cloud-native-security-controls / controls-catalog

Apache License 2.0

Explore CISecurity collaboration #15

Open JonZeolla opened 1 year ago

JonZeolla commented 1 year ago

It seems that CISecurity is working on OSCAL for their benchmarks. Looking to set up collaboration conversations.

JonZeolla commented 1 year ago

Pending an introduction by Zeal

xee5ch commented 1 year ago

FYI, their ~baselines~ control catalog (sorry, I misspoke; I assume baselines might mean something specific and different from how I use it) is already public, and they accept feedback via GH issues.

https://github.com/CISecurity/CISControls_OSCAL/

JonZeolla commented 1 year ago

Intro has been sent; working on initial discussion.

JonZeolla commented 1 year ago

Had an initial discussion this morning; more coming. Collaboration is likely and may loop in other entities, including NIST and the CSA.

JonZeolla commented 1 year ago

Here are my notes from today:

CIS provides Mapping as a Service - controls only, which is a very popular service that tool vendors and orgs look at.

Looking for all frameworks to be represented in OSCAL, and map together as needed. Some work on refining mapping methodologies; opportunity for collaboration. Internally they plan to come up with use cases and think about the end goal of the mapping. They currently use ideas like superset and intersection, but are also looking to be able to identify gaps during mapping exercises.

CSA CCM is 4.0 in OSCAL; CIS has mapped, but no unique IDs yet.

  • Want unique IDs for their benchmarks.

Cloud providers are interested.

CSA does have CCM 4.0 in OSCAL, not sure where it resides

CIS mapping to CSA is in https://github.com/CISecurity/CISControls_OSCAL

If we want to talk about coming together for a mapping methodology.

CIS Meets with CSA and NIST regularly; going to work on a method to collaborate more together instead of individually. Consider a CIS Workbench community or GitHub discussions.