lula icon indicating copy to clipboard operation
lula copied to clipboard

Published 20 hours ago verified publisher icon defenseunicorns

Augmenting upstream catalogs with additional context

Open brandtkeller opened this issue 1 year ago • 6 comments

The catalog in many contexts is the source of truth for requirements that are intended for accreditation/compliance.

If possible, we want to prevent the need from forking catalogs for the sake of established source of truth - but we need to augment the data with other information that can provide context for reporting and other pertinent information.

How will Lula provide optionality to extend/augment a source-of-truth catalog artifact with identifiers/data that allows for establishing a "whole story".

Example: In order to generate reporting data for the amount of controls satisfied vs not-satisfied - we need to know what the total controls are - but we also need to distinguish between different types of controls. Optimally these would be identifiers placed in a catalog/profile.

How might Lula augment without forking?

brandtkeller avatar Feb 15 '24 21:02 brandtkeller

This may be entirely accomplishable by additional context in the component-definitions

brandtkeller avatar Apr 26 '24 16:04 brandtkeller

Going back on the statement above - using component-definitions lacks full scope necessary to determine required reporting.

Need to establish "layers" of reporting involved - "total context" may dictate producing all or only targeted information:

  1. With a catalog reference and an SSP - Lula should be able to report total controls that exist.
  2. With a catalog reference and an Assessment-Results - Lula should be able to report total controls satisfied vs not-satisfied
  3. Others?

Edit: total context refers to pulling in all relevant models and performing analysis.

brandtkeller avatar May 29 '24 13:05 brandtkeller

  1. With a catalog reference, we should be able to use a specified field (likely under props) per control to establish other reporting figures.

example: control "type" -> technical, admin, policy, etc -> report % technical controls satisfied vs not satisfied

Layered onto this functionality would be a profile that performs some modification to the catalog reference.

brandtkeller avatar May 29 '24 15:05 brandtkeller

  1. With a catalog reference and a POAM - Lula should be able to report left over risk, remediation steps, and timelines?

CloudBeard avatar May 29 '24 16:05 CloudBeard

Based on the scenarios listed - I believe the ability to report based on some specified tag should be a subset feature of more generic reporting.

brandtkeller avatar May 31 '24 16:05 brandtkeller

Given the original statement of work in the body of the issue #67 will provide the profile implementation required to augment catalogs.

#67 is not strictly required for the development of reporting generically & with some specified tags - but would provide some critical functionality to supporting the intent of a component-definitions control-implementation.source field.

brandtkeller avatar May 31 '24 17:05 brandtkeller