?

  • The "Crosswalk" tab is where everything ultimately is aggregated and will be displayed (until we debate the best ways to show our data... a future conversation). This is the meat of what I am looking for feedback on. Here I am keying off the OSPS criteria and showing "If you fulfill OSPS-AC-01, then you also get credit for SSDF requirement PO3.2 or CRA Annex 1.2d, etc."
  • Each framework/standard/reg has its own tab where I key off that standard to the OSPS. As we pull in more regs/frameworks, a tab such as this is where the mapping will start, and ultimately it will get added back into the "Crosswalk" tab. The data should be identical to the alignments in the 1st tab.

I'd love it if folks could look at this and ponder it, and then we can coordinate a live working session to work through the feedback together. I propose doing this in early January '25.

Thanks for your time, expertise, and collaboration on this!

(1) - https://docs.google.com/spreadsheets/d/1an5mx3rayoz3JRFUepD56zgprpwXBXBG70fVZvIMCpA/edit?gid=769418932#gid=769418932

@SecurityCRob SecurityCRob added documentation Improvements or additions to documentation help wanted Extra attention is needed labels Dec 13, 2024
@SecurityCRob (Contributor, Author):

Let's hash out the ultimate display method/location in this issue: #99

@TheFoxAtWork:

I've shared this with a number of folks hoping to get more eyes on this. Thank you so much @SecurityCRob and others for your efforts putting together this very large crosswalk.

@SecurityCRob (Contributor, Author):

We'll add SLSA and S2C2F to the matrix once criteria are firm.

@SecurityCRob (Contributor, Author) commented Jan 7, 2025:

We're still not sure what the ultimate final form for this will be. Markdown tables are terrible, external gsheets are also not great.

@eddie-knight (Contributor):

@SecurityCRob FWIW, we do have the yaml field for this—allows us to store a 1->n list of mappings for each criterion.
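The issue body states an invariant (each framework tab must hold exactly the same alignments as the aggregated "Crosswalk" tab) and the last comment points at a per-criterion 1->n mapping field as the source of truth. The following script, added here as an example and not part of the baseline project's tooling, checks that invariant and regenerates the per-framework view from the 1->n data; the sample data is constructed, with only OSPS-AC-01's mappings taken from the issue text and the OSPS-AC-02 row and PS1.1 control being placeholders.

```python
from collections import defaultdict

# Constructed sample data in the shape the issue describes, not the project's
# real matrix. OSPS-AC-01's mappings are the ones quoted in the issue; the
# OSPS-AC-02 row and the PS1.1 control are placeholders.
CROSSWALK = {                                   # criterion -> framework -> controls
    "OSPS-AC-01": {"SSDF": ["PO3.2"], "CRA": ["Annex 1.2d"]},
    "OSPS-AC-02": {"SSDF": ["PO3.2", "PS1.1"]},
}
FRAMEWORK_TABS = {                              # framework -> control -> criteria
    "SSDF": {"PO3.2": ["OSPS-AC-01", "OSPS-AC-02"], "PS1.1": ["OSPS-AC-02"]},
    "CRA": {"Annex 1.2d": ["OSPS-AC-01"]},
}


def crosswalk_pairs(crosswalk):
    """Flatten the crosswalk into (criterion, framework, control) triples."""
    return {(c, fw, ctl) for c, fws in crosswalk.items()
            for fw, ctls in fws.items() for ctl in ctls}


def tab_pairs(tabs):
    """Flatten the per-framework tabs into the same triples."""
    return {(c, fw, ctl) for fw, ctls in tabs.items()
            for ctl, crits in ctls.items() for c in crits}


def find_mismatches(crosswalk, tabs):
    """Triples present in only one view: (only_in_crosswalk, only_in_tabs)."""
    a, b = crosswalk_pairs(crosswalk), tab_pairs(tabs)
    return sorted(a - b), sorted(b - a)


def invert_crosswalk(crosswalk):
    """Regenerate the per-framework tabs from the 1->n field, so the tabs
    are derived from the crosswalk instead of being maintained by hand."""
    tabs = defaultdict(lambda: defaultdict(list))
    for c, fw, ctl in sorted(crosswalk_pairs(crosswalk)):
        tabs[fw][ctl].append(c)
    return {fw: dict(ctls) for fw, ctls in tabs.items()}


def credited_controls(crosswalk, satisfied):
    """Controls a project earns credit for, given the criteria it satisfies."""
    out = defaultdict(set)
    for c, fw, ctl in crosswalk_pairs(crosswalk):
        if c in satisfied:
            out[fw].add(ctl)
    return {fw: sorted(ctls) for fw, ctls in out.items()}
```

Run `find_mismatches(CROSSWALK, FRAMEWORK_TABS)` before publishing a new revision of the matrix; a non-empty result names the exact (criterion, framework, control) triples that drifted between the two views.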
