Implementation Layer Samples #13
Comments
|
We need both SSP and Component samples. These should be artificial, constructed samples that will help a content creator better understand the SSP and component models. |
|
A component can be a software application, service, technology, policy, procedure, or an aggregation of the previous. Some specific examples of each type would be helpful. |
9/5/2019The existing SSP sample needs a review to make sure the syntax did not change and the sample is still valid. A different sample might be needed to exercise the component aggregation approach of the SSP layer. @JoshLoveUSAF's small planned sample might be useful here. |
|
This issue was partially addressed by PR usnistgov/OSCAL#492, which includes a component-based SSP. More work is needed to complete the other samples. Adding to sprint 25. |
|
Can this task be split into individual tasks? The acceptance criteria is:
It looks like 5 was implemented in usnistgov/OSCAL#492 I have a sample in usnistgov/OSCAL#585 that could be useful for 1, when its reviewed / complete. |
|
Here is a sample SSP generated from DOJ's Cyber Security Assessment and Management (CSAM) tool populated with fictional data. The CSAM SSP format was designed to follow the NIST 800-18 Rev1 guidelines fairly closely. The Minimum Security Controls section contains an artificially small subset of Controls compared with typical real-world SSPs. The intent was to include a small sample of Controls demonstrating various applicability scenarios (e.g. Applicable, Fully Inherited, Hybrid Inherited). |
User Story:
As an OSCAL implementer, I would benefit from examples demonstrating both component and SSP content.
NOTE: Due to the sensitivity of SSP content, samples must be fictitious.
Goals:
Dependencies:
Issue usnistgov/OSCAL#246
Acceptance Criteria
The text was updated successfully, but these errors were encountered: