
Enriching copy of SP800-53 with explicit links?

Open wendellpiez opened this issue 2 years ago • 0 comments

User Story:

Picking up on #86, we have code in a working branch here: https://github.com/wendellpiez/oscal-content/tree/issue86-opd-analysis

But there are (policy-level) data governance questions to be addressed first.

The idea/concept of enhancing the copy here raises issues of fidelity to upstream data sources, since these links will not be given in the authoritative (canonical) representation of SP800-53 to be found at https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/public-comments#/home.

Essentially, the OSCAL would represent an 'improved' version - which could also pose a maintenance challenge if we need to update to reflect changes in the upstream, as then we have a branching situation. (Indeed we already have that situation; this makes it worse.)

We need a policy level determination about whether / how we can make changes like this.

Do we do so in coordination with our upstream sources? Can we do so without such coordination? With what guarantees?

Looking at #86 and the WIP branch you can see that improvements to the data are pretty easily made once they are specified.

An alternative approach might be not to do this but to show others how to do it.

Goals:

  • [ ] Determine policy regarding the core requirement served by OSCAL SP800-53 - data fidelity, or enhanced features/functionality?
  • [ ] Plan next steps in data enhancement captured in #86 on this basis.

Dependencies:

Up to this point the OSCAL team has maintained this data set on behalf of the FISMA team. Continuing to do that probably requires some planning.

Until then, there is nothing that prevents us from making (or encouraging others to make) improvements to a public data set. It's just that when we do so we need to be overt as to its status, clarifying its status (or lack of status as the case may be).

Acceptance Criteria:

  • [ ] #86 is either moved forward or put to bed as a 'not for now' or 'not ever'
  • [ ] We have plans reflecting data governance / maintenance policies for the next time this question comes up, or plans to make such plans in consultation as necessary.

wendellpiez, Feb 01 '23 15:02