defenseunicorns / lula

The Compliance Validator
Apache License 2.0

Reporting of percentage of controls met by component definitions #223

Open brandtkeller opened 5 months ago

brandtkeller commented 5 months ago

This would evaluate the percentage of controls met from the provided component-definition files against the catalog (or control-implementation.source).

The variable at play here is that we do not have an identifier for what delineates a technical control from an administrative control.

That said, processing and mapping implemented-requirements.control-id against the whole catalog(s) would still be valuable context, and we could later support filtering once we/OSCAL establish a method for identifying a control as technical or administrative (or other).

Valuable context:

All of this work likely falls under a "helper" function of sorts - but could be something that is reported on more regularly when stable.
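The mapping sketched in the comment above, as an added example in Go (not Lula's own code): the program flattens a catalog into the set of control ids (including enhancements), collects every implemented-requirements.control-id from a component definition, optionally restricted to control-implementations whose source matches the catalog, and reports the percentage met together with any implemented ids that do not exist in the catalog. The struct types are an illustrative subset of the OSCAL JSON models, the sample catalog and component definition are constructed, and the source URLs are placeholders. As in the comment, no attempt is made to separate technical from administrative controls, since OSCAL gives no identifier for that.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Illustrative subsets of the OSCAL catalog and component-definition models; not Lula's own types.
type Node struct { // the recursive shape shared by catalog, group and control
	ID       string `json:"id"`
	Groups   []Node `json:"groups,omitempty"`   // groups nest groups and controls
	Controls []Node `json:"controls,omitempty"` // controls nest enhancements, e.g. ac-2.1 under ac-2
}
type componentDefinitionDoc struct {
	ComponentDefinition struct {
		Components []struct {
			ControlImplementations []struct {
				Source                  string `json:"source"`
				ImplementedRequirements []struct {
					ControlID string `json:"control-id"`
				} `json:"implemented-requirements"`
			} `json:"control-implementations"`
		} `json:"components"`
	} `json:"component-definition"`
}
// Coverage is the result of mapping implemented-requirements.control-id against the catalog.
type Coverage struct {
	Total     int      // controls and enhancements in the catalog
	Met       int      // catalog controls named by at least one implemented-requirement
	Percent   float64  // 100 * Met / Total
	Unmatched []string // implemented control-ids absent from the catalog (typo or wrong catalog)
}
// controlIDs collects every control and enhancement id below n; group ids are not controls.
func controlIDs(n Node, isControl bool, out map[string]bool) {
	if isControl {
		out[n.ID] = true
	}
	for _, g := range n.Groups {
		controlIDs(g, false, out)
	}
	for _, c := range n.Controls {
		controlIDs(c, true, out)
	}
}
// ComputeCoverage counts the catalog controls met by a component definition. With a non-empty
// catalogSource only control-implementations whose source equals it count, so requirements written
// against another catalog do not inflate the figure. A control met by several components counts once.
func ComputeCoverage(catJSON, compDefJSON []byte, catalogSource string) (Coverage, error) {
	var cat struct{ Catalog Node `json:"catalog"` }
	var cdef componentDefinitionDoc
	if err := json.Unmarshal(catJSON, &cat); err != nil {
		return Coverage{}, fmt.Errorf("catalog: %w", err)
	}
	if err := json.Unmarshal(compDefJSON, &cdef); err != nil {
		return Coverage{}, fmt.Errorf("component-definition: %w", err)
	}
	catalogIDs := map[string]bool{}
	controlIDs(cat.Catalog, false, catalogIDs)
	implemented := map[string]bool{}
	for _, comp := range cdef.ComponentDefinition.Components {
		for _, ci := range comp.ControlImplementations {
			if catalogSource == "" || ci.Source == catalogSource {
				for _, ir := range ci.ImplementedRequirements {
					implemented[ir.ControlID] = true
				}
			}
		}
	}
	cov := Coverage{Total: len(catalogIDs)}
	for id := range implemented {
		if catalogIDs[id] {
			cov.Met++
		} else {
			cov.Unmatched = append(cov.Unmatched, id)
		}
	}
	sort.Strings(cov.Unmatched)
	if cov.Total > 0 { // an empty catalog reports 0%, not NaN
		cov.Percent = 100 * float64(cov.Met) / float64(cov.Total)
	}
	return cov, nil
}

// Constructed sample documents, not real OSCAL content; the source URLs are placeholders.
const sampleCatalog = `{"catalog":{"groups":[{"id":"ac","controls":[{"id":"ac-1"},
 {"id":"ac-2","controls":[{"id":"ac-2.1"}]}]},{"id":"au","controls":[{"id":"au-1"}]}]}}`
const sampleCompDef = `{"component-definition":{"components":[
 {"control-implementations":[{"source":"https://example.invalid/catalog.json","implemented-requirements":[{"control-id":"ac-1"},{"control-id":"ac-2.1"}]}]},
 {"control-implementations":[{"source":"https://example.invalid/catalog.json","implemented-requirements":[{"control-id":"ac-1"},{"control-id":"au-99"}]}]},
 {"control-implementations":[{"source":"https://example.invalid/other.json","implemented-requirements":[{"control-id":"au-1"}]}]}]}}`

func main() {
	cov, err := ComputeCoverage([]byte(sampleCatalog), []byte(sampleCompDef), "https://example.invalid/catalog.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d/%d controls met (%.1f%%); unmatched ids: %v\n", cov.Met, cov.Total, cov.Percent, cov.Unmatched)
}
```

With the source filter applied, the sample reports 2 of 4 controls met (50%) and flags au-99 as an id the catalog does not contain; the third component's au-1 is ignored because its control-implementation.source points at a different catalog. Passing an empty source counts every implementation and raises the figure to 3 of 4, which is why matching the source matters when several catalogs are referenced from one component definition.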

brandtkeller commented 1 month ago
```mermaid
flowchart TD
    A[Report] -->|default/specified OSCAL files| B(Build Report)
    B --> C{Check for existence of models & Collect/identify Catalog}
    C -->|Components Exist| D[Component Report]
    C -->|SSP Exists| E[System Report]
    C -->|Assessment Results Exist| F[Assessment Report]
```

CloudBeard commented 1 month ago

That makes perfect sense ^