Implementation Layer Samples #13
Comments
We need both SSP and Component samples. These should be artificial, constructed samples that will help a content creator better understand the SSP and component models.
A component can be a software application, service, technology, policy, procedure, or an aggregation of the previous. Some specific examples of each type would be helpful.
9/5/2019: The existing SSP sample needs a review to make sure the syntax did not change and the sample is still valid. A different sample might be needed to exercise the component aggregation approach of the SSP layer. @JoshLoveUSAF's small planned sample might be useful here.
This issue was partially addressed by PR usnistgov/OSCAL#492, which includes a component-based SSP. More work is needed to complete the other samples. Adding to sprint 25.
Can this task be split into individual tasks? The acceptance criteria are:
It looks like 5 was implemented in usnistgov/OSCAL#492. I have a sample in usnistgov/OSCAL#585 that could be useful for 1, when it's reviewed / complete.
Here is a sample SSP generated from DOJ's Cyber Security Assessment and Management (CSAM) tool populated with fictional data. The CSAM SSP format was designed to follow the NIST 800-18 Rev1 guidelines fairly closely. The Minimum Security Controls section contains an artificially small subset of Controls compared with typical real-world SSPs. The intent was to include a small sample of Controls demonstrating various applicability scenarios (e.g. Applicable, Fully Inherited, Hybrid Inherited).
User Story:
As an OSCAL implementer, I would benefit from examples demonstrating both component and SSP content.
NOTE: Due to the sensitivity of SSP content, samples must be fictitious.
Goals:
Dependencies:
Issue usnistgov/OSCAL#246
Acceptance Criteria