OpenCRE
Mapping issue: NIST SSDF to NIST SP 800-53
Issue
What is the issue?
The mapping from NIST SSDF PO.1.2 (Identify and document all security requirements) to SP800-53 gives SC-18 Mobile Code as the only Direct mapping. This doesn't seem correct.
Expected Behaviour
I don't have extensive knowledge of 800-53, but I would think SA-8 is a closer match for instance.
@aramhovsepyan SSDF and SP800 are about different worlds. SSDF PO.1.2 refers to the requirement to have the process of identifying security requirements and documenting them. The SP800-53 SA-8 is NOT about that process. It IS about a set of these security requirements itself (the privacy principles). These requirements apply to the technology, whereas the SSDF requirements apply to the organisation. Makes sense?