Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optional security-sensitivity-level #1798

Closed
5 tasks done
RS-Credentive opened this issue May 26, 2023 · 3 comments
Closed
5 tasks done

Optional security-sensitivity-level #1798

RS-Credentive opened this issue May 26, 2023 · 3 comments
Assignees
@iMichaela @Arminta-Jenkins-NIST
Labels
enhancement User Story

Comments

@RS-Credentive
Copy link

RS-Credentive commented May 26, 2023
edited by aj-stein-nist
Loading

User Story

As an OSCAL implementer, I need to be able to address different compliance regimes. These regimes will define security-sensitivity-level differently and often will not use FIPS 199 as a baseline. In some cases, the sensitivity level is deterministically related to the related control profile, so specifying both a profile and sensitivity level is unnecessary. The sensitivity level will automatically determine the profile, and the chosen profile implies the sensitivity level.

For example, a CA under the FPKI common policy will determine which certificate types and profiles should be issued, and the set of controls that apply to that CA are completely determined by the chosen certificate types. In this case, it is unnecessary and irrelevant to identify a security-sensitivity-level. Furthermore, if the individual or team completing the SSP chooses the wrong combination of security-sensitivity-level and profile, this is an error condition, and the SSP should be rejected as invalid.

Goals

Security-sensitivity-level and security-impact-level should be optional attributes.

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
  • An SSP without any security-sensitivity-level or security-impact-level defined should be processed as valid with NIST tooling
  • The schemas describing the SSP model should not mandate the presence of these attributes.

Revisions

No response
@aj-stein-nist
Copy link
Contributor

We have to consider short-term accommodation and long-term approach for supporting community needs.

  • In the short-term, we can:
    • confirm we to intend to support non-RMF (SP 800-37) properties
    • consider relaxing the schema for the security sensitivity level based on this short-term confirmation
  • In the long-term, we may need to:
    • document our long-term design principles, present and future
    • leverage the documented design principles for future cases similar to this

We are comfortable reviewing this for possible inclusion in upcoming sprints and not deferring this work. More to follow.

@iMichaela iMichaela self-assigned this Jul 6, 2023
@iMichaela
Copy link
Contributor

This issue (short-term approach) also addresses concerns raised by European OSCAL users as well. I worked today with @Arminta-Jenkins-NIST and show where to make the changes (against the develop branch). She needs to push the commit and submit the PR later today or tomorrow.

@iMichaela
Copy link
Contributor

@aj-stein-nist How do you want to document the long-term design principles in support of non-(NIST/FedRAMPP) processes and procedures?

@Arminta-Jenkins-NIST Arminta-Jenkins-NIST mentioned this issue Jul 7, 2023
Merged
6 tasks
Arminta-Jenkins-NIST added a commit that referenced this issue Jul 7, 2023
@Arminta-Jenkins-NIST
Added changes for #1798
11dbab4
@Arminta-Jenkins-NIST Arminta-Jenkins-NIST mentioned this issue Jul 7, 2023
Merged
6 tasks
@Arminta-Jenkins-NIST Arminta-Jenkins-NIST moved this from Todo to Under Review in NIST OSCAL Work Board Jul 7, 2023
@iMichaela iMichaela mentioned this issue Jul 8, 2023
Closed
8 tasks
@Compton-US Compton-US mentioned this issue Jul 10, 2023
Closed
aj-stein-nist pushed a commit that referenced this issue Jul 11, 2023
@Arminta-Jenkins-NIST @aj-stein-nist
Added changes for #1798
4e114c9
aj-stein-nist pushed a commit that referenced this issue Jul 11, 2023
@Arminta-Jenkins-NIST
Added changes for #1798 (#1842)
2d502f9
@aj-stein-nist aj-stein-nist moved this from Under Review to Done in NIST OSCAL Work Board Jul 27, 2023
@aj-stein-nist aj-stein-nist modified the milestone: v1.1.0 Jul 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@iMichaela iMichaela

@Arminta-Jenkins-NIST Arminta-Jenkins-NIST

Labels
enhancement User Story
Projects
NIST OSCAL Work Board
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@iMichaela @aj-stein-nist @Arminta-Jenkins-NIST @RS-Credentive