Analyze New Default Control Origination Values in Core OSCAL #1502

Open
6 tasks
aj-stein-nist opened this issue Oct 11, 2022 · 4 comments
Labels
Aged A label for issues older than 2023-01-01 enhancement Scope: Modeling Issues targeted at development of OSCAL formats User Story

Comments

@aj-stein-nist
Contributor

aj-stein-nist commented Oct 11, 2022

User Story

As a security practitioner, in order to be able to more precisely define the origin of control requirements and who is responsible for their implementation, I would like to review and consider possible addition of default values for control origination for implemented requirements of a control in a control implementation of an SSP to support the notion of shared origin or that of a third-party/outsourced entity that is part of the service offered by a CSP and used in a customer's environment as part of that service.

This is a continuation of discussion during review of https://github.com/usnistgov/OSCAL/pull/1460/files#r988165640 to make this a dedicated work item in this issue and determine it outside the context of #784.

Goals

  • Analyze and model new origination concepts from ACSC ISM and other control catalogs different from that of NIST SP 800-53
  • Review potential options for the addition/removal of defaults
  • If additions or changes are required, implement them as part of a PR as a result of a recommendation to make necessary changes

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
@Compton-US
Contributor

Also, consider whether this crosses any paths with work on #1467 (Note to self)

@GaryGapinski

Per-control (as opposed to per-control-statement imperatives, or perhaps per-control-individual-objectives) control requirement origins (too bad the term origination was used) will be diverse (i.e., will vary by statement).

@aj-stein-nist
Contributor Author

I am not going to triage this one for now. Will review with the fuller triage group when Dave is back from leave. Thanks for the initial feedback, Gary.

@aj-stein-nist
Contributor Author

Not completed last sprint and not in scope for Sprint 63, moving to the backlog.

@Compton-US Compton-US added the Aged A label for issues older than 2023-01-01 label Nov 2, 2023
Projects
Status: Todo
Development

No branches or pull requests

4 participants