Annotate NIST SP800-53r5 controls with data from Appendix C #197

Open
3 tasks
jaspetry opened this issue May 11, 2023 · 1 comment
Labels
enhancement The issue adds a new feature, capability, or artifact to the repository. User Story The issue is a user story for a development task.

Comments

@jaspetry

User Story:

As an OSCAL user, I would like the NIST SP800-53r5 electronic control catalog to incorporate, within the OSCAL representation of the catalog, the additional data contained within the Summary tables of Appendix C of the PDF version. This data would consist of the "Implemented By" notional guidance (either organization, system or both), and whether or not the control provides assurance (the "Assurance" column). This would probably best be handled as additional properties of the control objects.

Goals:

For any (not withdrawn) SP800-53r5 control, it would be possible, in a machine consumable way, to determine if the control is listed as providing assurance within Appendix C of the PDF version, and whether the control is indicated as typically implemented by the organization, the system, or both/either the organization and system. If implemented using properties on the control, then the properties of control 'ac-1' might appear as below.

props:
  - name: label
    value: AC-1
  - name: label
    value: AC-01
    class: sp800-53a
  - name: sort-id
    value: ac-01
  - name: implemented-by
    value: org  # rather than 'sys' or 'org/sys'
  - name: provides-assurance
    value: y  # property could just be absent for controls not indicated.

Dependencies:

None known.

Acceptance Criteria

  • All readme documentation affected by the changes in this issue has been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
@jaspetry jaspetry added enhancement The issue adds a new feature, capability, or artifact to the repository. User Story The issue is a user story for a development task. labels May 11, 2023
@wendellpiez
Contributor

@jaspetry take a look at #174 where this work is staged (thanks to @aj-stein-nist and others) -- and please review the PR, thanks!
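
A sketch of what the "machine consumable" goal in the issue would allow a consumer to do, added here as an example and not code from the issue or the repository: it walks an OSCAL catalog in its JSON form, skips withdrawn controls, and reports the two proposed properties per control. The property names and values (`implemented-by`, `provides-assurance`, `org`/`sys`/`org/sys`, `y`) are the issue's proposal and are assumptions; the sample catalog and the `ex-*` control ids are constructed, and all function names are hypothetical.

```python
# Property names and values follow the issue's proposal (assumptions, not
# names confirmed in the published catalog).
IMPLEMENTED_BY = "implemented-by"          # proposed: 'org', 'sys' or 'org/sys'
PROVIDES_ASSURANCE = "provides-assurance"  # proposed: 'y', or absent
ALLOWED_IMPLEMENTERS = {"org", "sys", "org/sys"}

# Constructed sample in OSCAL catalog shape; only ac-1 mirrors the issue text.
SAMPLE_CATALOG = {"catalog": {"groups": [{"id": "ex", "controls": [
    {"id": "ac-1", "props": [
        {"name": "label", "value": "AC-1"},
        {"name": "label", "value": "AC-01", "class": "sp800-53a"},
        {"name": IMPLEMENTED_BY, "value": "org"},
        {"name": PROVIDES_ASSURANCE, "value": "y"}]},
    {"id": "ex-2", "props": [{"name": IMPLEMENTED_BY, "value": "org/sys"}],
     "controls": [
        {"id": "ex-2.1", "props": [{"name": IMPLEMENTED_BY, "value": "sys"}]},
        {"id": "ex-2.2", "props": [{"name": "status", "value": "withdrawn"}]}]},
    {"id": "ex-3", "props": [{"name": IMPLEMENTED_BY, "value": "system"}]},
]}]}}

def iter_controls(node):
    """Yield every control below a catalog, group or control, depth first."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)

def prop(control, name):
    """Return the value of the first prop with this name, else None."""
    for p in control.get("props", []):
        if p.get("name") == name:
            return p.get("value")
    return None

def appendix_c_view(catalog):
    """Return ({control id: (implemented_by, assurance)}, [(id, bad value)])."""
    view, problems = {}, []
    for control in iter_controls(catalog["catalog"]):
        if prop(control, "status") == "withdrawn":
            continue  # the issue scopes the annotation to non-withdrawn controls
        who = prop(control, IMPLEMENTED_BY)
        if who not in ALLOWED_IMPLEMENTERS:
            problems.append((control["id"], who))  # missing or unexpected value
            continue
        view[control["id"]] = (who, prop(control, PROVIDES_ASSURANCE) == "y")
    return view, problems

if __name__ == "__main__":
    print(appendix_c_view(SAMPLE_CATALOG))
```

The `problems` list is the useful part for a catalog reviewer: any non-withdrawn control that lacks the annotation, or carries a value outside the proposed set, is reported instead of being silently defaulted.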

Projects
Status: Needs Triage