Explore CISecurity collaboration #15

Open
JonZeolla opened this issue Jul 29, 2022 · 5 comments
@JonZeolla
Member

It seems that CISecurity is working on OSCAL for their benchmarks. Looking to set up collaboration conversations.

@JonZeolla JonZeolla self-assigned this Jul 29, 2022
@JonZeolla
Member Author

Pending an introduction by Zeal

@xee5ch
Contributor

xee5ch commented Aug 3, 2022

FYI, their baselines control catalog (sorry, no, I misspoke; I assume baselines might mean something specific and different than how I use it) are already public and they accept feedback via GH issues.

https://github.com/CISecurity/CISControls_OSCAL/

@JonZeolla
Member Author

Intro has been sent, working on initial discussion

@JonZeolla
Member Author

Had an initial discussion this morning; more coming, collaboration likely and may loop in other entities including NIST and the CSA

@JonZeolla
Member Author

Here are my notes from today:

CIS provides Mapping as a Service - controls only, which is a very popular service that tool vendors and orgs look at.

Looking for all frameworks to be represented in OSCAL, and map together as needed. Some work on refining mapping methodologies; opportunity for collaboration. Internally they plan to come up with use cases and think about the end goal of the mapping. They currently use ideas like superset and intersection, but are also looking to be able to identify gaps during mapping exercises.

CSA CCM is 4.0 in OSCAL; CIS has mapped, but no unique IDs yet.

  • Want unique IDs for their benchmarks.

Cloud providers are interested.

CSA does have CCM 4.0 in OSCAL, not sure where it resides

CIS mapping to CSA is in https://github.com/CISecurity/CISControls_OSCAL

If we want to talk about coming together for a mapping methodology.

CIS meets with CSA and NIST regularly; going to work on a method to collaborate more together instead of individually. Consider a CIS Workbench community or GitHub discussions.

Projects
Status: 🏗 In progress