cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Cross-linking M365 baselines with NIST 800-53 controls #940

Open schrolla opened 8 months ago

schrolla commented 8 months ago

Description

Beyond basic security, many organizations also use a number of risk management frameworks to better understand and mitigate risks to themselves and their data. To that end, this feature is meant to provide a mapping between the M365 secure baselines and one or more common risk management frameworks or other security configuration baselines.

Steps to completing this epic include:

Initiative / Goal

The goal is to create an easy to use reference to map policy items in the M365 SCB to security controls or configuration items in other baselines or risk management frameworks.

Hypothesis

Adding mapping information to the M365 SCBs will provide value to additional sets of stakeholders, such as risk managers and security analysts, and support organizational risk management activities by providing a clear relationship between SCB policy configuration items and security controls.

Acceptance criteria

Criteria that are considered must have for feature launch and in-scope for this epic include:

Stakeholders / Resources

Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to risk management framework and candidate baseline documentation.

Timeline

The projected timeline for delivery of this epic feature is currently in the June timeframe.

Associated Tasks

See details in the following issues:

schrolla commented 2 months ago

Start exploring mechanisms to do mappings and gathering/utilizing example SSPs in Kraken.

schrolla commented 1 month ago

See https://github.com/cisagov/ScubaGear/tree/oscal-exploration/oscal OSCAL exploration branch for more info.