Brian Ruf

icon indicating a website link www.linkedin.com/in/brianruf

icon company Ruf Risk (@ruf-risk) icon location Washington DC Metro Area

Results 49 comments of Brian Ruf

Tracking control identity via catalog of origin

@JJediny I realize the whole point of OSCAL is to be as machine-readable as possible, thus we want to automate our activities as much as possible, including de-conflicting of controls...

Customer Responsibility Matrix (CRM) Transform

**THIS COMMENT WAS MOVED TO ISSUE #722, WHICH IS A MORE APPROPRIATE LOCATION** [https://github.com/usnistgov/OSCAL/issues/722#issuecomment-705615973](https://github.com/usnistgov/OSCAL/issues/722#issuecomment-705615973)

Customer Responsibility Matrix (CRM) Transform

@pburkholder **Short answer:** It's in-plan. **Longer answer**: The plan is to complete the CRM modeling in issue #722. This will become a priority later October and into November. Once that...

Better defined linking semantics regarding resources

@smichelotti, on the topic of the FedRAMP profile in JSON pointing to an XML catalog, you've uncovered a bit of a blind-spot (at least for me) in our conversion process....

Better defined linking semantics regarding resources

Per conversation with @david-waltermire-nist and @wendellpiez, we need to be clear about intentions when multiple rlink entries are present in a resource, such as to specify both an XML and...

Incorrect Interconnection Property Value in SSP Template

I'll try to circle back to this when I'm on a machine where I am setup to clone, commit, and push.

OSCAL File Fragments - System Inventory

This can now be accomplished by including the system inventory as a `local-definition` in the POA&M model.

AP/AR/POA&M Local Definitions and Metadata Party/Location Require a Link to Corrected Content

I recommend establishing a "updates-uuid" property in: - /assessment-plan/metadata/party - /assessment-plan/metadata/location - /assessment-plan/local-definitions/component - /assessment-plan/local-definitions/inventory-item - /assessment-plan/local-definitions/user - /assessment-results/metadata/party - /assessment-results/metadata/location - /assessment-results/result/local-definitions/component - /assessment-results/result/local-definitions/inventory-item - /assessment-results/result/local-definitions/user - /plan-of-action-and-milestones/party -...

AP/AR/POA&M Local Definitions and Metadata Party/Location Require a Link to Corrected Content

@iMichaela The SSP is authored by the system owner. The AP and AR are authored by the assessor. The assessor must never modify SSP content. They may ask the system-owner...

AP/AR/POA&M Local Definitions and Metadata Party/Location Require a Link to Corrected Content

The POA&M is also a system-owner authorized document. The assessor may update it on behalf of the system owner. In theory, anything the assessor added or corrected is in `local-definitions`,...