Open gdasher opened 1 year ago
I sized and put it at medium priority. I think this may rise in priority based on MTA-related work in the future.
@gdasher Any updates on the need for the applications metrics here based on changes in ScubaGear since the last update or refinements to what is being requested?
💡 Summary
Extend ScubaGear to report these metrics:
Motivation and context
Since 2021, FISMA metrics have required agencies to report on a per-system basis. Putting aside that systems are not the same as applications, it would be useful to agencies to have a consolidated ability to collect this data from their SSO provider if AAD is being used as the SSO provider for part of the agency. Most agencies aren't currently using AAD for SSO but some are moving in that direction and this would support better measurement.
This FR would extend ScubaGear to report this information.
Implementation notes
Implementation would require adjusting CAP policy logic to be more granular. Current logic requires all applications to be subject to CAP policy (but I believe ignores/allows exceptions in that policy) and is boolean yes/no. Post this change, ScubaGear may need to track the fraction of applications that comply/are exempt on a per-app basis. We can discuss the complexity of this versus other possible simpler approximations (e.g. counting # of exempt applications from a policy that applies to all).
I suspect we will learn more as people deploy the new code in prod.
Acceptance criteria