schrolla
commented
2 months ago Start exploring mechanisms to do mappings and gathering/utilizing example SSPs in Kraken.
Open schrolla opened 9 months ago
schrolla
commented
2 months ago Start exploring mechanisms to do mappings and gathering/utilizing example SSPs in Kraken.
schrolla
commented
2 months ago See https://github.com/cisagov/ScubaGear/tree/oscal-exploration/oscal OSCAL exploration branch for more info.
Description
Beyond basic security, many organizations also use a number of risk management frameworks to better understand and mitigate risks to themselves and their data. To that end, this feature is meant to provide a mapping between the M365 secure baselines and one or more common risk management frameworks or other security configuration baselines.
Steps to completing this epic include:
Initiative / Goal
The goal is to create an easy to use reference to map policy items in the M365 SCB to security controls or configuration items in other baselines or risk management frameworks.
Hypothesis
Adding mapping information to the M365 SCBs will provide value to additional sets of stakeholders, such as risk managers and security analysts and support organizational risk management activities by providing a clear relationship between SCB policy configuration items and security controls.
Acceptance criteria
Criteria that are considered must have for feature launch and in-scope for this epic include:
Stakeholders / Resources
Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to risk management framework and candidate baseline documentation.
Timeline
The current projected timeline for delivery of this epic feature is currently in the June timeframe.
Associated Tasks
See details in the following issues: