-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Control Mapping: Support for additional context when defining equivalencies in sets. #1332
Comments
This makes sense. To move forward we need concrete examples, using the OSCAL mapping model, that illustrate the use of these new relationships. These will be helpful in driving additional discussion around refining this proposal. @Compton-NIST Can you convert the scenarios above into concrete examples? |
For those that are curious, I will share "real time" progress on research in this gist: Findings and concerns will filter over into this ticket as determined. |
Part of the discussion to take place in the model review. |
These are the slides from the mapping exercise: |
Chris is away and so we will need to move this to Sprint 63 and @Compton-NIST and I can sync up later about whether this is still doable for completion in Sprint 63 (February). |
This is being worked as a part of DEFINE:
Keeping open pending outcome. |
User Story:
As an OSCAL implementer, I would like to specifically describe a control equivalency when requirements of a control may not be completely compatible. This support would allow me to constrain a source control that is more broadly interpreted than the target control.
"Meets or exceeds" is a commonly used phrase when describing the degree of conformance, and we already have operators that address
equal-to
andequivalent-to
. Based on discussion, when anequivalent-to
relationship between two controls is described, there will be situations where the relationship needs context to specifically describehow
the equivalence is achieved. Additionally, there may be situations where this equivalency can be assured only in one direction, unless thehow
is precisely defined in a way that automation can interpret the intention of the author.Goals:
The goal is to allow a human-centered, potentially subjective, statement of equivalency that can be interpreted reliably by automation. Discussion has been around the greater-than
>
and less-than<
style set operators, where one control has a greater constraint than another. Terms that seem to most accurately capture the comparisons could be:exceeds - The source control, statement and/or requirement is more constrained than the target requirement. The requirement in the target will be met, but the comparison is not completely (or mathematically) equivalent.
precludes - The source control, statement and/or requirement prevents equivalency in the target, or is deficient in some manner. The requirement in the target may not be met without constraints in the source. Some combinations may never be allowed.
Above is just to provoke discussion, and the exact terms still need consideration and definition.
Use Cases
Example 1:
An information system to be used by government, where the solution is also used in another sector where constraints are more strictly defined by an organization.
Example 2:
A health IT vendor has a profile to address HIPAA requirements for a SaaS solution. The HIPAA controls are typically very broad, and less opinionated regarding technical implementation details. The vendor is planning to license the solution to federal government and wishes to map the HIPAA profile to a FedRAMP moderate profile.
or another potential variation (one statement, many options):
Additional Discussion References:
Dependencies:
This is related to the OSCAL control mapping development work that is underway.
Acceptance Criteria
The text was updated successfully, but these errors were encountered: