Open xee5ch opened 2 years ago
Plugging away at this some more. @openprivacy, do you know what "Above Baseline" means for some controls, for example cell J15 in the current Excel XLSX version of the CMS ARS 5.0 catalog and baselines?
@xee5ch - From Leslie on the ARS team:
Above Baseline are the non-mandatory controls (in future iterations referred to as Supplemental) that systems can select as additional controls above and beyond their baseline requirements.
Thank you, sir! Most helpful.
Next question, now I thought last night I understood this, but it appears I do not. Does Column E, by showing redlined data that results in column D, indicate updates from 1) NIST SP 800-53 Revision 5 to CMS ARS 5.0 or 2) updates from CMS ARS 3.0 to CMS ARS 5.0? Looking at the first few controls, now that I pulled up a refreshed version of the NIST SP 800-53 Revision 5 catalog in published PDF and XML forms, it removes things like "the organization does X or Y", which is not even extant in the SP 800-53 and 800-53B catalogs and profiles. Am I missing something? Is it really option 2, and not option 1?
OK, I am sorry, I had a momentary slip in judgement. Column E is most certainly a comparison to the CMS ARS 3.1 tailored controls from here. I noticed there are references to the CMS Risk Management Handbook, and the vanilla NIST 800-53 catalog would not be referencing that.
Well, it would seem I might need to find a more efficient way to diff between NIST 800-53 Rev 5 and CMS ARS 5.0, will have to think about that, or start doing it by hand. Maybe I will just focus on a handful of example controls.
Per my discussion with @openprivacy in a follow-up to this call for experimentation in https://github.com/CMSgov/ars-machine-readable/issues/6#issuecomment-1033129313, I am going to begin proofing out building several exemplary controls from the NIST 800-53 catalog into JSON, XML, and YAML variants of specific baselines for Low, Moderate, High, Privacy, and HVA overlays for ARS with declarative profiles that are executed in a GitHub Actions pipeline.
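One way to get the "more efficient diff" between the NIST SP 800-53 Rev 5 catalog and CMS ARS 5.0 mentioned above, as an added example that is not part of this issue thread or of the ars-machine-readable project: it assumes both catalogs are available in OSCAL JSON catalog form (NIST publishes one; the ARS XLSX would first need converting, which this script does not do), walks groups and nested controls, flattens each control's `statement` part into text, and reports per control whether it was added, removed, unchanged, or changed (with a word-level unified diff). The sample catalogs are constructed and abridged, not real NIST or ARS prose.

```python
"""Diff control statements between two OSCAL JSON catalogs (base vs overlay)."""
import difflib
import json


def control_statements(catalog):
    """Map control id -> flattened 'statement' prose, recursing into groups,
    nested groups, nested (enhancement) controls and sub-parts of the statement."""
    out = {}

    def prose(part):  # join this part's prose with that of its sub-parts, in order
        text = [part.get("prose", "")] + [prose(p) for p in part.get("parts", [])]
        return " ".join(t for t in text if t)

    def walk(controls):
        for c in controls:
            stmt = [p for p in c.get("parts", []) if p.get("name") == "statement"]
            out[c["id"]] = " ".join(prose(p) for p in stmt)
            walk(c.get("controls", []))  # control enhancements nest under controls

    def groups(gs):
        for g in gs:
            walk(g.get("controls", []))
            groups(g.get("groups", []))

    cat = catalog["catalog"]
    groups(cat.get("groups", []))
    walk(cat.get("controls", []))  # controls may also sit directly under the catalog
    return out


def diff_catalogs(base, overlay):
    """Return {control_id: 'added' | 'removed' | 'unchanged' | unified word diff}."""
    a, b = control_statements(base), control_statements(overlay)
    result = {}
    for cid in sorted(set(a) | set(b)):
        if cid not in a:
            result[cid] = "added"
        elif cid not in b:
            result[cid] = "removed"
        elif a[cid] == b[cid]:
            result[cid] = "unchanged"
        else:  # word-level diff so small tailoring edits inside a long statement stand out
            result[cid] = "\n".join(difflib.unified_diff(
                a[cid].split(), b[cid].split(), "nist", "ars", lineterm=""))
    return result


# Constructed, abridged sample catalogs in OSCAL JSON shape (not real NIST/ARS text).
NIST_SAMPLE = {"catalog": {"groups": [{"id": "ac", "controls": [
    {"id": "ac-1", "parts": [{"name": "statement", "prose": "Develop an access control policy.",
        "parts": [{"name": "item", "prose": "Review the policy annually."}]}]},
    {"id": "ac-2", "parts": [{"name": "statement", "prose": "Define account types."}]}]}]}}
ARS_SAMPLE = {"catalog": {"groups": [{"id": "ac", "controls": [
    {"id": "ac-1", "parts": [{"name": "statement", "prose": "Develop an access control policy.",
        "parts": [{"name": "item", "prose": "Review the policy per the CMS Risk Management Handbook."}]}]},
    {"id": "ac-3", "parts": [{"name": "statement", "prose": "Enforce approved authorizations."}]}]}]}}

if __name__ == "__main__":  # usage: python diff_oscal.py nist-catalog.json ars-catalog.json
    import sys
    for cid, status in diff_catalogs(*(json.load(open(p)) for p in sys.argv[1:3])).items():
        print(cid, status, sep=": ")
```

Run without arguments it does nothing useful; point it at two real OSCAL catalog files, or call `diff_catalogs(NIST_SAMPLE, ARS_SAMPLE)` to see the three cases on the constructed data.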