ScubaGear

Cross-linking M365 baselines with NIST 800-53 controls

Open schrolla opened this issue 1 year ago • 10 comments

Description

Beyond basic security, many organizations also use a number of risk management frameworks to better understand and mitigate risks to themselves and their data. To that end, this feature is meant to provide a mapping between the M365 secure baselines and one or more common risk management frameworks or other security configuration baselines.

Steps to completing this epic include:

  • Identifying which framework(s) and baseline(s) to map against
  • Analyzing the controls within the frameworks to map between M365 SCBs and the candidate framework(s)
  • Updating the M365 SCBs to include mapping information on a policy item level

Initiative / Goal

The goal is to create an easy to use reference to map policy items in the M365 SCB to security controls or configuration items in other baselines or risk management frameworks.

Hypothesis

Adding mapping information to the M365 SCBs will provide value to additional sets of stakeholders, such as risk managers and security analysts and support organizational risk management activities by providing a clear relationship between SCB policy configuration items and security controls.

Acceptance criteria

Criteria that are considered must have for feature launch and in-scope for this epic include:

  • [x] New field formatting to contain mapping information for the SCBs has been proposed and agreed upon
  • [x] Risk management framework control sets and/or baseline policy items have been identified for mapping
  • [x] All of the M365 SCBs have been mapped to the identified frameworks/baselines
  • [ ] Updated M365 SCBs with mapping information have been published

Stakeholders / Resources

Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to risk management framework and candidate baseline documentation.

Timeline

The projected timeline for delivery of this epic feature is currently the June timeframe.

Associated Tasks

See details in the following issues:

  • [ ]

schrolla avatar Feb 26 '24 18:02 schrolla

Start exploring mechanisms to do mappings and gathering/utilizing example SSPs in Kraken.

schrolla avatar Sep 05 '24 18:09 schrolla

See https://github.com/cisagov/ScubaGear/tree/oscal-exploration/oscal OSCAL exploration branch for more info.

schrolla avatar Sep 20 '24 18:09 schrolla

@amart241 Since SCBs are not being modified in Lionfish, move last acceptance criteria to standalone issue in Marlin to accomplish publishing.

schrolla avatar Jan 17 '25 20:01 schrolla

@schrolla, what is the status of the SCuBA to 800-53 mapping? Slide 10 of the SCuBA overview at https://csrc.nist.gov/csrc/media/Presentations/2024/cisa-s-scuba-overview/5-CISAs_SCuBA_Overview-Mamika_Huynh.pdf states [emphasis added]:

When developing the baselines, users would ask whether our baselines would meet their 800-53 controls. As a response, the SCuBA M365 and GWS baseline policies were mapped to NIST SP 800-53 Rev. 5, FedRAMP High baseline.

However, the OSCAL information you reference above states the mapping is incomplete (and the corresponding json file is quite thin on the control mapping).

Thanks for the help.

faulkdev avatar Mar 11 '25 23:03 faulkdev


@faulkdev Thanks for the question. If you are referring to the OSCAL exploration branch I commented on above, yes, it is incomplete and this issue is working on a more complete updated mapping than what is present in the proof of concept branch referenced above since the focus of that branch was exploring the code to use such a mapping rather than a complete mapping itself. In short, work in progress with more to come.

schrolla avatar Mar 12 '25 13:03 schrolla

@schrolla, Do you have any other formats (Excel) that have more mappings from SCuBA to 800-53? Thanks.

zibberzoo avatar Mar 13 '25 18:03 zibberzoo


An updated mapping is still being developed. Watching this issue for updates is the best way to be informed when new mappings are available and to find out in what format they will be made available.

schrolla avatar Mar 13 '25 19:03 schrolla

@schrolla, We're standing by, here. In the interim, perhaps CISA could update their public information on SCuBA, removing the statement that CISA has performed a mapping to FedRAMP High and providing an ETA for that work. Thank you.

faulkdev avatar Mar 14 '25 13:03 faulkdev

It would be of greater value if we could map to CIS, which is a much more widely used standard; a few forks of SCuBA do this already by adding the map value to the rego. However, they aren't without issue (current baseline version, L1, L2, E3, E5, etc.).

Lucero7919 avatar Mar 24 '25 08:03 Lucero7919

We respectfully disagree with a CIS mapping being of more value than the CISA-advertised mapping to 800-53r5 / FedRAMP High. Given CISA BOD 25-01 and the SCuBA focus on FCEB, both USG organizations and their federal contractors are looking for a clear (and clean) mapping between SCuBA and 800-53r5 (the "glue" among / "basis" for other requirements such as FedRAMP, RMF, DoD Cloud SRG, STIGs, CNSSI 1253, C-SCRM, 171/CMMC, StateRAMP, etc.). CIS has a mapping between CIS v8 & 800-53r5 moderate & low baselines (with 119 unmapped 800-53r5 moderate controls) available to those organizations requiring only CIS or a similar framework.

faulkdev avatar Mar 24 '25 21:03 faulkdev
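The thread above asks for a clean SCB-to-800-53 mapping and raises the question of unmapped controls; as an added example (not ScubaGear's or CISA's code, and not the OSCAL exploration branch), the script below inverts a constructed OSCAL-style component-definition fragment into a control-to-policy index and reports which baseline controls are covered, which are unmapped, and which mapped controls fall outside the baseline. The `policy-id` prop, the placeholder profile name and every policy/control pairing are assumptions for illustration; the baseline list is a constructed subset, not the FedRAMP High profile.

```python
"""Cross-reference SCB policy IDs with NIST SP 800-53 control IDs (added
illustration, not ScubaGear's or CISA's code). The JSON below is a constructed
OSCAL-style component-definition fragment: the MS.<product>.<n>.<m>v<rev> IDs
follow ScubaGear's naming, but each control pairing is illustrative only."""
import json
import re
from collections import defaultdict

OSCAL_ID = re.compile(r"^[a-z]{2}-\d+(\.\d+)?$")  # OSCAL form: ac-2, ia-2.1

# Constructed sample; the "policy-id" prop is an assumed convention for
# carrying the SCB policy item on each implemented requirement.
MAPPING_JSON = json.dumps({"component-definition": {"components": [{
    "title": "M365 Entra ID baseline (constructed sample)",
    "control-implementations": [{
        "source": "PLACEHOLDER-800-53r5-high-profile.json",
        "implemented-requirements": [
            {"control-id": "ac-2", "props": [{"name": "policy-id", "value": "MS.AAD.1.1v1"}]},
            {"control-id": "IA-2(1)", "props": [{"name": "policy-id", "value": "MS.AAD.3.1v1"}]},
            {"control-id": "ia-2.1", "props": [{"name": "policy-id", "value": "MS.AAD.3.2v1"}]},
            {"control-id": "cm-6", "props": [{"name": "policy-id", "value": "MS.AAD.5.1v1"}]},
        ]}]}]}})


def normalize(control_id: str) -> str:
    """Map human forms such as 'IA-2(1)' onto OSCAL's 'ia-2.1'; reject junk."""
    cid = re.sub(r"\((\d+)\)", r".\1", control_id.strip().lower())
    if not OSCAL_ID.match(cid):
        raise ValueError(f"malformed control id: {control_id!r}")
    return cid


def build_control_index(doc_text: str) -> dict[str, set[str]]:
    """Invert the component-definition into control-id -> set of SCB policy IDs."""
    index: dict[str, set[str]] = defaultdict(set)
    for component in json.loads(doc_text)["component-definition"]["components"]:
        for impl in component["control-implementations"]:
            for req in impl["implemented-requirements"]:
                policies = {p["value"] for p in req.get("props", []) if p["name"] == "policy-id"}
                index[normalize(req["control-id"])] |= policies
    return dict(index)


def coverage(index: dict[str, set[str]], baseline: list[str]) -> dict[str, list[str]]:
    """Baseline controls with a policy, those with none, and mapped controls
    that are not in the baseline at all (the gaps a reviewer would flag)."""
    wanted = {normalize(c) for c in baseline}
    return {"covered": sorted(wanted & index.keys()),
            "unmapped": sorted(wanted - index.keys()),
            "outside_baseline": sorted(index.keys() - wanted)}
```

Running `coverage(build_control_index(MAPPING_JSON), ["AC-2", "AU-6", "IA-2(1)", "SC-7"])` on the constructed data reports `au-6` and `sc-7` as unmapped and `cm-6` as mapped but outside the baseline subset.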