Michaela Iorga
@aj-stein-nist and @david-waltermire-nist Would a numeric value associated with the `rel` for the satisfaction (aka percentage or score) make sense? In this way, an additive operation can be applied to...
@aj-stein-nist I agree it allows for more flexibility, but I do not see a mechanism for identifying the completeness or coverage of the superset of rules. A superset might still...
> But what if we want a link to point to a control or a statement inside a control, for reference (how do we do that)? @wendellpiez - Per our...
@ohsh6o -- @david-waltermire-nist and I discussed the importance of documenting identified risks in the implementation layer, but the use of a POA&M model might not be appropriate. A similar model...
Might be important to provide support for adjustment of the _perceived risk_ ( = risk identified during implementation cycles) based on the _observed/found risk_ ( = risk determined during assessment),...
@guyzyl - The naming convention is consistent: oscal_[model name]_schema.json, where the model name follows the dash convention for composed names. All the other files do not present the dash structures...
@brianrufgsa If the latest, accurate information is permitted to be scattered in all places under `local definitions` (for `component`, `inventory-item`, `user` and `control-objective`), is there a danger to not be...
@brianrufgsa - I am very well aware of the documents' ownership and hence the comment. I like very much the local 'update' solution, but I wonder if there is a...
@brianrufgsa - yes, that was the thought I had - assessors could use the POA&M and their right to update it, to convey or gather the `local-definitions` information in one...
@Compton-NIST - Can you please add this issue to the list of the Control Mapping Model issues you planned on reviewing? Even though issue #1333 documents the need of identifying...