sckg
Organization vs System controls
Is it possible to map which controls are organization controls as opposed to controls that are system controls?
Yes, but you might be able to get what you want with a query. If there's anything in the description that indicates that it's an organizational control, we could do something like:
MATCH (r:regime)-[:HAS*]->(c:control)
WHERE c.description CONTAINS 'organization-defined'
RETURN c.name
On the other hand, it's likely that if there's a bash implementation that references a control we could probably infer that it's a system control:
MATCH (r:regime {name: 'NIST 800-53'})-[:HAS*]->(c:control)
WITH c
MATCH (b:baseline)-[*..4]->(c)
WHERE b.name ENDS WITH '.sh'
RETURN DISTINCT c.name
Thoughts?
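The two heuristics in the answer above can be folded into one query that labels every control in the regime rather than returning two separate name lists. This is an added example, not a query from the original post or from the sckg project, and it assumes the graph shape the answer's queries imply: regime, control and baseline nodes, HAS relationships from regime down to control, a description property on control nodes, and baseline names ending in '.sh' for bash implementations. It treats a concrete bash implementation as stronger evidence than the wording of the description, and it keeps controls that match neither heuristic so they are not silently dropped.

```cypher
// Added example (not sckg's own query). Schema assumptions, taken from the
// answer above: (regime)-[:HAS*]->(control), (baseline)-[*..4]->(control),
// control.description, and baseline.name ending in '.sh' for bash checks.
MATCH (:regime {name: 'NIST 800-53'})-[:HAS*]->(c:control)
// OPTIONAL so controls with no bash implementation survive to the label step
// instead of being filtered out of the result.
OPTIONAL MATCH (b:baseline)-[*..4]->(c)
WHERE b.name ENDS WITH '.sh'
WITH c, count(DISTINCT b) AS bash_impls
// An implementation is stronger evidence than wording, so it takes
// precedence when both heuristics fire; coalesce() guards a null description.
RETURN c.name AS control,
       bash_impls,
       CASE
         WHEN bash_impls > 0 THEN 'system'
         WHEN coalesce(c.description, '') CONTAINS 'organization-defined' THEN 'organization'
         ELSE 'unclassified'
       END AS kind
ORDER BY kind, control
```

Run it in the Neo4j browser or cypher-shell against a loaded sckg graph. The unbounded [:HAS*] pattern is the one the answer uses; on a large graph put an upper bound on it (for example [:HAS*..5]) to keep the query cheap. The 'unclassified' bucket is worth reviewing by hand, since it is exactly the set of controls neither heuristic can speak to.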