Add CCC Roadmap to Project ReadMe #52
Conversation
mcleo-d
added
All Working Groups
There was a problem hiding this comment.
Some comments and suggestions were provided.
- Controls are documented in an OSCAL Catalog
- An OSCAL Profile can select and customize (per service) a subset of controls
- The implementations of controls in a Profile or Catalog are implemented in an OSCAL Component definition (CDef)
- When a component become part of a system, the CDef is reviewed and configurations and controls' implementations are adapted , and the information is captured in an system security plan (SSP)
- SSP is used in an assessment to generate the Assessment Plan (AP) . The assessment findings , observations, risks identified, etc. are captured in the Assessment Result, and the deficiencies are reported in OSCAL POA&M and conveyed to the SSP and system owner to address or assume the risk .
1, 2, and 3, is what this group can demonstrate and help group 4 to generate.
| - Define the end target for the working group. | ||
| - For example, stop regenerating processes. | ||
| 2. [Define whether the working group wants to create a repo of component definitions #43](https://github.com/finos/common-cloud-controls/issues/43) | ||
| - Define whether the working group wants to create an OSCAL catalog? |
There was a problem hiding this comment.
All the bullets under item 2. are separate from the decision of creating a repository of component definitions for the abstracted cloud capabilities/components/services. If FINOS wants to publish the CCC in OSCAL, then an example catalog is needed (maybe a tutorial, for the 4th team to know how to implement the final catalog)
There was a problem hiding this comment.
Please see recommendation here - #52 (comment)
| - Allocate MITRE threats and apply OSCAL mitigations | ||
| - Write Gherkin tests to describe service configuration expectations | ||
| - Work with CSPs on how Gherkin should be interpreted via cloud APIs | ||
|
|
There was a problem hiding this comment.
There was a problem hiding this comment.
Please see recommendation here - #52 (comment)
Readme.md
Outdated
| 1. [Define vision and purpose for OSCAL Representation of CCC working group #42](https://github.com/finos/common-cloud-controls/issues/42) | ||
| - Define the end target for the working group. | ||
| - For example, stop regenerating processes. | ||
| 2. [Define whether the working group wants to create a repo of component definitions #43](https://github.com/finos/common-cloud-controls/issues/43) |
There was a problem hiding this comment.
- [Define a proof of concept OSCAL catalog - creation and use Create a sample control catalog and component definition implementing the controls #65](Create a sample control catalog and component definition implementing the controls #65
There was a problem hiding this comment.
Please see recommendation here - #52 (comment)
|
Hey @iMichaela 👋🏻 Thank you for the change requests. I've updated the PR to reflect the live updates made during the #54 meeting that can be reviewed below. Can I suggest these changes are merged and your changes are applied through a new PR. This way we're not editing and reviewing by commit? Thanks for your collaboration on this 😄 James. |
|
The roadmap should be added to a separate markdown so not to bloat the project readme. |
Description
This pull request adds the 30, 60, 90 day roadmap created by the OSCAL (@jonmuk) and Taxonomy (@mark-rushing) working groups to the main project ReadMe. This work was fulfilled within and closes #13
The MITRE (@git-hub-forwork1) working group still needs to add their roadmap to the project, which can be done by pull request into the ReadMe section created by this pull request.