NIST Generated 800-53 OSCAL Catalog could nest Objectives under their respective Statements #98
Labels
closable
Requests that the issue be closed by the repository maintainers.
enhancement
The issue adds a new feature, capability, or artifact to the repository.
User Story
The issue is a user story for a development task.
Comments
vmangat
added
enhancement
vmangat
changed the title
|
The style of the OSCAL catalog content used in the 800-53 catalog reflects the content (and its underlying structure) for the team producing the catalog in NIST (not the same as this developer team). You can contact that team at sec-cert@nist.gov, per the official team website and contact instructions. That said, we are going to open an issue for a future enhancement to explicitly define the links between objectives and their originating statements in the published content to ease your ability for developers to easily reorganize the data to their liking, since you are suggesting one such approach. |
aj-stein-nist
added
the
closable
|
Beyond objectives being tied to statements, the methods should be linked to objectives. With a clear linkage between Statement-> Objective-> Method, there is a lot of opportunity to streamline the SSP documentation and the SAP tasks and SAR findings documentation, providing labor savings and ensuring data integrity.
The FedRAMP baselines offered the concept of “response points” which is very useful. However there is discrepancy between the statement response points and objective response points because the linkage does not exist. We love the concept of “response points” as it allows tools to support customization of how granular the SSP need to be and hence how the assessment should be conducted.
Hopefully in the near future we will be able to offer a revised representation of the statements/objectives/methods to the catalog.
From: Alexander Stein ***@***.***>
Sent: Tuesday, May 10, 2022 11:55 AM
To: usnistgov/oscal-content ***@***.***>
Cc: Valinder Mangat ***@***.***>; Author ***@***.***>
Subject: Re: [usnistgov/oscal-content] NIST Generated 800-53 OSCAL Catalog could nest Objectives under their respective Statements (Issue #98)
The style of the OSCAL catalog content used in the 800-53 catalog reflects the content (and its underlying structure) for the team producing the catalog in NIST (not the same as this developer team). You can contact that team at ***@***.******@***.***>, per the official team website and contact instructions<https://csrc.nist.gov/projects/risk-management/about-rmf>.
That said, we are going to open an issue for a future enhancement to explicitly define the links between objectives and their originating statements in the published content to ease your ability for developers to easily reorganize the data to their liking, since you are suggesting one such approach.
—
Reply to this email directly, view it on GitHub<#98 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AXO7IHWNNHN75L2GSNRHRI3VJKBE3ANCNFSM5P6QGQ2Q>.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
User Story:
As an OSCAL tool developer, I need to be able to present a control statement at a certain "response point" with its related objectives and methods to meet the requirement of the statement.
NIST 800-53 Catalog file as structured today, the Objectives and methods are siblings to statements and the only way to correlate the objectives to the statements is via semantic parsing of the IDs.
If the objectives were included as nested parts to the statements, they would be automatically correlated. Likewise methods could be nested parts within the objectives.
FedRAMP resolved catalog specifies "methods" for objectives through the 'alter' directive in the Profile.
Goals:
This does not require a change in the standard, and could be achieved by generating NIST 800-53 catalog as requested.
A sample of what this could look like is included. We modified AC-1 of the FedRAMP provided resolved catalog.
Alternatively, the tools will have to correlate the objectives to their respective statements requiring a lot of compute cycles which will fail if the semantics of the statement and objective IDs were changed.
Dependencies:
We don't think there are any dependencies.
Acceptance Criteria
FedRAMP_rev4_MODERATE-baseline-resolved-profile_catalog_EDITED.txt
The text was updated successfully, but these errors were encountered: