Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Control Mapping: Support for additional context when defining equivalencies in sets. #1332

Open
3 tasks
Compton-US opened this issue Jul 1, 2022 · 6 comments
Open
3 tasks
Labels
Community Feedback Needed Discussion Needed This issues needs to be reviewed by the OSCAL development team. enhancement Research User Story

Comments

@Compton-US
Copy link
Contributor

Compton-US commented Jul 1, 2022

User Story:

As an OSCAL implementer, I would like to specifically describe a control equivalency when requirements of a control may not be completely compatible. This support would allow me to constrain a source control that is more broadly interpreted than the target control.

"Meets or exceeds" is a commonly used phrase when describing the degree of conformance, and we already have operators that address equal-to and equivalent-to. Based on discussion, when an equivalent-to relationship between two controls is described, there will be situations where the relationship needs context to specifically describe how the equivalence is achieved. Additionally, there may be situations where this equivalency can be assured only in one direction, unless the how is precisely defined in a way that automation can interpret the intention of the author.

Goals:

The goal is to allow a human-centered, potentially subjective, statement of equivalency that can be interpreted reliably by automation. Discussion has been around the greater-than > and less-than < style set operators, where one control has a greater constraint than another. Terms that seem to most accurately capture the comparisons could be:

  • exceeds - The source control, statement and/or requirement is more constrained than the target requirement. The requirement in the target will be met, but the comparison is not completely (or mathematically) equivalent.

  • precludes - The source control, statement and/or requirement prevents equivalency in the target, or is deficient in some manner. The requirement in the target may not be met without constraints in the source. Some combinations may never be allowed.

Above is just to provoke discussion, and the exact terms still need consideration and definition.

Use Cases

Example 1:

An information system to be used by government, where the solution is also used in another sector where constraints are more strictly defined by an organization.

  • Organization: Requires TLS [Catalog_B:Control_2]
  • Organization: Requires when TLS is used, must be v1.3 [Catalog_B:Control_4:Stmt_2]
  • FedRAMP: Requires TLS no less than v1.2. [Catalog_A:Control_1]

Example 2:

A health IT vendor has a profile to address HIPAA requirements for a SaaS solution. The HIPAA controls are typically very broad, and less opinionated regarding technical implementation details. The vendor is planning to license the solution to federal government and wishes to map the HIPAA profile to a FedRAMP moderate profile.

  • HIPAA: Requires Encryption in Transit [Catalog_B:Control_2]
    • May Use TLS 1.0 [Catalog_B:Control_2:Stmt_3]
    • May Use TLS 1.1 [Catalog_B:Control_2:Stmt_4]
    • May Use TLS 1.2 [Catalog_B:Control_2:Stmt_5]
  • FedRAMP: Requires TLS no less than v1.2 [Catalog_A:Control_1]

or another potential variation (one statement, many options):

  • HIPAA: Requires Encryption in Transit [Catalog_B:Control_2]
    • May Use TLS 1.0 [Catalog_B:Control_2:Stmt_3]
    • or TLS 1.1 [Catalog_B:Control_2:Stmt_3]
    • or TLS 1.2 [Catalog_B:Control_2:Stmt_3]
  • FedRAMP: Requires TLS no less than v1.2 [Catalog_A:Control_1]

Additional Discussion References:

Dependencies:

This is related to the OSCAL control mapping development work that is underway.

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.
@aj-stein-nist aj-stein-nist added this to the OSCAL 1.1.0 milestone Jul 5, 2022
@aj-stein-nist aj-stein-nist added the Model Engineering An issue to be discussed during the bi-weekly Model Engineering Meeting label Jul 5, 2022
@david-waltermire david-waltermire added the Discussion Needed This issues needs to be reviewed by the OSCAL development team. label Jul 5, 2022
@aj-stein-nist aj-stein-nist added Discussion Needed This issues needs to be reviewed by the OSCAL development team. and removed Discussion Needed This issues needs to be reviewed by the OSCAL development team. Model Engineering An issue to be discussed during the bi-weekly Model Engineering Meeting labels Jul 5, 2022
@david-waltermire
Copy link
Contributor

david-waltermire commented Jul 5, 2022

This makes sense. To move forward we need concrete examples, using the OSCAL mapping model, that illustrate the use of these new relationships. These will be helpful in driving additional discussion around refining this proposal.

@Compton-NIST Can you convert the scenarios above into concrete examples?

@Compton-US Compton-US moved this from Todo to In Progress in NIST OSCAL Work Board Sep 19, 2022
@david-waltermire david-waltermire added the Model Engineering An issue to be discussed during the bi-weekly Model Engineering Meeting label Sep 27, 2022
@Compton-US
Copy link
Contributor Author

For those that are curious, I will share "real time" progress on research in this gist:
https://gist.github.com/Compton-NIST/e76412d372b4e9608ae010aad243c9ae#file-mapping-md

Findings and concerns will filter over into this ticket as determined.

@Compton-US
Copy link
Contributor Author

Part of the discussion to take place in the model review.
Handout - OSCAL Model Review 2022-10-14.pdf

@Compton-US
Copy link
Contributor Author

These are the slides from the mapping exercise:
Mapping Exercise - OSCAL Model Review 2022-10-14.pdf

@aj-stein-nist
Copy link
Contributor

Chris is away and so we will need to move this to Sprint 63 and @Compton-NIST and I can sync up later about whether this is still doable for completion in Sprint 63 (February).

@Compton-US Compton-US moved this from In Progress to Todo in NIST OSCAL Work Board Feb 2, 2023
@aj-stein-nist aj-stein-nist removed the Model Engineering An issue to be discussed during the bi-weekly Model Engineering Meeting label Jul 11, 2023
@aj-stein-nist aj-stein-nist removed this from the v1.1.0 milestone Jul 27, 2023
@aj-stein-nist aj-stein-nist moved this from Todo to Further Analysis Needed in NIST OSCAL Work Board Sep 20, 2023
@aj-stein-nist aj-stein-nist moved this from Further Analysis Needed to DEFINE Research Needed in NIST OSCAL Work Board Sep 20, 2023
@Compton-US Compton-US added the Aged A label for issues older than 2023-01-01 label Nov 2, 2023
@Compton-US
Copy link
Contributor Author

@Compton-US Compton-US removed the Aged A label for issues older than 2023-01-01 label Nov 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Community Feedback Needed Discussion Needed This issues needs to be reviewed by the OSCAL development team. enhancement Research User Story
Projects
Status: DEFINE Research Needed
Development

No branches or pull requests

3 participants