OSCAL icon indicating copy to clipboard operation
OSCAL copied to clipboard

Published 20 hours ago verified publisher icon usnistgov

SSP Control Implementation Scope/Origination

Open brian-ruf opened this issue 4 years ago • 4 comments

User Story:

As an OSCAL we need to better differentiate scope and origination of responsibility for control and more granular control statements in the SSP model.

See the table in issue #572 for inspiration for references.

Goals:

  • Using analysis, ensure scope and origination can be appropriately represented at all appropriate levels of granularity (implemented-requirement, statement, and/or by-component)
  • Ensure syntax and documentation are updated, enabling OSCAL users to apply this feature.
  • Create new issues identifying the specific OSCAL model and documentation changes that are needed to address this issue

Dependencies:

None.

Acceptance Criteria

  • [ ] Update the constraint to allow the prop to appear at the statement, by-component, and statement/by-component levels.
  • [ ] Add a note in the docs about how to resolve the effective value when values are applied at multiple levels.
  • [ ] All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

brian-ruf avatar Nov 04 '20 21:11 brian-ruf

It looks like the prop control-origination is only supported at the implemented-requirement level right now. This can be added to the statement, by-component, and statement/by-component levels. It should be noted that the most specific (lowest level) one must win when this value is defined at multiple levels.

david-waltermire avatar Mar 08 '22 17:03 david-waltermire

This was a gap identified in #1385. Perhaps this could be addressed as part of this issue.

We need to consider a way forward that aligns with how FedRAMP is currently considering this information. e.g., it should be possible to map from the approach we design to the current FedRAMP approach.

david-waltermire avatar Sep 01 '22 19:09 david-waltermire

several issues on CIS/CRM end up linked here, but the details in those issues are great, and this seems to be more of a catch-all. Github handles all the linkages but since the language in this and may of the issues is "perhaps" "can" "may" - it becomes less clear, especially over weeks and months, whether there is 1:1 coverage of the issues brought up earlier with a lot of detail and the end proposal.

I would just hate to lose a lot of that great detailed discovery - but appreciate the benefits of good issue hygeine!

sunstonesecure-robert avatar Sep 26 '22 18:09 sunstonesecure-robert

@sunstonesecure-robert Thank you for sharing your feedback and concerns! In this particular issue, we just addressed a consistency issue with the origination prop discovered at the component and statement level. We are carrying on with the CRM modeling work in #1467, which was created just a few days ago. At the moment, I note the prior supporting issue at the very beginning, and there is a "related to" section where I reference other tickets from the past that others have recommended reviewing. I'll try to make a pass to see if I've missed anything, but if there is an issue you think I've missed, definitely leave me a note on #1467, and I'll take a look.

Compton-US avatar Sep 26 '22 19:09 Compton-US