[PROTOTYPE MAPPING MODEL] - Several recommendations for provenance and confidence-score #2013
Comments
The current proposed mapping model incorporates several new features from the previous draft (of which IBM currently employs using the commensurate open source compliance-trestle branch).
ref: https://pages.nist.gov/OSCAL-Reference/models/prototype-mapping-model/mapping/json-outline/
Provenance is a new required sub-structure that "Describes requirements, incompatibilities and gaps that are identified between a target and source in a mapping item."
Method: adding human+automation as a 3rd allowed value seems appropriate, and might be the most common mapping methodology employed?
Some further questions:
|
Another comment around provenance - I would like to propose that the I would also +1 to question one @degenaro's list about the use of |
@degenaro - Thank you for your comments. They are very useful. You are asking:
Great question for the AI-model developers/engineers. I would like to think the bathing models provide consistency by operating on one type of matching, per training of the model. If that is not possible, an AI-driven approach is even worse than a human-based one since a human can identify what thinking process was applied, despite the biases that might exist. We should call on all OSCAL implementors using today AI methods in their tools or process, and find out.
The other questions you asked:
|
I agree with @jpower432 . Thank you for the |
ISSUE: namespace needed under provenance |
As discussed today, the following changes can be made -
|
@vikas-agarwal76 and @ancatri - thank you for the recommendations. I think we also discussed to include a |
Also, namespace |
@iMichaela We had a detailed discussion on this and here are our suggestions -
|
@vikas-agarwal76 - I agree with all recommendations, with a caveat for the following one:
IF provenance has NO matching-rationale, then every map MUST have one. Otherwise, a More information about those values, definitions and small examples are available in the NIST IR 8477 Without knowing, understanding how the mapping was done, a syntactic Example we used
PLEASE NOTE the I am suggesting noting in your application the I need to research the enforcement of the constraint mentioned above, BUT my suggestion would be to use a default value and keep |
@iMichaela Here is a sample OSCAL mapping model that we created based on the discussions that we had. Here is the summary -
|
User Story
In the Control Mapping Model, the provenance/confidence-score had a type string but could serve better if it would allow for a numeric score and a description of how it was calculated. The reference needs clarification since it indicates the score should be included if the mapping was done automatically.
The values listed for the provenance (human and automation) do not cover the case of automatic generation with human review.
A namespace was requested by IBM and RedHat for the confidence-score to allow for calculations of the score using other methods (when needed).
Goals
string type for the confidence-score with something better. An integer and a description would be more appropriate. Being more prescriptive around calculation of the confidence score is also of interest.
IMPORTANT TO NOTE: A more strict, mathematical approach would provide consistency as requested by the community members, while preserving flexibility for other methods under distinct ns.
.Dependencies
No response
Acceptance Criteria
(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)
Revisions
No response