
Generation of SSP from other OSCAL data

Open brandtkeller opened this issue 1 year ago • 2 comments

Investigate, document (here), and develop the generation of an SSP template that derives data from other OSCAL data sources that Lula already consumes.

  • Component Definitions
  • Security Assessment Results
  • Other?

Develop a helper function that can perform the generation of this template - expectation is that there are blank fields that are manual entry (this is fine).

brandtkeller, Jan 11 '24 22:01

@brandtkeller - my earlier suggestion was that the SSP should document the security controls of the testing environment, at minimum under the 'this-system' component. Any deployed component for testing/pre-assessment gets added "new" to the system. The component-definition would be used to populate the 'new' component of the system. Once the addition to the SSP file is done, the assessment of the "new" component should/could be automatically initiated by committing the change to the SSP. The Assessment Plan should be updated automatically since the AP imports the SSP with the assessment of the 'new' component. The change of the AP should trigger the assessment of the 'new' component, etc. In this way you also demonstrate that your testing system is being continuously assessed, because the same process will be applied to the updates to the infrastructure.

iMichaela, Feb 10 '24 02:02

This issue would be comprised of an initial implementation of SSP generation from component-definition(s).

In-Scope:

  • Data that is available in the component definition

Out-Of-Scope:

  • Data that is not available in the component definition
  • Data that is required from catalog
  • Data that could be added to a component-definition but does not exist today

Additional work should be captured after implementation-discovery in issues.

brandtkeller, Jul 22 '24 19:07
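
A sketch of the in-scope mapping discussed in this thread, added here as an illustration and not taken from Lula's code base: components and their implemented requirements are copied from a component-definition into an SSP skeleton, and fields with no source data stay blank for manual entry. The helper name `generate_ssp`, the `MANUAL` placeholder and the sample data are assumptions; field names follow the OSCAL component-definition and SSP models.

```python
import json
import uuid

MANUAL = ""  # blank placeholder for fields a person fills in later

# Constructed sample, trimmed to the fields the mapping reads; UUIDs are made up.
SAMPLE = {"component-definition": {"components": [
    {"uuid": "00000000-0000-4000-8000-00000000000a", "type": "software",
     "title": "Sample Gateway", "description": "Constructed component A.",
     "control-implementations": [{"implemented-requirements": [
         {"control-id": "ac-2", "description": "Accounts come from the IdP."},
         {"control-id": "au-2", "description": "Requests are logged."}]}]},
    {"uuid": "00000000-0000-4000-8000-00000000000b", "type": "software",
     "title": "Sample Logger", "description": "Constructed component B.",
     "control-implementations": [{"implemented-requirements": [
         {"control-id": "au-2", "description": "Logs are shipped off-host."}]}]},
]}}

def generate_ssp(comp_def: dict) -> dict:
    """Hypothetical helper: SSP skeleton from one OSCAL component-definition."""
    components, by_control = [], {}
    for comp in comp_def["component-definition"].get("components", []):
        components.append({
            "uuid": comp["uuid"], "type": comp["type"], "title": comp["title"],
            "description": comp["description"],
            "status": {"state": MANUAL},  # not present in a component-definition
        })
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                # One SSP requirement per control-id, one by-components entry per component.
                ir = by_control.setdefault(req["control-id"], {
                    "uuid": str(uuid.uuid4()), "control-id": req["control-id"],
                    "by-components": []})
                ir["by-components"].append({
                    "uuid": str(uuid.uuid4()), "component-uuid": comp["uuid"],
                    "description": req["description"]})
    return {"system-security-plan": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": MANUAL, "version": MANUAL},
        "import-profile": {"href": MANUAL},  # catalog/profile data: out of scope
        "system-characteristics": {},        # manual entry
        "system-implementation": {"components": components},
        "control-implementation": {
            "description": MANUAL,
            "implemented-requirements": list(by_control.values())},
    }}

if __name__ == "__main__":
    print(json.dumps(generate_ssp(SAMPLE), indent=2))
```

The output is a template, not a schema-valid SSP: the blank fields have to be completed before validation.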