-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Catalog Content for NIST 800-171 #150
Comments
@matt-f5 - Thank you for your initiative. The catalog you produced looks good (note - I did not validate it or try review its content in detail). |
Add @matt-f5's new catalog as announced in usnistgov/oscal-content#150.
@iMichaela I love the sound of the OSCAL Mapping Model and agree it would be particularly useful for 800-171. Another thing to note in 800-171 that makes it unique from 800-53 is that 800-171A doesn't explicitly identify ODPs throughout the determination statements. Maybe this is an improvement recommendation for 800-171A itself, but there are many statements like "3.1.1[a] authorized users are identified" which are probably more useful as control parameters. The catalog I wrote just considers all the 3.x.x[a-z] tier as normal assessment objectives. |
First off, the NIST OSCAL Team is very excited to see community members like yourself take other NIST security control frameworks and transform them into OSCAL. Great work! The 800-171 control catalog is maintained by another team within the Computer Security Division of ITL in NIST. The maintainers of that catalog would need to initiate an effort to publish the catalog in OSCAL. They need to hear from you and other community members about your interest in that. Contact information for the catalog authors is on this page, feel free to email them at [email protected]. We are going to close this issue as there is no action item for 800-171 at this time. We can re-open this if the 800-171 maintainers decide to start an effort. Thanks again! |
User Story:
As a DoD contractor subject to DFARS 252.204-7012, I would like to implement the security requirements in NIST SP 800-171 while still leveraging the technological advancements of OSCAL.
Goals:
Create at least an OSCAL Catalog to represent the security requirement content from NIST SP 800-171.
Dependencies:
None that I'm aware of.
Acceptance Criteria
Discussion Primer
I wrote a parser to transform the content from csv to OSCAL and pushed a draft OSCAL Catalog and example Full Inclusion Profile here: https://github.com/FATHOM5/oscal/tree/main/content/SP800-171/oscal-content
I wanted to open this enhancement issue to gauge the general interest in this content before creating the proper fork and opening a pull request. In general, the industry is struggling with 800-171. I feel OSCAL can be a valuable resource across the defense industrial base if the necessary base content existed.
The text was updated successfully, but these errors were encountered: