
AP Tasks Need Asset Linkage #2026

Open · 3 tasks

brian-comply0 opened this issue Jun 21, 2024 · 1 comment

User Story

As a developer of cATO capabilities using OSCAL, I need the ability to define which tool will be performing a specific task in the Assessment Plan model.

Currently, the AP provides for the definition of:

  • assessors (parties)
  • activities (Examine, Test, Interview)
  • assets (assessment tools and platforms)
  • subjects (parties, components, inventory items, users, locations)

The AP also provides tasks, which are used to link assessors, activities and subjects as well as define a time interval; however, it is missing the ability to associate assessment assets with tasks.

For snapshot in time assessments, the inability to link assets to tasks is inconvenient, but not critical.

However, when attempting to use an OSCAL AP as a specification for automated continuous ATO, the ability to associate an asset to a task becomes critical. Under cATO the tool is the actor in lieu of the assessor.

The frequency of an automated activity is defined in an AP task (i.e. every 10 minutes, once an hour, once a day). There needs to be a way to indicate what assessment asset (tool, script, or automated process) performs that task.

Goals

  • add an associated-asset-uuid field to assessment-plan/task with a cardinality of 0 or more. (this would be a non-breaking change)

Dependencies

No response

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Revisions

No response

@brian-comply0 (Author):

NOTE for others facing this need. For now, we are using an OSCAL extension to address this. We define a property with:

  • name: associated-asset-uuid
  • value: UUID of the associated asset
  • ns: our application's namespace (http://comply0.com/ns/oscal)
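
The following is an added example, not code from the OSCAL project or from the issue author, showing what the extension described in the comment above looks like in an OSCAL JSON assessment plan and how a consumer can validate the links before acting on them. The assessment plan is constructed for illustration with placeholder UUIDs; the field names (assessment-assets, assessment-platforms, tasks, timing, props) follow the OSCAL 1.x assessment-plan model. It goes slightly beyond the comment in that it also flags recurring tasks that carry no asset link (under cATO such a task has no actor) and prop values that are not well-formed UUIDs.

```python
"""Validate task-to-asset links carried by the associated-asset-uuid prop extension.

Added example: not code from the OSCAL project or the issue author.
The SAMPLE_AP document below is constructed; all UUIDs are placeholders.
"""
import json
import uuid

COMPLY0_NS = "http://comply0.com/ns/oscal"  # namespace given in the comment above
PROP_NAME = "associated-asset-uuid"

# Constructed placeholder identifiers (not real assets or tasks)
SCANNER_COMPONENT = "aaaaaaaa-0000-4000-8000-000000000001"
RUNNER_PLATFORM = "aaaaaaaa-0000-4000-8000-000000000002"
MISSING_ASSET = "aaaaaaaa-0000-4000-8000-0000000000ff"  # not declared anywhere
TASK_SCAN = "bbbbbbbb-0000-4000-8000-000000000001"
TASK_DANGLING = "bbbbbbbb-0000-4000-8000-000000000002"
TASK_UNLINKED = "bbbbbbbb-0000-4000-8000-000000000003"
TASK_MALFORMED = "bbbbbbbb-0000-4000-8000-000000000004"


def asset_prop(asset_uuid):
    """Build the extension prop exactly as the comment describes it."""
    return {"name": PROP_NAME, "value": asset_uuid, "ns": COMPLY0_NS}


SAMPLE_AP = {
    "assessment-plan": {
        "uuid": "cccccccc-0000-4000-8000-000000000001",
        "assessment-assets": {
            "components": [
                {"uuid": SCANNER_COMPONENT, "type": "software",
                 "title": "Vulnerability scanner",
                 "description": "Constructed scanner component",
                 "status": {"state": "operational"}},
            ],
            "assessment-platforms": [
                {"uuid": RUNNER_PLATFORM, "title": "Scanner runner",
                 "uses-components": [{"component-uuid": SCANNER_COMPONENT}]},
            ],
        },
        "tasks": [
            # Recurring task correctly linked to a declared platform
            {"uuid": TASK_SCAN, "type": "action", "title": "Scan web tier",
             "timing": {"at-frequency": {"period": 10, "unit": "minutes"}},
             "props": [asset_prop(RUNNER_PLATFORM)]},
            # Recurring task whose link points at an undeclared asset
            {"uuid": TASK_DANGLING, "type": "action", "title": "Config drift check",
             "timing": {"at-frequency": {"period": 1, "unit": "hours"}},
             "props": [asset_prop(MISSING_ASSET)]},
            # Recurring task with no asset link at all: no actor under cATO
            {"uuid": TASK_UNLINKED, "type": "action", "title": "Daily log review",
             "timing": {"at-frequency": {"period": 1, "unit": "days"}}},
            # One-off task whose prop value is not a UUID
            {"uuid": TASK_MALFORMED, "type": "action", "title": "One-off interview",
             "timing": {"on-date": {"date": "2024-06-21T00:00:00Z"}},
             "props": [asset_prop("not-a-uuid")]},
        ],
    }
}


def declared_asset_uuids(ap):
    """Every UUID an asset link may legitimately point at: components and platforms."""
    assets = ap.get("assessment-assets", {})
    found = {c["uuid"] for c in assets.get("components", [])}
    found |= {p["uuid"] for p in assets.get("assessment-platforms", [])}
    return found


def linked_asset_uuids(task):
    """Values of the extension prop; the name is only meaningful inside our ns."""
    return [p["value"] for p in task.get("props", [])
            if p.get("name") == PROP_NAME and p.get("ns") == COMPLY0_NS]


def is_recurring(task):
    return "at-frequency" in task.get("timing", {})


def check_task_asset_links(doc):
    """Return (task_uuid, code, detail) findings for every task in the plan.

    Codes: ok, dangling (undeclared asset), malformed (not a UUID),
    unlinked-recurring (automated task with no actor), unlinked-snapshot.
    """
    ap = doc["assessment-plan"]
    known = declared_asset_uuids(ap)
    findings = []
    for task in ap.get("tasks", []):
        links = linked_asset_uuids(task)
        if not links:
            code = "unlinked-recurring" if is_recurring(task) else "unlinked-snapshot"
            findings.append((task["uuid"], code, ""))
            continue
        for ref in links:
            try:
                uuid.UUID(ref)
            except ValueError:
                findings.append((task["uuid"], "malformed", ref))
                continue
            findings.append((task["uuid"], "ok" if ref in known else "dangling", ref))
    return findings


if __name__ == "__main__":
    print(json.dumps(check_task_asset_links(SAMPLE_AP), indent=2))
```

A consumer driving automation from the plan would treat anything other than `ok` as a reason not to schedule the task: a dangling or malformed link means the plan names an actor that cannot be resolved, and an unlinked recurring task has no actor at all.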

Status: Needs Triage
Development

No branches or pull requests

1 participant